
Introduction to HTTPS


What is HTTPS?

HyperText Transfer Protocol Secure (HTTPS) is the secure version of the HyperText Transfer Protocol (HTTP). HTTPS allows secure e-commerce transactions, such as online banking.
Web browsers such as Internet Explorer and Firefox display a padlock icon to indicate that the connection is secure, and they also show https:// in the address bar.

When a user connects to a website via HTTPS, the website uses a digital certificate to set up an encrypted session. A user can tell that they are connected to a secure website if the website URL begins with https:// instead of http://.


HTTP and HTTPS

You click to check out at an online merchant. Suddenly your browser address bar says HTTPS instead of HTTP. What's going on? Is your credit card information safe?
Good news. Your information is safe. The website you are working with has made sure that no one in between can read your information while it travels.

Instead of HyperText Transfer Protocol (HTTP), this website uses HyperText Transfer Protocol Secure (HTTPS).

Using HTTPS, the two computers agree on a "code" between them, and then they scramble the messages using that "code" so that no one in between can read them. This keeps your information safe from hackers.

They apply the "code" in the Secure Sockets Layer (SSL), or its successor Transport Layer Security (TLS), to send the information back and forth.

How does HTTP work? How is HTTPS different from HTTP? This article will teach you about SSL, HTTP and HTTPS.

How Does HTTP Work?

In the beginning, network administrators had to figure out how to share the information they put out on the Internet.

They agreed on a procedure for exchanging information and called it HyperText Transfer Protocol (HTTP).

Once everyone knew how to exchange information, intercepting it on the Internet was not difficult either. So knowledgeable administrators agreed upon a procedure to protect the information they exchanged. The protection relies on SSL certificates to encrypt the online data. Encryption means that the sender and recipient agree upon a "code" and translate their documents into random-looking character strings.

The procedure for encrypting information and then exchanging it is called HyperText Transfer Protocol Secure (HTTPS).

With HTTPS if anyone in between the sender and the recipient could open the message, they still could not understand it. Only the sender and the recipient, who know the "code," can decipher the message.

Humans could encode their own documents, but computers do it faster and more efficiently. To do this, the computer at each end uses a document called an "SSL certificate" containing character strings that are the keys to their secret "codes."

SSL certificates contain the computer owner's "public key."

The owner shares the public key with anyone who needs it. Other users need the public key to encrypt messages to the owner. The owner sends those users the SSL certificate, which contains the public key. The owner does not share the private key with anyone.

The protection applied during the transfer is called the Secure Sockets Layer (SSL) or Transport Layer Security (TLS).

The system for issuing and exchanging public keys in SSL certificates, which makes HTTPS, SSL and TLS possible, is called Public Key Infrastructure (PKI).

SSL Protocol

A highly simplified example of encrypting with SSL certificates.

Sara (the sender) wants to send an encrypted email to Rajiv (the recipient). First Rajiv sends Sara a copy of his SSL certificate. In this highly-simplified example, the public key in Rajiv's SSL certificate is "+1." The private key, which stays in Rajiv's computer, is also "+1."

So Sara composes a message to Rajiv. It says, "Hi--Sara." Then she instructs her computer to use Rajiv's SSL certificate to encrypt the message. The computer reads Rajiv's public key and adds +1 to each letter in the message.

For example, A+1=B, B+1=C, and so forth.

The encrypted message looks like this:

HI - SARA becomes IJ - TBSB

Anyone who reads the message along the way cannot understand it, because they do not have Rajiv's SSL certificate.

When Rajiv receives the message, his computer subtracts one from each letter in the message. It is again perfectly readable.

In real life, the public and private keys must be different.

The example above is simplified. It shows identical public and private keys. The problem with this example is that if Rajiv has identical keys, and if he sends Sara his SSL certificate, then she can decrypt messages he receives from other people. He cannot send her his public key if it is the same as his private key; otherwise she could decrypt all Rajiv's messages.

To protect Internet users, public keys are similar to, but not identical to, private keys. If Rajiv sends his public key to Sara in an SSL certificate, Sara's computer will have enough information to encrypt a message so that only Rajiv's private key can decrypt it.

Here is Rajiv's public key:

3048 0241 00C9 18FA CF8D EB2D EFD5 FD37 89B9 E069 EA97 FC20 5E35 F577 EE31 C4FB C6E4 4811 7D86 BC8F BAFA 362F 922B F01B 2F40 C744 2654 C0DD 2881 D673 CA2B 4003 C266 E2CD CB02 0301 0001

It hints at, but does not expose, the contents of Rajiv's private key. Rajiv can confidently send this key to Sara. He does not worry that she will be able to guess his private key. Although they are similar, because the keys are so long and complicated, it is computationally infeasible to calculate the private key from the public key.

Based on this public key, Sara's computer uses an algorithm to translate her message into an equally unintelligible string of characters, which only Rajiv will be able to decrypt, using his private key.
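The "+1" toy scheme from the Sara and Rajiv story, placed next to a tiny textbook-RSA key pair, as an added example that is not part of the original article: it shows that with the toy scheme whoever can encrypt can also decrypt, while with a real key pair the public key encrypts but only the private key decrypts. The RSA primes (61 and 53) are constructed for illustration and are nowhere near the size of the 512-bit key quoted above.

```python
# Added example (not from the original article): the article's "+1" toy scheme
# next to a tiny textbook-RSA key pair, to show why Rajiv's public key must be
# different from his private key. The RSA numbers are constructed for
# illustration; the 512-bit key quoted above is the kind of size real sites use.

def shift_encrypt(message: str, key: int) -> str:
    """The toy scheme: add `key` to every letter (A..Z wrap around).
    Spaces and dashes pass through unchanged, as in "HI - SARA"."""
    out = []
    for ch in message:
        if "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + key) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)

def shift_decrypt(ciphertext: str, key: int) -> str:
    # Same key, opposite direction: anyone holding the "+1" can also read.
    return shift_encrypt(ciphertext, -key)

def rsa_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA from two primes (tiny, constructed; real keys use huge primes).
    Returns ((n, e), (n, d)): public and private keys share n but differ in exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)

def rsa_apply(value: int, key: tuple) -> int:
    n, exponent = key
    return pow(value, exponent, n)

def rsa_encrypt_text(message: str, public_key: tuple) -> list:
    # One number per character, mirroring the article's letter-by-letter picture.
    return [rsa_apply(ord(ch), public_key) for ch in message]

def rsa_decrypt_text(blocks: list, private_key: tuple) -> str:
    return "".join(chr(rsa_apply(b, private_key)) for b in blocks)

if __name__ == "__main__":
    scrambled = shift_encrypt("HI - SARA", 1)          # "IJ - TBSB"
    print(scrambled, "->", shift_decrypt(scrambled, 1))
    public, private = rsa_keypair(61, 53)              # n = 3233, d = 2753
    blocks = rsa_encrypt_text("HI - SARA", public)
    print("public key", public, "private key", private)
    print(rsa_decrypt_text(blocks, private))           # HI - SARA
    # Applying the public key a second time does NOT recover the message:
    print(rsa_decrypt_text(blocks, public) == "HI - SARA")   # False
```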


A simplified example of HTTP

Waldo is a webmaster. He sets up a domain, www.waldossite.com, which is a blog that allows people to donate to charity.

In order for his communications on the Internet to be understood, www.waldossite.com abides by the HyperText Transfer Protocol (HTTP). This is a set of rules governing how servers (the computers where the information on Waldo's website is stored) communicate with clients (end users, or site visitors).

Sara browses Waldo's site and decides to donate money to Waldo's favorite charity. She pulls out her credit card and clicks "donate now."

A window opens up. In the address bar, Sara sees

http://www.waldossite.com/donatenow.php

Sara clicks that window shut and leaves the website. Why? Because www.waldossite.com has not promised to encrypt her information. She would have been putting her credit card number and her name out on the Internet in plain text, where anyone might be able to read it and steal it. Sara wanted her information to be encrypted, and www.waldossite.com was not a secure site.
Encryption experts call non-encrypted text "plaintext."

What could Waldo have done to keep Sara on his site?
Where's Waldo's SSL certificate?

According to the HTTP standards, there are strict rules governing how clients and servers interact. Nothing in those standards, though, says that communication on either end needs to be encrypted.

Even if the protocol doesn't demand encryption, Sara does. To keep people like Sara from leaving, Waldo can encrypt his website, or parts of it, if he wants. He can use an SSL certificate, just the way Sara and Rajiv did.

If Waldo uses an SSL certificate to encrypt his website, the address that will show up in the browser bar will say https://www.waldossite.com. The HTTPS stands for HyperText Transfer Protocol Secure.

Now that he has an SSL certificate, the https: at the beginning of Waldo's website address tells the visitor that the information the visitor enters on the website is encrypted on its way to the server. No one in between can read that confidential information.

It's a good practice to check a website's certificate, just in case you've landed at a spoof website, sometimes called a "phishing" site. Click on the padlock. Your browser will show you the name of the owner of the certificate. It should match the name of the website.
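The padlock check described above, as an added example that is not part of the original article: given a certificate in the shape Python's ssl.SSLSocket.getpeercert() returns, the code decides whether the certificate's names match the site you typed, so a lookalike spoof address fails the check. The WALDO_CERT dict is constructed for the article's fictional www.waldossite.com, and the name matching is a simplified form of the RFC 6125 rules (subjectAltName DNS entries take precedence, the subject CN is only a fallback, and a wildcard may replace exactly one leftmost label).

```python
# Added example (not from the original article): "click the padlock and check
# that the certificate's name matches the website", as code. WALDO_CERT is a
# constructed dict in the shape returned by ssl.SSLSocket.getpeercert().
import socket
import ssl

WALDO_CERT = {  # constructed for the article's fictional site; not a real certificate
    "subject": ((("commonName", "www.waldossite.com"),),),
    "subjectAltName": (("DNS", "www.waldossite.com"), ("DNS", "waldossite.com")),
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

def _name_matches(pattern: str, hostname: str) -> bool:
    """Simplified RFC 6125 matching: case-insensitive, and "*.waldossite.com"
    covers "www.waldossite.com" but not "waldossite.com" or "a.b.waldossite.com"."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return pattern == hostname

def certificate_names(cert: dict) -> list:
    """The names the certificate claims: SAN DNS entries, else the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]

def certificate_matches_site(cert: dict, hostname: str) -> bool:
    """True only if the address you typed is one the certificate was issued for."""
    return any(_name_matches(name, hostname) for name in certificate_names(cert))

def fetch_peer_cert(hostname: str, port: int = 443) -> dict:
    """Live counterpart of clicking the padlock (needs network; not used in the
    offline checks). The default context already verifies the chain and the name;
    this merely retrieves the certificate so you can inspect its fields."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    print(certificate_names(WALDO_CERT))
    print(certificate_matches_site(WALDO_CERT, "www.waldossite.com"))   # True
    print(certificate_matches_site(WALDO_CERT, "www.wa1dossite.com"))   # False
```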

And if Waldo uses a special SSL certificate called an EV SSL certificate, then Sara's browser will recognize the certificate and turn the address bar green, another signal to Sara that Waldo's is a safe website.

Congratulations! You now know more about HTTP, HTTPS and SSL certificates than most Internet users! This will help you protect yourself when you browse on the Internet.

Credit to : Instant SSL and Wikipedia
