Hypertext Transfer Protocol over Secure Sockets Layer, or HTTPS according to abbreviationfinder, is a URI scheme used to indicate that a secure HTTP connection is being made. It is syntactically identical to the http:// scheme commonly used to access resources through the HTTP protocol. Using an https: URL indicates that the HTTP protocol should be used, but that a different TCP port (443) should be used by default, and that an additional layer should be inserted between HTTP and TCP which encrypts the traffic and provides identification (authentication) functions. This system was developed by Netscape to provide confirmation of identity and encrypted communication, and it is used all over the World Wide Web to secure sensitive communications such as payment transactions and corporate subscriptions.

Operation

Strictly speaking, https is not a separate protocol but refers to the combination of a normal HTTP interaction over an encrypted SSL or TLS connection. This ensures a reasonable degree of protection against eavesdroppers and man-in-the-middle attacks.

An https: URL can request a specific TCP port; if none is given, the connection is made through port 443 (plain HTTP usually uses port 80).

To prepare a web server to accept https connections, the administrator must create a public key certificate for the web server. On Unix-based servers such certificates can be created with utilities such as OpenSSL’s ssl-ca [1] or SuSE’s gensslcert. The certificate must be signed by a certificate authority of some kind that can confirm that the certificate does indeed belong to the institution in question. Web browsers are usually distributed with the certificates of the best-known certificate authorities so that they can verify certificates signed by them.

Organizations can also run their own certificate authorities, especially if they are responsible for configuring the web browsers that access their sites (for example, sites on a company’s intranet). They can then simply add their own signing certificates to the certificates distributed with the browser.

Some sites, especially those run as a hobby, use self-signed certificates on public sites. These sites do protect against simple eavesdropping, but unlike a certificate signed by a known authority, this method requires some other secure channel to confirm the authenticity of the certificate if the site is to be protected against man-in-the-middle attacks.
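As an added example (not from the original article), the following shell script uses OpenSSL to build a private CA of the kind described above, have it sign a server certificate, and compare how verification treats the CA-signed certificate and a self-signed one depending on which certificate the verifier trusts. The host names, file names and the WORK directory are assumptions.

```shell
#!/bin/sh
# Added example: private CA, CA-signed server cert and self-signed cert,
# verified against different trust anchors. Names below are assumptions.
set -e
WORK="${WORK:-$(mktemp -d)}"

make_ca_and_server_cert() {
  cd "$WORK"
  # 1. Private CA: a self-signed root (in practice kept offline).
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout ca.key -out ca.crt -subj "/CN=Example Intranet CA" 2>/dev/null
  # 2. Server key and certificate signing request.
  openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=intranet.example.test" 2>/dev/null
  # 3. The CA signs the request (with a SAN, which modern browsers require).
  printf 'subjectAltName=DNS:intranet.example.test\n' > san.ext
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out server.crt -days 365 -extfile san.ext 2>/dev/null
  # 4. A self-signed server certificate, as a hobby site might use.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout self.key \
    -out self.crt -subj "/CN=hobby.example.test" 2>/dev/null
}

# verify_cert <cert> <trusted-ca-file>: prints "ok" when the certificate
# chains to the trusted file, "fail" otherwise.
verify_cert() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

make_ca_and_server_cert
echo "CA-signed cert, CA trusted:        $(verify_cert "$WORK/server.crt" "$WORK/ca.crt")"
echo "CA-signed cert, wrong trust:       $(verify_cert "$WORK/server.crt" "$WORK/self.crt")"
echo "Self-signed cert, CA trusted:      $(verify_cert "$WORK/self.crt" "$WORK/ca.crt")"
echo "Self-signed cert, itself trusted:  $(verify_cert "$WORK/self.crt" "$WORK/self.crt")"
```

The last line is the situation the paragraph describes: a self-signed certificate only verifies once the client has obtained and trusted that exact certificate through some other channel.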

The system can also be used to confirm a client’s identity in order to restrict access to a web server to authorized users only. To do this the site administrator creates a certificate for each user and loads it into that user’s browser. These certificates contain the name and email address of the authorized user and are checked automatically by the server on each connection to confirm the user’s identity, often without the use of a password.

Restrictions

The level of protection depends largely on the implementation in the web browser and the server software, and on the cryptographic algorithms they support.

https only protects data in transit against eavesdropping and man-in-the-middle attacks. Once the data has reached its destination, it is only as secure as the computer on which it resides.

https is insecure when applied to publicly available static content. A program can build an index of the site, and the URI of the encrypted resource can then be deduced purely from the sizes of the intercepted requests and responses. This gives an intruder both the ciphertext and the corresponding plaintext (the publicly available content).

Because SSL sits below HTTP and has no knowledge of the higher-level protocol, an SSL server can strictly speaking present only one certificate for a given IP address and port combination. This means that in many cases it is not possible to use virtual hosts (several sites on one IP address) with https.

The latest version of Internet Explorer has increased the number of warnings shown when a certificate is not signed by a recognized authority. The cost of having a certificate signed into one of the so-called root chains can range from about R200 to slightly more than R10 000.
