HTTP Secure

From Wikipedia, the free encyclopedia

Jump to: navigation, search
HTTP
Persistence · Compression · HTTP
Secure
Headers
ETag · Cookie · Referrer · Location
Status codes
301 Moved permanently
302 Found
303 See Other
403 Forbidden
404 Not Found
This box: view • talk • edit
Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext
Transfer Protocol with the SSL/TLS protocol to provide encryption and secure
identification of the server. HTTPS connections are often used for payment transactions
on the World Wide Web and for sensitive transactions in corporate information systems.
HTTPS should not be confused with Secure HTTP (S-HTTP) specified in RFC 2660.
Contents
• 1 Main idea
o 1.1 Browser integration
• 2 Technical
o 2.1 Difference from HTTP
o 2.2 Network layers
o 2.3 Server setup
 2.3.1 Acquiring certificates
 2.3.2 Use as access control
 2.3.3 In case of compromised private key
o 2.4 Limitations
• 3 History
• 4 See also
• 5 References
• 6 External links
[edit] Main idea
For more details on this topic, see Transport Layer Security#How it works.
The main idea of HTTPS is to create a secure channel over an insecure network. This
ensures reasonable protection from eavesdroppers and man-in-the-middle attacks,
provided that adequate cipher suites are used and that the server certificate is verified and
trusted.
The trust inherent in HTTPS is based on major certificate authorities which come pre-
installed in browser software (this is equivalent to saying "I trust certificate authority (e.g.
VeriSign/Microsoft/etc.) to tell me who I should trust"). Therefore an HTTPS connection
to a website can be trusted if and only if all of the following are true:
1. The user trusts the certificate authority to vouch only for legitimate websites
without misleading names.
2. The website provides a valid certificate (an invalid certificate shows a warning in
most browsers), which means it was signed by a trusted authority.
3. The certificate correctly identifies the website (e.g. visiting https://example and
receiving a certificate for "Example Inc." and not anything else [see above]).
4. Either the intervening hops on the internet are trustworthy, or the user trusts the
protocol's encryption layer (TLS or SSL) is unbreakable by an eavesdropper.
[edit] Browser integration
When connecting to a site with an invalid certificate, older browsers would present the
user with a dialog box asking if they wanted to continue. Newer browsers display a
warning across the entire window. Newer browsers also prominently display the site's
security information in the address bar.
Extended validation certificates turn the address bar green in newer browsers. Most
browsers also pop up a warning to the user when visiting a site that contains a mixture of
encrypted and unencrypted content.

Many web browsers use the address bar to tell Most web browsers alert the user when
the user that their connection is secure, often visiting sites that have invalid security
by coloring the background. certificates.
[edit] Technical
[edit] Difference from HTTP
As opposed to HTTP URLs which begin with "http://" and use port 80 by default, HTTPS
URLs begin with "https://" and use port 443 by default.
HTTP is insecure and is subject to man-in-the-middle and eavesdropping attacks which
can let attackers gain access to website accounts and sensitive information. HTTPS is
designed to withstand such attacks and is secure (except for old deprecated versions of
SSL).
[edit] Network layers
HTTP operates at the highest layer of the OSI Model, the Application layer; but the
security protocol operates at a lower sublayer, encrypting an HTTP message prior to
transmission and decrypting a message upon arrival. Strictly speaking, HTTPS is not a
separate protocol, but refers to use of ordinary HTTP over an encrypted Secure Sockets
Layer (SSL) or Transport Layer Security (TLS) connection.
[edit] Server setup
To prepare a web server to accept HTTPS connections, the administrator must create a
public key certificate for the web server. This certificate must be signed by a trusted
certificate authority for the web browser to accept it. The authority certifies that the
certificate holder is indeed the entity it claims to be. Web browsers are generally
distributed with the signing certificates of major certificate authorities so that they can
verify certificates signed by them.
[edit] Acquiring certificates
Authoritatively signed certificates may be free [1] [2] or cost between US$13[3] and
$1,500[4] per year.
Organizations may also run their own certificate authority, particularly if they are
responsible for setting up browsers to access their own sites (for example, sites on a
company intranet, or major universities). They can easily add copies of their own signing
certificate to the trusted certificates distributed with the browser.
Peer-to-peer certificate authorities also exist.[citation needed]
[edit] Use as access control
The system can also be used for client authentication in order to limit access to a web
server to authorized users. To do this, the site administrator typically creates a certificate
for each user, a certificate that is loaded into his/her browser. Normally, that contains the
name and e-mail address of the authorized user and is automatically checked by the
server on each reconnect to verify the user's identity, potentially without even entering a
password.
[edit] In case of compromised private key
A certificate may be revoked before it expires, for example because the secrecy of the
private key has been compromised. Newer versions of popular browsers such as Firefox,
[5]
Opera,[6] and Internet Explorer on Windows Vista[7] implement the Online Certificate
Status Protocol (OCSP) to verify that this is not the case. The browser sends the
certificate's serial number to the certificate authority or its delegate via OCSP and the
authority responds, telling the browser whether or not the certificate is still valid.[8]
[edit] Limitations
The level of protection depends on the correctness of the implementation of the web
browser and the server software and the actual cryptographic algorithms supported. See
list in HTTP_Secure#Main idea.
Also, HTTPS is vulnerable when applied to publicly-available static content. The entire
site can be indexed using a web crawler, and the URI of the encrypted resource can be
inferred by knowing only the intercepted request/response size.[9] This allows an attacker
to have access to the plaintext (the publicly-available static content), and the encrypted
text (the encrypted version of the static content), permitting a cryptographic attack.
Because SSL operates below HTTP and has no knowledge of higher-level protocols, SSL
servers can only strictly present one certificate for a particular IP/port combination.[10]
This means that, in most cases, it is not feasible to use name-based virtual hosting with
HTTPS. A solution called Server Name Indication (SNI) exists which sends the hostname
to the server before encrypting the connection, although many older browsers don't
support this extension. Support for SNI is available since Firefox 2, Opera 8, and Internet
Explorer 7 on Windows Vista.[11][12][13]
If parental controls are enabled on Mac OS X, HTTPS sites must be explicitly allowed
using the Always Allow list.[14]
[edit] History
Netscape Communications created HTTPS in 1994 for its Netscape Navigator web
browser.[15] Originally, HTTPS was used with SSL encryption. As SSL evolved into
Transport Layer Security (TLS), the current version of HTTPS was formally specified by
RFC 2818 in May 2000.[16]
[edit] See also
• AAA protocol
• Computer security
• Secure Hypertext Transfer Protocol
• Stunnel
[edit] References
1. ^ "Free SSL Certificates from a Free Certificate Authority". sslshopper.com.
http://www.sslshopper.com/article-free-ssl-certificates-from-a-free-certificate-
authority.html. Retrieved 2009-10-24.
2. ^ Justin Fielding (2007-07-16). "Secure Outlook Web Access with (free) SSL:
Part 1". TechRepublic. http://blogs.techrepublic.com/networking/?
p=293&tag=rbxccnbtr1. Retrieved 2009-10-24.
3. ^ "SSL Certificate Services". Go Daddy.
http://www.godaddy.com/gdshop/compare/gdcompare_ssl.asp?isc=sslqgo002b.
Retrieved 6 May 2009.
4. ^ "Secure Site Pro with EV". VeriSign. http://www.verisign.com/ssl/buy-ssl-
certificates/extended-validation-pro-ssl-certificates/index.html. Retrieved 6 May
2009.
5. ^ "Mozilla Firefox Privacy Policy". Mozilla Foundation. 27 April 2009.
http://www.mozilla.com/en-US/legal/privacy/firefox-en.html. Retrieved 13 May
2009.
6. ^ "Opera 8 launched on FTP". Softpedia. 19 April 2005.
http://news.softpedia.com/news/Opera-8-launched-on-FTP-1330.shtml. Retrieved
13 May 2009.
7. ^ Lawrence, Eric (31 January 2006). "HTTPS Security Improvements in Internet
Explorer 7". MSDN. http://msdn.microsoft.com/en-us/library/bb250503.aspx.
Retrieved 13 May 2009.
8. ^ Myers, M; Ankney, R; Malpani, A; Galperin, S; Adams, C (June 1999). "Online
Certificate Status Protocol - OCSP". Internet Engineering Task Force.
http://tools.ietf.org/html/rfc2560. Retrieved 13 May 2009.
9. ^ Pusep, Stanislaw (31 July 2008). "The Pirate Bay un-SSL".
http://sysd.org/stas/node/220. Retrieved 6 March 2009.
10. ^ Apache FAQ: Why can't I use SSL with name-based/non-IP-based virtual
hosts?
11. ^ Lawrence, Eric (22 October 2005). "Upcoming HTTPS Improvements in
Internet Explorer 7 Beta 2". Microsoft.
http://blogs.msdn.com/ie/archive/2005/10/22/483795.aspx. Retrieved 12 May
2009.
12. ^ Server Name Indication (SNI)
 13. ^ Mozilla 1.8
14. ^ Mac OS X 10.5: About the Parental Controls Internet content filter
15. ^ Walls, Colin (2005). Embedded software. pp. 344.
http://books.google.com/books?id=FLvsis4_QhEC&pg=PA344.
16. ^ Rescorla, E (May 2000). "HTTP Over TLS". Internet Engineering Task Force.
http://tools.ietf.org/html/rfc2818. Retrieved 6 May 2009.
[edit] External links
• RFC 2818: HTTP Over TLS
• SSL 3.0 Specification (IETF)
• Apache-SSL homepage (No longer actively developed)
• Apache 2.2 mod_ssl documentation
• HTTPS Protocol in Internet Explorer Development - MSDN
• Manually Configuring Windows Communication Foundation (WCF) when using
HTTP and HTTPS - MSDN
• HTTPS Security Improvements in Internet Explorer 7 & its Compatibility Impact
- MSDN
• View this Wikipedia article (and others) with HTTPS/SSL encryption
• curl-loader - HTTPS loading/testing open-source SW

v•d•e
URI scheme

aaa · aaas · acap · cap · cid · crid · data · dav · dict · dns · fax · file · ftp ·
go · gopher · h323 · http · https · im · imap · Info · ldap · mailto · mid ·
Official
news · nfs · nntp · pop · pres · rtsp · sip · sips · snmp · tag · tel · telnet ·
urn · wais · xmpp

about · afp · aim · apt · bolo · bzr · callto · cel · cvs · daap · disk · ed2k ·
feed · fish · gg · git · gizmoproject · iax2 · irc · ircs · itms · lastfm · ldaps ·
Unofficial magnet · mms · msnim · psyc · rsync · secondlife · skype · ssh · svn · sftp ·
smb · sms · soldat · steam · unreal · ut2004 · view-source · vzochat ·
webcal · winamp · wyciwyg · xfire · ymsgr

Protocol List
Retrieved from "http://en.wikipedia.org/wiki/HTTP_Secure"
Categories: HTTP | Cryptographic protocols | Secure communication | URI scheme
Hidden categories: All articles with unsourced statements | Articles with unsourced
statements from September 2009
Views
• Article
• Discussion
• Edit this page
• History
Personal tools
• Try Beta
 • Log in / create account

Navigation
• Main page
• Contents
• Featured content
• Current events
• Random article
Search
Go Search

Interaction
• About Wikipedia
• Community portal
• Recent changes
• Contact Wikipedia
• Donate to Wikipedia
• Help
Toolbox
• What links here
• Related changes
• Upload file
• Special pages
• Printable version
• Permanent link
• Cite this page
Languages
• Afrikaans
• Català
• Česky
• Dansk
• Deutsch
• Ελληνικά
• Español
• Euskara
• Français
• 한국어
• Bahasa Indonesia
• Italiano
• Қазақша
• Magyar
• Nederlands
• 日本語
• Norsk (bokmål)
• Polski
• Português
• Română
• Русский
• Slovenčina
• Slovenščina
• Suomi
• Svenska
• Türkçe
• Українська
• 中文

• This page was last modified on 5 March 2010 at 14:50.

• Text is available under the Creative Commons Attribution-ShareAlike License;
additional terms may apply. See Terms of Use for details.
Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc., a non-
profit organization.
• Contact us
• Privacy policy
• About Wikipedia
• Disclaimers