If you need to know why to use HTTPS, there are numerous reasons.
There are many benefits to upgrading to HTTPS, including better search engine listings and performance. You will
also be able to use more functionality in browsers. HTTPS is one of the three core requirements for a
progressive web app.
HTTPS is also required to unlock modern browser features like service workers and hardware APIs like WebUSB and Bluetooth access.
SSL stands for Secure Sockets Layer. That protocol has been deprecated and replaced by Transport Layer Security (TLS). Because so many people got used to the SSL acronym we still use it, and the two terms are used interchangeably today, but the actual encryption is TLS, not SSL.
In the past SSL certificates were expensive. That has changed: today most certificates are free. If you pay for a certificate, you are buying one with a more rigorous screening process and possibly insurance.
So how does HTTPS or SSL work?
HTTPS is a secure form of the HTTP protocol. It wraps an encrypted layer, Transport Layer Security (TLS),
around HTTP. Clients and servers still communicate using HTTP, but the exchange is now secure because of the TLS wrapper.
Why is HTTPS important?
What Is the Difference Between HTTPS and HTTP?
Is HTTPS Secure?
Is HTTPS Encrypted?
Attackers can't read the data crossing the wire, and you know you are talking to the server you think you are.
HTTPS is an acronym that stands for Hyper Text Transport Protocol Secure. The 'secure' part is important
because it makes a huge difference.
HTTP is 'plain text': whether the payload is text or a binary file (like an image), anyone on the path can read or see it.
HTTPS is based on public/private-key cryptography. There is a key pair:
The public key is used for encryption.
The secret private key is required for decryption.
A certificate is a public key with a label identifying the owner.
How HTTP Works
Before diving into how HTTPS works, let's review how HTTP works.
HTTP is a request-response protocol used to communicate asynchronously between a client and a server.
For websites and pages the browser acts as the client and a web server like Apache or IIS acts as the server. The server hosts the files (HTML, audio, video files, etc.) and responds to client requests with the data. Depending on the request, a response also contains the status of the request.
The process involves a series of messages that go back and forth between the client and server. It starts with initiating a connection. After that a process known as TCP slow start kicks in. At this point data is passed between the two parties in data packets, which often requires multiple round trips.
TCP slow start is designed to gradually expand the amount of data traversing the wire each round trip. The initial packet size is 16kb and doubles on each subsequent round trip until a maximum size is reached. This maximum can vary, but tends to be around 4MB for most connections.
This process is used because the server does not know how much bandwidth the client can handle. Rather than overwhelming the client, the server starts with a gentle size and keeps increasing it until a limit is found.
The HTTPS Stack
HTTPS requires a TLS certificate to be installed on your server. You can apply certificates to different protocols, like HTTP (web), SMTP (email) and FTP. An SSL or TLS certificate works with your randomly generated keys (public and private), which are stored on your server. The public key is presented to the client and verified there, and the private key is used in the decryption process.
HTTP is just a protocol, but when paired with TLS, or Transport Layer Security, it becomes encrypted.
You may know TLS by another acronym, SSL. Secure Sockets Layer, or SSL, was the original way we secured the Internet.
As our standards evolved we retired SSL, but the acronym remains the more popular term for TLS.
If you look at a network stack diagram, HTTP is at the top, on top of TLS, which sits on top of TCP and IP.
I know those are a lot of acronyms, but don't worry.
When HTTP is combined with TLS you get HTTPS, the secure version of HTTP.
The HTTPS Handshake
When your browser connects to an HTTPS server, the server answers with its certificate. The browser checks whether
the certificate is valid:
the owner information needs to match the server name that the user requested.
the certificate needs to be signed by a trusted certification authority.
If one of these conditions is not met, the user is informed about the problem.
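The two checks above, as an added example that is not part of the original article: a small Python model of how a browser matches the requested server name against the names in a certificate (modern browsers use the Subject Alternative Name entries, with wildcard rules from RFC 6125) and then confirms the issuer is in its trust store. The certificate dictionary and the trust store are constructed for the example; the CA check is a simplified lookup and does not verify the CA's signature, which a real client also does.

```python
# Added example (not from the original article): simplified browser-side certificate checks.
# The certificate dict, hostnames and trust store below are constructed for illustration.

def hostname_matches(cert_names, requested_host):
    """True if requested_host matches one of the certificate's DNS names.

    Rules modelled on RFC 6125: comparison is case-insensitive, a '*' is only
    accepted as the entire left-most label, it must leave at least two more
    labels (so '*.com' is refused), and it never spans a dot, so
    '*.example.com' covers 'shop.example.com' but not 'a.b.example.com'."""
    host_labels = requested_host.rstrip(".").lower().split(".")
    for name in cert_names:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) != len(host_labels):
            continue  # a wildcard stands for exactly one label, so label counts must agree
        if "*" in name:
            # Refuse partial wildcards ('w*.example.com'), wildcards past the first
            # label, and wildcards that would match a whole public suffix.
            if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
                continue
        if all(p == "*" or p == h for p, h in zip(labels, host_labels)):
            return True
    return False


def check_certificate(cert, requested_host, trusted_cas):
    """Return the list of problems a browser would report; empty means accepted.

    cert is a constructed dict with 'subject_alt_names' (list of DNS names) and
    'issuer' (the CA's name). Only issuer membership in the trust store is
    checked here; signature verification over the certificate is omitted."""
    problems = []
    if not hostname_matches(cert.get("subject_alt_names", []), requested_host):
        problems.append(f"name mismatch: certificate is not issued for {requested_host}")
    if cert.get("issuer") not in trusted_cas:
        problems.append(f"untrusted issuer: {cert.get('issuer')}")
    return problems


# Constructed sample data: a trust store with one root and two certificates.
TRUST_STORE = {"Example Root CA"}
GOOD_CERT = {"subject_alt_names": ["example.com", "*.example.com"], "issuer": "Example Root CA"}
BAD_CERT = {"subject_alt_names": ["example.net"], "issuer": "Unknown CA"}

if __name__ == "__main__":
    for host in ("www.example.com", "a.b.example.com"):
        print(host, "->", check_certificate(GOOD_CERT, host, TRUST_STORE) or "OK")
    print("www.example.com (bad cert) ->", check_certificate(BAD_CERT, "www.example.com", TRUST_STORE))
```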