Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encryption and secure identification of the server. HTTPS connections are often used for payment transactions on the World Wide Web and for sensitive transactions in corporate information systems. HTTPS should not be confused with Secure HTTP (S-HTTP) specified in RFC 2660.
Main idea
For more details on this topic, see Transport Layer Security#How it works. The main idea of HTTPS is to create a secure channel over an insecure network. This ensures reasonable protection from eavesdroppers and man-in-the-middle attacks, provided that adequate cipher suites are used and that the server certificate is verified and trusted.
The trust inherent in HTTPS is based on major certificate authorities which come pre-installed in browser software (this is equivalent to saying "I trust certificate authority (e.g. VeriSign/Microsoft/etc.) to tell me who I should trust"). Therefore an HTTPS connection to a website can be trusted if and only if all of the following are true:
- The user trusts the certificate authority to vouch only for legitimate websites without misleading names.
- The website provides a valid certificate (an invalid certificate shows a warning in most browsers), which means it was signed by a trusted authority.
- The certificate correctly identifies the website (e.g. visiting https://example and receiving a certificate for "Example Inc." and not anything else [see above]).
- Either the intervening hops on the Internet are trustworthy, or the user trusts that the protocol's encryption layer (TLS or SSL) is unbreakable by an eavesdropper.
Browser integration
When connecting to a site with an invalid certificate, older browsers would present the user with a dialog box asking if they wanted to continue. Newer browsers display a warning across the entire window. Newer browsers also prominently display the site's security information in the address bar.
Extended validation certificates turn the address bar green in newer browsers. Most browsers also pop up a warning to the user when visiting a site that contains a mixture of encrypted and unencrypted content.
[Figure] Many web browsers, including Firefox (shown here), use the address bar to tell the user that their connection is secure, often by coloring the background.
[Figure] Most web browsers alert the user when visiting sites that have invalid security certificates. This example is from Firefox.
Technical
Difference from HTTP
As opposed to HTTP URLs, which begin with "http://" and use port 80 by default, HTTPS URLs begin with "https://" and use port 443 by default.
HTTP is insecure and is subject to man-in-the-middle and eavesdropping attacks which can let attackers gain access to website accounts and sensitive information. HTTPS is designed to withstand such attacks and is considered secure (with the exception of older deprecated versions of SSL).
Network layers
HTTP operates at the highest layer of the OSI Model, the Application layer; but the security protocol operates at a lower sublayer, encrypting an HTTP message prior to transmission and decrypting a message upon arrival. Strictly speaking, HTTPS is not a separate protocol, but refers to use of ordinary HTTP over an encrypted Secure Sockets Layer (SSL) or Transport Layer Security (TLS) connection.
Server setup
To prepare a web server to accept HTTPS connections, the administrator must create a public key certificate for the web server. This certificate must be signed by a trusted certificate authority for the web browser to accept it. The authority certifies that the certificate holder is indeed the entity it claims to be. Web browsers are generally distributed with the signing certificates of major certificate authorities so that they can verify certificates signed by them.
Acquiring certificates
Authoritatively signed certificates may be free [1][2] or cost between US$13[3] and $1,500[4] per year.
Organizations may also run their own certificate authority, particularly if they are responsible for setting up browsers to access their own sites (for example, sites on a company intranet, or major universities). They can easily add copies of their own signing certificate to the trusted certificates distributed with the browser.
Peer-to-peer certificate authorities also exist.[citation needed]
Use as access control
The system can also be used for client authentication in order to limit access to a web server to authorized users. To do this, the site administrator typically creates a certificate for each user, a certificate that is loaded into his/her browser. Normally, that certificate contains the name and e-mail address of the authorized user and is automatically checked by the server on each reconnect to verify the user's identity, potentially without even entering a password.
In case of compromised private key
A certificate may be revoked before it expires, for example because the secrecy of the private key has been compromised. Newer versions of popular browsers such as Firefox,[5] Opera,[6] and Internet Explorer on Windows Vista[7] implement the Online Certificate Status Protocol (OCSP) to verify that this is not the case. The browser sends the certificate's serial number to the certificate authority or its delegate via OCSP and the authority responds, telling the browser whether or not the certificate is still valid.[8]
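The conditions listed under "Main idea" and the OCSP revocation lookup described here, combined into one browser-side model (an added example, not code from the article). Certificates, the trust store and the responder's revoked-serial set are constructed inline; the "issuer" field stands in for a signature that a real client would verify with the issuer's public key.

```python
from datetime import date

TRUST_STORE = {"Example Root CA"}   # constructed: CAs shipped pre-installed with the browser
TODAY = date(2010, 7, 1)            # constructed "current date" for the validity checks

# Constructed certificates keyed by subject; "issuer" stands for a verified signature.
CERTS = {
    "Example Root CA": dict(issuer="Example Root CA", serial=1, san=[],
                            not_before=date(2009, 1, 1), not_after=date(2030, 1, 1)),
    "Example Issuing CA": dict(issuer="Example Root CA", serial=2, san=[],
                               not_before=date(2009, 6, 1), not_after=date(2020, 6, 1)),
    "example.com": dict(issuer="Example Issuing CA", serial=4101,
                        san=["example.com", "*.example.com"],
                        not_before=date(2010, 1, 1), not_after=date(2011, 1, 1)),
    "shop.example.net": dict(issuer="Example Issuing CA", serial=4102,
                             san=["shop.example.net"],
                             not_before=date(2010, 1, 1), not_after=date(2011, 1, 1)),
    "self-signed.test": dict(issuer="self-signed.test", serial=7, san=["self-signed.test"],
                             not_before=date(2010, 1, 1), not_after=date(2011, 1, 1)),
}
REVOKED_SERIALS = {4102}   # constructed OCSP responder state: the key for 4102 leaked


def hostname_matches(hostname, pattern):
    """Condition 3: the certificate names the site.  A wildcard is accepted only as
    the whole leftmost label and matches exactly one label, so *.example.com covers
    www.example.com but neither example.com nor a.b.example.com."""
    host = hostname.lower().split(".")
    pat = pattern.lower().split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return host[1:] == pat[1:]
    return host == pat


def chain_is_trusted(subject, today, max_depth=5):
    """Conditions 1 and 2: follow issuer links until a pre-installed CA is reached,
    requiring every certificate on the path to be inside its validity period."""
    for _ in range(max_depth):
        cert = CERTS.get(subject)
        if cert is None:
            return False, "issuer %r unknown" % subject
        if not (cert["not_before"] <= today <= cert["not_after"]):
            return False, "%s is outside its validity period" % subject
        if subject in TRUST_STORE:
            return True, "ok"
        if cert["issuer"] == subject:            # self-signed and not in the store
            return False, "%s is self-signed and not trusted" % subject
        subject = cert["issuer"]
    return False, "chain too long"


def ocsp_status(serial):
    """The OCSP exchange reduced to its result: the responder is asked about a
    serial number and answers good or revoked."""
    return "revoked" if serial in REVOKED_SERIALS else "good"


def connection_trusted(hostname, presented_subject, today=TODAY):
    """Apply the checks in order; the first failure decides the outcome."""
    cert = CERTS.get(presented_subject)
    if cert is None:
        return False, "no certificate presented"
    if not any(hostname_matches(hostname, n) for n in cert["san"]):
        return False, "certificate does not name %s" % hostname
    ok, why = chain_is_trusted(presented_subject, today)
    if not ok:
        return False, why
    if ocsp_status(cert["serial"]) == "revoked":
        return False, "certificate serial %d has been revoked" % cert["serial"]
    return True, "ok"
```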
Limitations
SSL comes in two options, simple and mutual.
The mutual flavor is more secure but requires the user to install a personal certificate in their browser in order to authenticate themselves.
Whatever strategy is used (simple or mutual), the level of protection strongly depends on the correctness of the implementation of the web browser and the server software and the actual cryptographic algorithms supported. See list in HTTP_Secure#Main idea.
SSL doesn't prevent the entire site from being indexed using a web crawler, and the URI of the encrypted resource can be inferred by knowing only the intercepted request/response size.[9] This allows an attacker to have access to the plaintext (the publicly-available static content) and the encrypted text (the encrypted version of the static content), permitting a cryptographic attack (such as a chosen-ciphertext attack).
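The size side-channel described above on a constructed site map, together with the padding mitigation that blunts it (an added example, not from the article). The resource table, the fixed per-record overhead and the padding granularity are all assumptions made for illustration.

```python
# Constructed: a site's public static resources and their plaintext sizes in bytes.
STATIC_RESOURCES = {
    "/index.html": 5120,
    "/about.html": 5300,
    "/css/site.css": 2048,
    "/js/app.js": 40217,
    "/img/logo.png": 8890,
    "/account/statement.html": 5120,   # sensitive page that happens to match index.html
}
TLS_OVERHEAD = 21   # assumed constant record overhead; real values depend on the cipher suite


def observed_length(plaintext_len, pad_to=None):
    """Bytes an eavesdropper sees for one response.  Without padding the ciphertext
    length tracks the plaintext length exactly (plus a fixed overhead), which is
    what makes the URI inferable.  With pad_to set, the plaintext is first rounded
    up to a multiple of that bucket size."""
    if pad_to:
        plaintext_len = -(-plaintext_len // pad_to) * pad_to   # ceiling division
    return plaintext_len + TLS_OVERHEAD


def infer_uri(wire_len, pad_to=None):
    """What an observer can conclude from a single response length: every resource
    whose expected on-wire size equals the observation.  One candidate means the
    URI leaked; several means the observer is left with an ambiguity."""
    return sorted(uri for uri, size in STATIC_RESOURCES.items()
                  if observed_length(size, pad_to) == wire_len)


def anonymity_set(pad_to=None):
    """Defender's view: for each resource, how many resources it is indistinguishable
    from at a given padding granularity (1 = fully identifiable by size alone)."""
    return {uri: len(infer_uri(observed_length(size, pad_to), pad_to))
            for uri, size in STATIC_RESOURCES.items()}
```

Padding trades bandwidth for a larger anonymity set; it reduces, but does not remove, what response sizes reveal.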
Because SSL operates below HTTP and has no knowledge of higher-level protocols, SSL servers can only strictly present one certificate for a particular IP/port combination.[10] This means that, in most cases, it is not feasible to use name-based virtual hosting with HTTPS. A solution called Server Name Indication (SNI) exists which sends the hostname to the server before encrypting the connection, although many older browsers don't support this extension. Support for SNI is available since Firefox 2, Opera 8, and Internet Explorer 7 on Windows Vista.[11][12][13]
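To show what the server actually has in hand when it must choose a certificate, the following added example (not from the article) builds a minimal TLS ClientHello with and without the SNI extension and parses the hostname back out. The record layout follows the TLS handshake format (RFC 5246) and the SNI extension (type 0x0000, RFC 6066); the single cipher suite and the certificate labels are constructed for illustration.

```python
import struct

SNI_EXTENSION_TYPE = 0


def build_client_hello(server_name=None):
    """Constructed minimal ClientHello (TLS 1.0 record version, one cipher suite).
    With server_name=None it looks like a hello from a browser without SNI."""
    body = b"\x03\x01" + bytes(32)                    # client_version, random (zeroed)
    body += b"\x00"                                    # empty session_id
    body += struct.pack(">H", 2) + b"\x00\x2f"        # cipher_suites: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                                # compression_methods: null only
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack(">H", len(name)) + name      # NameType host_name (0)
        sni = struct.pack(">H", len(entry)) + entry                 # ServerNameList
        ext = struct.pack(">HH", SNI_EXTENSION_TYPE, len(sni)) + sni
        body += struct.pack(">H", len(ext)) + ext                   # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake   # ContentType handshake


def parse_sni(record):
    """Return the host_name carried in the SNI extension, or None if the client
    sent none.  This is all the server knows about the requested site before it
    commits to a certificate."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9 + 2 + 32                                           # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                                     # session_id
    pos += 2 + struct.unpack(">H", record[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + record[pos]                                     # compression_methods
    if pos >= len(record):
        return None                                            # no extensions at all
    ext_end = pos + 2 + struct.unpack(">H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack(">HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        list_len = struct.unpack(">H", data[:2])[0]
        cursor = 2
        while cursor + 3 <= 2 + list_len:
            name_type = data[cursor]
            name_len = struct.unpack(">H", data[cursor + 1:cursor + 3])[0]
            name = data[cursor + 3:cursor + 3 + name_len]
            cursor += 3 + name_len
            if name_type == 0:                                 # host_name
                return name.decode("idna")
    return None


def select_certificate(record, certificates, default_cert):
    """Name-based virtual hosting at the TLS layer: serve the certificate for the
    requested host, or fall back to the one certificate an IP/port pair can offer
    when the client (an older browser) sent no SNI."""
    name = parse_sni(record)
    return certificates.get(name, default_cert) if name else default_cert
```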
If parental controls are enabled on Mac OS X, HTTPS sites must be explicitly allowed using the Always Allow list.[14]
From an architectural point of view:
1- An SSL connection is managed by the first front machine which initiates the SSL connection. If for any reason (routing, traffic optimization, etc.) this front machine is not the application server and it has to decipher data, solutions have to be found to propagate user authentication information or the certificate to the application server, which needs to know who is going to be connected.
2- For SSL with mutual authentication, the SSL session is managed by the first server which initiates the connection. In situations where encryption has to be propagated along chained servers, session timeout management becomes extremely tricky to implement.
3- With mutual SSL, security is maximal, but on the client side there is no way to properly end the SSL connection and disconnect the user except by waiting for the SSL server session to expire or closing all related client applications.
4- For performance reasons, static content is usually delivered through an unencrypted front server or a separate server instance with no SSL; as a consequence, this content is usually not protected.
History
Netscape Communications created HTTPS in 1994 for its Netscape Navigator web browser.[15] Originally, HTTPS was used with SSL encryption. As SSL evolved into Transport Layer Security (TLS), the current version of HTTPS was formally specified by RFC 2818 in May 2000.[16]