HTTPS
HTTPS stands for “Hyper Text Transfer Protocol Secure”.
What is HTTPS?
HTTPS is a protocol used for communication between a web browser and a web server. HTTPS is the secure version of HTTP.
Purpose of HTTPS
HTTPS provides confidentiality and integrity of data between the user's computer and the website. HTTPS encrypts the URL, username, password and sensitive information of the user.
What is the default port number of HTTPS?
443 is the default port number of HTTPS.
Does a search engine use HTTP or HTTPS?
Search engines use HTTPS.
Working of HTTPS
Figure: How HTTPS works
In the above figure, the user interacts with the server and the server uses secure HTTPS; it shows a secure connection between client and server. An SSL certificate is added at the server side. So, when HTTP uses SSL, it becomes HTTPS. The connection is secured, which means all the data is in encrypted form during transmission. A hacker or attacker cannot get any information from that connection.
When HTTPS is used, the following elements are encrypted during communication:
URL of the requested document
Contents of the document
Contents of browser forms (filled in by browser user)
Cookies sent from browser to server and from server to browser
Contents of HTTP header
HTTPS Connection
An HTTPS connection executes in three phases: Connection Initiation, Data Transfer, Connection Closure.
Figure: HTTPS Connection Phases
Connection Initiation
HTTPS uses the TLS handshake protocol to establish a connection between client and server.
Client Hello to server: The client sends a hello request to the server to start connection initiation.
Digital Certificate shared by server: The server shares its digital certificate with the client in order to share the server's public key.
Secret Key shared with server: The client generates a secret key and shares it with the server. This secret key is encrypted using the server’s public key. It can be decrypted only with the server’s private key.
End handshaking: When the connection is established, the TLS handshake ends.
We need to be clear that there are three levels of awareness of a connection in HTTPS: at the HTTP level, at the level of TLS, and at the level of TCP.
At the HTTP level, an HTTP client requests a connection to an HTTP server by sending a connection request to the next lowest layer. Typically, the next lowest layer is TCP, but it also may be TLS/SSL. At the level of TLS, a session is established between a TLS client and a TLS server. This session can support one or more connections at any time. As we have seen, a TLS request to establish a connection begins with the establishment of a TCP connection between the TCP entity on the client side and the TCP entity on the server side.
Data Transfer
Data transfer is done by sending the HTTP request as TLS application data. All HTTP data is to be sent as TLS application data. Normal HTTP behaviour, including retained connections, should be followed.
Connection Closure
Connection closure should be done at three levels: HTTP level, TLS level, TCP level.
An HTTP client or server can indicate the closing of a connection by including the following line in an HTTP record: Connection: close. This indicates that the connection will be closed after this record is delivered. The closure of an HTTPS connection requires that TLS close the connection with the peer TLS entity on the remote side, which will involve closing the underlying TCP connection. At the TLS level, the proper way to close a connection is for each side to use the TLS alert protocol to send a close_notify alert. TLS implementations must initiate an exchange of closure alerts before closing a connection.
A TLS implementation may, after sending a closure alert, close the connection without waiting for the peer to send its closure alert, generating an “incomplete close”. Note that an implementation that does this may choose to reuse the session. This should only be done when the application knows (typically through detecting HTTP message boundaries) that it has received all the message data that it cares about. HTTP clients also must be able to cope with a situation in which the underlying TCP connection is terminated without a prior close_notify alert and without a Connection: close indicator. Such a situation could be due to a programming error on the server or a communication error that causes the TCP connection to drop. However, the unannounced TCP closure could be evidence of some sort of attack. So the HTTPS client should issue some sort of security warning when this occurs.
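The closure checks described above, as an added example in Python that is not part of the original page. The helper names read_until_close() and check_close() are hypothetical, the sample response is constructed, and the socket is assumed to be an ssl.SSLSocket created with suppress_ragged_eofs=False, so that a TCP drop without close_notify raises ssl.SSLEOFError instead of looking like a normal end of stream.

```python
import ssl

# Constructed sample: a complete response whose body is 5 bytes long.
SAMPLE_FULL = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"

def read_until_close(tls_sock):
    """Read to end of stream; return (data, got_close_notify).

    Assumes tls_sock is an ssl.SSLSocket wrapped with
    suppress_ragged_eofs=False (hypothetical helper, not from the page).
    """
    chunks = []
    while True:
        try:
            chunk = tls_sock.recv(4096)
        except (ssl.SSLEOFError, ConnectionResetError):
            # TCP connection dropped without a TLS close_notify alert.
            return b"".join(chunks), False
        if not chunk:
            # Empty read: the peer sent close_notify before closing.
            return b"".join(chunks), True
        chunks.append(chunk)

def check_close(raw, got_close_notify):
    """Decide whether the way the connection ended deserves a warning."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "warn: closed before the headers ended"
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    length = headers.get(b"content-length", b"")
    # HTTP message boundary: fewer body bytes than announced is truncation.
    if length.isdigit() and len(body) < int(length):
        return "warn: body truncated"
    if got_close_notify:
        return "ok: close_notify received"
    # Assumption: without close_notify, accept only a close the server
    # announced (Connection: close) on a body of known, complete length.
    if length.isdigit() and headers.get(b"connection") == b"close":
        return "ok: announced by Connection: close"
    return "warn: unannounced TCP close"

if __name__ == "__main__":
    print(check_close(SAMPLE_FULL, True))
    print(check_close(SAMPLE_FULL[:-2], False))
    print(check_close(SAMPLE_FULL, False))
```

A response with no Content-Length and no close_notify also falls through to the warning, because the close is then the only end-of-body marker and nothing authenticates it.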
Difference between HTTP and HTTPS (HTTP vs HTTPS)