What is HTTPS (Hypertext Transfer Protocol Secure)?


Hypertext Transfer Protocol Secure (HTTPS) is a protocol with which websites and data can be encrypted and securely exchanged between web servers and web browsers on the Internet. It uses end-to-end encryption and authentication.

The abbreviation HTTPS stands for Hypertext Transfer Protocol Secure. It is a protocol for the secure transmission of information on the Internet. It is mainly used for encrypted communication between a user’s web browser and the web server.

HTTPS was originally developed by Netscape and published in their browser. Today all popular browsers support HTTPS. The installation of additional software is not necessary. With the Hypertext Transfer Protocol Secure, confidentiality and integrity can be established when exchanging data between client and server on the World Wide Web. The protocol uses end-to-end encryption and authentication for this.

From a technical point of view, the protocol inserts an additional layer between HTTP (Hypertext Transfer Protocol) and TCP ( Transmission Control Protocol ). With the help of authentication, the communication partners can check the identity of the other when establishing the connection. This prevents phishing or man-in-the-middle attacks.

As a rule, only the requested web server authenticates itself; client authentication is also possible, but is rarely used. Encrypted connections can be recognized in the address line of the browser starting with „https: //” instead of „http: //”. In addition, the browser displays symbols in front of the address, such as a lock as an indication of an encrypted connection.

How the Hypertext Transfer Protocol Secure works

The Hypertext Transfer Protocol Secure uses TLS ( Transport Layer Security ) as an intermediate layer between HTTP and TCP. TLS uses various mechanisms for the secure connection. Communication partners authenticate themselves using certificates. The certificates are issued by a trustworthy authority, a so-called Certificate Authority (CA). The actual communication is encrypted by a session key that is only valid for the respective session.

Usually only the service provider (web server) authenticates itself to the client with a certificate. This ensures that the user is actually connected to the web server that he has addressed. As far as the actual retrieval of the Internet pages from the web server is concerned, HTTPS is identical to HTTP. Pages are requested via requests and then delivered by the server with its response.

The Hypertext Transfer Protocol Secure uses port 443 as the standard port.Unencrypted HTTP is usually carried out via port 80. A web server needs an SSL library such as OpenSSL in order to be able to deliver pages via HTTPS. In almost all common web hosting installations, an SSL library is either already included or can be easily retrofitted.

Use of the Hypertext Transfer Protocol Secure

The main application for the Hypertext Transfer Protocol Secure is the secure transmission of web pages on the Internet. The use of HTTPS is also being pushed by search providers such as Google, as encrypted pages are rewarded with better positions in the result lists. The increasing use of open, usable for the general public WLANs contributes to the spread of HTTPS, as wireless -User can protect the end-to-end encrypted connections from unauthorized interception of other Wi-Fi users. The content is then encrypted independently of the WLAN protocol. Since TLS represents its own intermediate layer between TCP and protocols of higher layers, it can be used to secure other protocols such as SMTPS, IMAPS and FTPS.

Special features and security aspects of the Hypertext Transfer Protocol Secure

With the Hypertext Transfer Protocol Secure, the trustworthiness of the identity of the server largely depends on the authenticity of the certificate. The web browser must decide whether the identity of the web server can be trusted using a list of trusted CAs and a validity date. However, improper work by the certification authorities or illegally acquired certificates can compromise the secure authentication of the Hypertext Transfer Protocol Secure.