Tuesday, May 31, 2022

HTTPS | What is HTTPS | HTTPS Connection | Working of HTTPS | HTTP vs HTTPS | Purpose of HTTPS

HTTPS

HTTPS stands for “Hyper Text Transfer Protocol Secure”.

What is HTTPS?

HTTPS is a protocol used for communication between a web browser and a web server. HTTPS is the secure version of HTTP.

Purpose of HTTPS

HTTPS provides confidentiality and integrity of data between the user's computer and the website. HTTPS encrypts the URL, username, password and other sensitive information of the user.

What is the default port number of HTTPS?

443 is the default port number of HTTPS.

Do search engines use HTTP or HTTPS?

Search engines use HTTPS.


Working of HTTPS

Figure: How HTTPS works?

In the figure above, the user interacts with the server, and the server uses HTTPS, which provides a secure connection between client and server. An SSL certificate is installed on the server side; when HTTP runs over SSL, it becomes HTTPS. The connection is secured, which means all data is in encrypted form during transmission. A hacker or attacker cannot get any information from that connection.

When HTTPS is used, the following elements are encrypted during communication:

URL of the requested document

Contents of the document

Contents of browser forms (filled in by browser user)

Cookies sent from browser to server and from server to browser

Contents of HTTP header

 

HTTPS Connection

An HTTPS connection proceeds in three phases: Connection Initiation, Data Transfer, Connection Closure.

Figure: HTTPS Connection Phases

Connection Initiation

HTTPS uses the TLS handshake protocol to establish a connection between client and server.

Client Hello to server: The client sends a hello request to the server to start connection initiation.

Digital Certificate shared by server: The server shares its digital certificate with the client in order to share the server's public key.

Secret Key shared with server: The client generates a secret key and shares it with the server. This secret key is encrypted using the server's public key. It can be decrypted only with the server's private key.

End handshaking: When the connection is established, the TLS handshake ends.

We need to be clear that there are three levels of awareness of a connection in HTTPS: at the HTTP level, at the level of TLS, and at the level of TCP.

At the HTTP level, an HTTP client requests a connection to an HTTP server by sending a connection request to the next lowest layer. Typically, the next lowest layer is TCP, but it also may be TLS/SSL. At the level of TLS, a session is established between a TLS client and a TLS server. This session can support one or more connections at any time. As we have seen, a TLS request to establish a connection begins with the establishment of a TCP connection between the TCP entity on the client side and the TCP entity on the server side.

 

Data Transfer

Data transfer is done by sending HTTP requests as TLS application data. All HTTP data is to be sent as TLS application data. Normal HTTP behaviour, including retained connections, should be followed.

 

Connection Closure

Connection closure should be done at three levels: HTTP Level, TLS Level, TCP Level.

An HTTP client or server can indicate the closing of a connection by including the following line in an HTTP record: Connection: close. This indicates that the connection will be closed after this record is delivered. The closure of an HTTPS connection requires that TLS close the connection with the peer TLS entity on the remote side, which will involve closing the underlying TCP connection. At the TLS level, the proper way to close a connection is for each side to use the TLS alert protocol to send a close_notify alert. TLS implementations must initiate an exchange of closure alerts before closing a connection.

A TLS implementation may, after sending a closure alert, close the connection without waiting for the peer to send its closure alert, generating an “incomplete close”. Note that an implementation that does this may choose to reuse the session. This should only be done when the application knows (typically through detecting HTTP message boundaries) that it has received all the message data that it cares about. HTTP clients also must be able to cope with a situation in which the underlying TCP connection is terminated without a prior close_notify alert and without a Connection: close indicator. Such a situation could be due to a programming error on the server or a communication error that causes the TCP connection to drop. However, the unannounced TCP closure could be evidence of some sort of attack. So the HTTPS client should issue some sort of security warning when this occurs.
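The closure rules above, as an added example that is not part of the original post: a client-side check that uses HTTP message boundaries to decide whether a connection that ended without close_notify is a tolerable incomplete close or a possible truncation that deserves a warning. The function names, outcome labels and sample responses are constructed for illustration.

```python
# Constructed sample responses (not captured traffic).
FULL = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
CUT = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhel"
CHUNKED = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"
UNFRAMED = b"HTTP/1.0 200 OK\r\n\r\nbalance: 100"  # body ends only at close

def chunked_complete(body):
    """True only if the zero-length last chunk was received (trailers not parsed)."""
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return False
        try:
            size = int(body[pos:eol].split(b";")[0], 16)
        except ValueError:
            return False
        if size == 0:
            return True
        if size < 0:
            return False
        pos = eol + 2 + size + 2          # size-line CRLF, data, data CRLF
        if pos > len(body):
            return False

def body_complete(raw):
    """True/False when HTTP framing settles it; None if only a close ends the body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False                       # headers themselves were cut off
    headers = {}
    for line in head.split(b"\r\n")[1:]:   # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if b"chunked" in headers.get(b"transfer-encoding", b""):
        return chunked_complete(body)
    length = headers.get(b"content-length")
    if length is not None:
        return length.isdigit() and len(body) >= int(length)
    return None

def classify_close(raw, got_close_notify):
    """got_close_notify: whether the peer's TLS close_notify preceded the TCP close."""
    complete = body_complete(raw)
    if got_close_notify and complete is not False:
        return "clean"
    if complete is True:
        return "incomplete-close"          # tolerable: message boundary reached
    return "warn"                          # possible truncation, alert the user
```

A response with no Content-Length and no chunked encoding is the case where close_notify matters most: without it, the client cannot tell a finished body from one cut short.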

 

Difference between HTTP and HTTPS (HTTP vs HTTPS)

