Who has never hesitated before typing their credit card details into a website? I have, and I suspect you have felt that way too. The thought is a very common one, since almost everything today can be done in the virtual world – a situation that became even more evident during the Covid-19 pandemic.
Our dependence on the virtual world, however, has a dark side: the cybercriminals who take advantage of the Internet to steal our data and, if they succeed, our money, too.
That's why it's crucial to pay attention to which websites we visit and the security they offer us. An easy way to do this is to check whether the website's address begins with HTTPS.
HTTPS is much more than an acronym, and it's extremely important for safe access to the Internet. So in this blog post, we will explain what HTTPS is and how it works.
What Is HTTPS?
HTTPS is the acronym for Hypertext Transfer Protocol Secure. As the name suggests, what sets it apart from HTTP is security. The basic function of the HTTPS protocol is to provide a secure channel for the transmission of information between the user and the server, or between servers, ensuring that data isn't intercepted and read by hackers. In other words, HTTPS is the secure version of the HTTP protocol.
Origin of HTTPS
Web data transmission began with the HTTP protocol, but HTTP has no way to protect data from being read by third parties. Making an online purchase or a bank transaction over this protocol is extremely dangerous, since an unprotected connection carrying this kind of information is easy prey for criminals.
Seeing this situation as both a gap and an opportunity, Netscape Communications Corporation created a security protocol in 1994 for transmitting credit card data securely over a network connection. And that's how HTTPS was born.
HTTPS: A Matter of Security
You may have noticed that before a website's address, at the beginning of your browser's address bar, a closed padlock sometimes appears. This padlock shows that the website has a valid security certificate and that the connection to it is encrypted, which means that your data is protected in transit.
HTTPS Basic Security Principles
The HTTPS protocol is based on three basic security principles:
- Confidentiality - consists of ensuring that the data transmitted is only accessed and viewed by those who are authorized.
- Integrity - certifies that the data that has been transmitted remains original, complete and unchanged throughout the journey, from the beginning to the end of the connection.
- Authenticity - certifies that any agents requesting access to protected information are really who they claim to be.
How Does HTTPS Work?
Put simply, the HTTPS protocol encrypts data so that communication is secure. Two protocols have been used to implement this encryption and the other security mechanisms: SSL (Secure Sockets Layer) and TLS (Transport Layer Security).
Following are some important elements of the HTTPS protocol security package.
Encryption – the technique of writing messages in code – is the key element of HTTPS security. It ensures that the text transmitted during communication is no longer in its plain form but is transformed into an apparently random combination of characters, so the data cannot be read if the transmission is intercepted by a third party.
There are two types of encryption, which vary according to the type of key used: symmetric encryption and asymmetric encryption.
In symmetric encryption, a single key is used both to encrypt and to decrypt the message; the sender and the recipient hold identical copies of it. In HTTPS, this shared key is known as the session key.
To use an analogy, it's as if the sender (client) and the recipient (server) exchanged a letter and the text written there was in a different language that only the two of them know how to translate. If anyone else has access to this message and wants to read what is written there, they won't understand anything. Instead, they will only see letters, numbers and symbols in an unreadable combination.
In this method, the sender must share the key with the recipient so that the recipient can interpret the message. This turns out to be a vulnerability, since the receiver needs the owner to hand the key over before anything can be decrypted. The key could be delivered in person, which is complicated if the parties are far apart, or by e-mail or online message, which is risky because the key itself could be intercepted. Although it is an option for simpler and less critical data, sharing keys in symmetric cryptography is a risk; sensitive data must instead be exchanged over a secure channel.
Unlike the previous method, asymmetric encryption – also known as public key cryptography – uses a pair of different keys, one public and one private. This change eliminated the vulnerability of having to share the (de)coding secret.
As the name says, the public key is available to everyone, so anyone can have access to it. The private key belongs exclusively to one user or institution and must be kept secret. To better understand this concept, imagine that the public key is your bank account number, which anyone may know. The private key is the password you use to make transactions in that account; that is, information restricted to the owner.
But how does encryption work when the two keys are different? Data encrypted with one key of the pair, whether public or private, can only be decrypted with the other key of the pair. That is, what one encrypts, the other decrypts.
When the public key is used to encrypt the original message and the private one is used to decrypt it, the intention is to guarantee the confidentiality of the message, since only the recipient can interpret the information. In turn, when encryption is done with the private key and decryption with the public one, the intention is to guarantee authenticity, since only the owner has access to the private key. The digital signature is an example of this.
To summarize, while asymmetric encryption is more secure, symmetric encryption is faster. They can even be used together, in a combination called hybrid encryption.
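As an added example (not code from the original post), the following Go program shows the hybrid scheme described above in working code: an ECDSA key pair plays the server's long-term identity (the private key signs, the public key verifies), ephemeral ECDH key pairs let both sides agree on a shared secret without ever sending it, and that secret becomes the symmetric AES-GCM session key that protects the data. Everything is constructed in-process: the server identity key, the ephemeral keys and the sample message are generated or made up here, and a single SHA-256 stands in for the HKDF key derivation that TLS itself uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under the symmetric session key (the fast part);
// the random nonce is prepended so the receiver can hand it to Open.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. GCM's authentication tag makes it reject any modified
// ciphertext, which is where the integrity guarantee comes from.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// Exchange runs one hybrid exchange between client and server in-process (ECDSA
// for authenticity, ECDH for key agreement, AES-GCM for the data) and returns
// the plaintext the server recovered.
func Exchange(message string) (string, error) {
	// Long-term server identity key; in HTTPS its public half is in the certificate.
	serverID, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	// Fresh (ephemeral) key pairs for this session only: the asymmetric part.
	curve := ecdh.P256()
	clientEph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	serverEph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	// Authenticity: the private identity key signs, the public identity key verifies.
	digest := sha256.Sum256(serverEph.PublicKey().Bytes())
	sig, err := ecdsa.SignASN1(rand.Reader, serverID, digest[:])
	if err != nil {
		return "", err
	}
	if !ecdsa.VerifyASN1(&serverID.PublicKey, digest[:], sig) {
		return "", errors.New("server signature did not verify")
	}
	// Key agreement: own private key + peer's public key gives both sides the same secret.
	clientShared, err := clientEph.ECDH(serverEph.PublicKey())
	if err != nil {
		return "", err
	}
	serverShared, err := serverEph.ECDH(clientEph.PublicKey())
	if err != nil {
		return "", err
	}
	// TLS derives the session key with HKDF; one SHA-256 keeps the example short.
	clientKey, serverKey := sha256.Sum256(clientShared), sha256.Sum256(serverShared)
	// Confidentiality: the application data travels under the symmetric session key.
	sealed, err := Seal(clientKey[:], []byte(message))
	if err != nil {
		return "", err
	}
	plain, err := Open(serverKey[:], sealed)
	return string(plain), err
}

func main() {
	fmt.Println(Exchange("order 42, total 19.90"))
}
```

The asymmetric operations (signature and key agreement) run once per connection, while Seal and Open are what every byte of application data goes through; that split is exactly why the hybrid form is both secure and fast. Flipping a single bit of the sealed output makes Open return an error instead of corrupted plaintext.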
In the 1990s, Netscape Communications Corporation created the SSL (Secure Sockets Layer) protocol as the standard for web security certificates. SSL defines the steps that a client and a server follow to establish secure communication with each other.
Regarding its architecture, SSL is a layer of the network protocol and it's located between the application and the transport layer, as displayed below.
In the SSL protocol, the client and server first agree on the algorithms that will be used for encryption and on the session keys. From there, the client is able to authenticate the server, and the server can request the client's certificate.
In this protocol, the request-response information exchanged in HTTPS communication – for example, bank details, passwords and user names entered to log in, and the address of the website to be visited – is encrypted and decrypted by SSL. Only the two parties involved in exchanging messages can interpret them. Thus, even if a hacker intercepts the information, it will be impossible to read or modify it.
The information an SSL certificate carries and verifies is:
- the user, institution, or device to whom the certificate was issued;
- the issue and expiration dates;
- the domain name;
- the associated subdomains; and
- the public key.
In other words, if the browser supports the SSL protocol and the server has a digital security certificate, they will be able to communicate securely using SSL. If this doesn't apply, the information exchange isn't protected. If you try to access a website that doesn't have this certificate, Google Chrome shows you a "not secure" warning with the following message: "your connection is not private."
The SSL protocol had the following versions:
- SSL 1.0 - the 1994 original version had several vulnerabilities and security flaws, and because of this, it wasn't presented to the public;
- SSL 2.0 - this later version was launched in 1995 and had improvements over its predecessor, but still had flaws; and
- SSL 3.0 - the 1996 version was improved with the reformulation of the protocol architecture, allowing updates and security reviews.
Despite all the changes, the last version of the SSL protocol still had vulnerabilities. It also lacked the capacity required to handle the massive increase in traffic and the growing demand for data security.
TLS (Transport Layer Security) is simply the successor version of SSL, but more secure and up-to-date. Its function is also to guarantee security – privacy, integrity, and data authenticity – during network communication.
The change in nomenclature from SSL to TLS was implemented to disassociate TLS protocol from Netscape, the creator of SSL. TLS has gone through the versions TLS 1.0 (1999), TLS 1.1 (2006), TLS 1.2 (2008), and TLS 1.3 (2018), which is the most recent version.
The TLS protocol operates between the application and transport layers and is itself made up of two layers: the Record Protocol and the Handshake Protocol.
TLS uses the Record Protocol to encapsulate messages from application protocols such as HTTP, FTP (File Transfer Protocol) and SMTP (Simple Mail Transfer Protocol), which is why it is widely used in browsers, e-mail, text messaging and voice over IP (VoIP). Basically, the Record Protocol performs the operations needed to secure the connection: it splits the data into records and encrypts and authenticates each one.
The Handshake Protocol acts in the negotiation of security parameters. It negotiates the algorithms that will be used in encryption and the cryptographic keys before the transmission or the reception of data by an application protocol. In addition, it allows authentication between client and server.
Difference Between SSL and TLS
The main difference between SSL and TLS concerns the handshake and how fast it completes in each protocol. The typical SSL handshake involves several round trips while authentication and key exchange take place, adding latency to connections.
In TLS, the handshake is faster, since each new version focuses on reducing latency. In its latest version, TLS 1.3, the handshake is completed in a single round trip. One of the things that makes this possible is the reduction in the number of cipher suites it supports, from four to two algorithms.
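To make the certificate fields listed above and the TLS handshake concrete, here is an added Go example (not from the original post). It builds a constructed self-signed certificate for the made-up names shop.example and www.shop.example, reads back the fields a browser checks (who it was issued to, the validity dates, the names it covers, the public key type), then runs a TLS 1.3-only server on loopback and connects a client twice: once trusting the certificate, which reports the negotiated protocol version and cipher suite, and once without trusting it, which fails with the same kind of verification error that lies behind a browser's "not private" warning.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewSelfSigned builds a constructed, self-signed server certificate for the
// given host names. A real site obtains its certificate from a CA instead.
func NewSelfSigned(hosts ...string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hosts[0], Organization: []string{"Example Shop (constructed)"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     hosts, // the domain and associated subdomains the certificate covers
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// Handshake runs a TLS 1.3-only server on loopback and connects a client to it.
// trust=true puts the server certificate in the client's root store (a CA the
// browser knows); trust=false is the untrusted case behind the browser warning.
// It returns the negotiated protocol version and cipher suite, or the error.
func Handshake(cert tls.Certificate, serverName string, trust bool) (uint16, string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS13,
	})
	if err != nil {
		return 0, "", err
	}
	defer ln.Close()
	go func() { // server side; any failure is reported to the client as an alert
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		_ = c.(*tls.Conn).Handshake()
	}()
	roots := x509.NewCertPool()
	if trust {
		roots.AddCert(cert.Leaf)
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:    roots,
		ServerName: serverName, // the name the client asked for, checked against DNSNames
	})
	if err != nil {
		return 0, "", err
	}
	defer conn.Close()
	st := conn.ConnectionState()
	return st.Version, tls.CipherSuiteName(st.CipherSuite), nil
}

func main() {
	cert, err := NewSelfSigned("shop.example", "www.shop.example")
	if err != nil {
		panic(err)
	}
	leaf := cert.Leaf // the certificate fields a browser inspects
	fmt.Println("issued to:", leaf.Subject.CommonName, leaf.Subject.Organization)
	fmt.Println("valid:", leaf.NotBefore, "to", leaf.NotAfter)
	fmt.Println("names:", leaf.DNSNames, "key:", leaf.PublicKeyAlgorithm)
	fmt.Println(Handshake(cert, "shop.example", true))
	fmt.Println(Handshake(cert, "shop.example", false))
}
```

The trusted connection reports version 0x0304, which is TLS 1.3; the untrusted one never gets past certificate verification, and neither does a connection whose ServerName is not among the certificate's DNSNames, which is the check that stops a certificate for one site being presented for another.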
Why Use HTTPS?
The main reasons for using the HTTPS protocol are:
- More security
The HTTPS protocol guarantees confidentiality, authenticity, and data integrity.
- More credibility
If you have a company, you should be extra careful about the security of your website, because it reflects the trust that customers place in your website and, therefore, in the credibility of your brand. Having an HTTPS domain shows customers that you are concerned about their security as well as your own.
- Better ranking on Google
Another very important reason for adopting HTTPS is that it's one of the factors that Google considers when ranking the website and displaying the results of a search.
How To Protect Your Website
The Internet offers us so many benefits, but being connected is also a risk, making us subject to many cybercrimes. Interception and data theft during the transmission of information is one of the worst things that can happen to us, since it can lead to substantial economic losses.
Even though we have to deal with this insecure scenario on a daily basis, it's possible to get prepared against cyberattacks and preserve the security of your website and of your customers. Azion's Edge Firewall, our security solution package with DDoS Protection, Network Layer Protection and Web Application Firewall, can provide this protection.
Azion's Web Application Firewall
Our Web Application Firewall (WAF) operates specifically on the information exchanged over HTTPS. One of the actions it takes is comparing every HTTP/HTTPS request against a highly customizable set of blocking rules. The request then receives a score based on a requirements-based scoring methodology, and depending on that score, it is either released or blocked directly by our edge servers before the threat can reach your web application.
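As an added illustration of score-based request filtering (constructed example code, not Azion's own rules or implementation), the Go program below parses raw HTTP requests as they look after TLS decryption, checks each against a small set of made-up weighted rules and blocks when the total reaches a threshold. A single low-weight signal, such as a missing User-Agent header, is released on its own, while several signals together are not. The rule patterns, point values, threshold and sample requests are all assumptions for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"net/url"
	"regexp"
	"strings"
)

// Rule is one detection: a pattern checked against one request field and the
// points it adds when it matches. These rules are constructed for the example
// and are not the rule set of any product.
type Rule struct {
	ID     string
	Field  string // "path", "query" or "ua"
	Re     *regexp.Regexp
	Points int
}

var rules = []Rule{
	{"path-traversal", "path", regexp.MustCompile(`(\.\./|%2e%2e)`), 5},
	{"sql-keywords", "query", regexp.MustCompile(`(?i)union\s+select`), 5},
	{"empty-user-agent", "ua", regexp.MustCompile(`^$`), 2},
}

// BlockThreshold is the score at which a request is blocked rather than released.
const BlockThreshold = 5

// Decision is the outcome for one request.
type Decision struct {
	Score   int
	Matched []string
	Blocked bool
}

// field returns the decoded value of the request field a rule inspects.
func field(r *http.Request, name string) string {
	switch name {
	case "path":
		return r.URL.Path
	case "query":
		q, err := url.QueryUnescape(r.URL.RawQuery)
		if err != nil {
			return r.URL.RawQuery // undecodable input is inspected as-is
		}
		return q
	case "ua":
		return r.UserAgent()
	}
	return ""
}

// Score runs every rule against the request, sums the points of those that
// match and blocks when the total reaches the threshold.
func Score(r *http.Request) Decision {
	var d Decision
	for _, rule := range rules {
		if rule.Re.MatchString(field(r, rule.Field)) {
			d.Score += rule.Points
			d.Matched = append(d.Matched, rule.ID)
		}
	}
	d.Blocked = d.Score >= BlockThreshold
	return d
}

// ScoreRaw parses one HTTP request (the plaintext after TLS decryption) and scores it.
func ScoreRaw(raw string) (Decision, error) {
	r, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return Decision{}, err
	}
	return Score(r), nil
}

func main() {
	// Constructed sample requests: one ordinary, two that trip rules.
	samples := []string{
		"GET /index.html HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
		"GET /files/../../config HTTP/1.1\r\nHost: shop.example\r\n\r\n",
		"GET /search?q=a%20union%20select%20b HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
	}
	for _, s := range samples {
		d, err := ScoreRaw(s)
		fmt.Printf("%+v %v\n", d, err)
	}
}
```

Scoring rather than blocking on the first match is what lets weak indicators be tolerated individually and still count when they appear together; tuning the weights and threshold against real traffic is where most of the work of running such a filter goes.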
Here at Azion, we believe that cybersecurity is a crucial element for a company's success. So, if you want to protect your company's website and your users with the most advanced cybersecurity, sign up for a free account or talk to our sales team.
HTTPS: A Revolution
Technological evolution, driven especially by smartphones and IoT, has moved into the virtual world many activities that until recently were done in person. One of these, and an increasingly popular one, is making online transactions such as purchases or bank transfers. That is exactly why cybersecurity is a critical issue for both ordinary users and business owners and requires our full attention, because a breach can literally lead to catastrophe.
Therefore, one of the greatest benefits of the HTTPS protocol is that it has enabled all these actions to be done more safely, increasing the trust that users and companies place in the Internet. This is probably one of the main triggers for the growth and popularization of the Internet and e-commerce.
More than being a synonym of network security and a technology milestone, HTTPS can also be considered an important piece of social relations gear since modern behavior – and practically everything in our life – unquestionably depends on this communication tool called the Internet.