What is HTTPS?
The SSL/TLS protocol is used for authentication
and encryption in the secure HTTPS (Hypertext Transfer Protocol Secure) version
of the HTTP protocol. RFC 2818 (May 2000) specifies HTTPS, which by default
utilizes port 443 rather than port 80 on HTTP.
Users of websites may safely send sensitive data over the internet, including credit card details, bank account information, and login passwords, thanks to the HTTPS protocol. Because of this, HTTPS is particularly crucial for protecting online activities like banking, shopping, and distant work. Regardless of whether a website exchanges sensitive data with users or not, HTTPS is fast taking the place of other protocols as the industry standard.
How is HTTPS
Work
HTTPS protects messages using an encryption
protocol. Originally known as Secure Sockets Layer (SSL), the protocol is now
known as Transport Layer Security (TLS). This protocol uses an asymmetric
public key infrastructure to secure communications. This kind of security
mechanism encrypts communications between two parties using two separate keys:
1)
The private key is kept secret and is within the authority of the website
owner, as the reader may have surmised. This key is used to decode data that
has been encrypted using the public key and is kept on a web server.
2) The public key is accessible to all users that wish to communicate securely with the server. Data that has been encrypted by public key can only be decrypted by the private key.
Why is HTTPS
important? What happens if a website doesn't have HTTPS?
HTTPS prevents websites from sending their
information in a way that is easily visible to anyone fishing the web. When
data is sent via standard HTTP, the data is split into data packets that can be
easily "sniffed" by free software. This makes communication on an
unsecured medium, such as a public Wi-Fi network, highly vulnerable to
interception. In fact, all HTTP communication is in plain text, making it
highly accessible to anyone with the right tools and vulnerable to attack.
HTTPS encrypts traffic so that even if packets
are sniffed or otherwise hijacked, they are intercepted by bad actors . Let's
see an example:
Before encryption:
This is a text string that is fully readable.
After encryption:
ITM0IRyiEhVpa6VnKyExMiEgNveroyWBPlgGyfkflYjDaaFf/Kn3bo3OfghBPDWo6AfSHlNtL8N7ITEwIXc1gU5X73xMsJormzzXlwOyrCs+9XCPk63Y+z0=
In websites without HTTPS, it is possible for
Internet service providers (ISPs) or other intermediaries to inject content
into webpages without the approval of the website owner.. This usually takes
the form of advertising, where a revenue-generating ISP inserts a paid
advertisement on its customers' websites. Not surprisingly, when this happens,
the profits from the ads and the quality control of those ads are not shared with
the site owner. HTTPS removes the ability of unverified third parties to insert
advertisements into web content.
For a
complete list of HTTPS benefits, see Why use HTTPS?
What port does HTTPS use?
HTTPS uses port 443. This distinguishes HTTPS
from HTTP, which uses port 80.
(In networks, a port is a virtual software-based point where network connections begin and end. All computers connected to a network have multiple ports to receive traffic. Each port is associated with a specific process or service, and different protocols use different ports.)
How else is HTTPS different from HTTP?
Technically, HTTPS is not a separate protocol from HTTP. It simply uses
TLS/SSL encryption via the HTTP protocol. HTTPS is based on the transmission of
TLS/SSL certificates that confirm that a particular service provider is who
they say they are.
When a user connects to a website, the website sends its SSL certificate, which contains the required public key . to start a secure session. The two computers, client and server, then go through a process called the SSL/TLS handshake, a round-trip communication used to establish a secure connection. To learn more about encryption and the SSL/TLS handshake, see What happens in the TLS handshake.
How does a site start using HTTPS?
Many web hosting providers and other services offer TLS/SSL certificates for a fee. These certificates are often shared between multiple clients. More expensive certificates are available that can be registered separately for specific network assets.
Every website using Cloudflare gets free HTTPS with a shared certificate (the technical term for this is a multi-domain SSL certificate). Creating a free account ensures that your online assets receive constantly updated HTTPS protection. You can also check out our paid plans for individual certifications and other features. Either way, web assets get all the benefits of using HTTPS.