HTTPS

Overview and Usage of HTTPS
– HTTPS is an extension of HTTP that uses encryption for secure communication over a network.
– It uses Transport Layer Security (TLS) or Secure Sockets Layer (SSL) for encryption.
– HTTPS ensures authentication of the accessed website and protects the privacy and integrity of data.
– It protects against man-in-the-middle attacks and encrypts communications between client and server.
– The authentication aspect of HTTPS requires trusted third parties to sign server-side digital certificates.
– As of April 2018, 33.2% of Alexa top 1,000,000 websites use HTTPS as default.
– 70% of page loads, measured by Firefox Telemetry, use HTTPS.
– As of December 2022, 58.4% of the Internet’s most popular websites have a secure implementation of HTTPS.
– Adoption of TLS 1.3 has been slow, with many websites still using the older TLS 1.2 protocol.

Browser Integration and Protection over Insecure Networks
– Browsers display warnings for invalid certificates and present dialog boxes or window-wide warnings.
– Security information is prominently displayed in the address bar.
– Extended validation certificates show the legal entity on the certificate.
– Browsers warn users when visiting sites with a mixture of encrypted and unencrypted content.
– Web filters return security warnings for prohibited websites.
– Public Wi-Fi access points pose risks of eavesdropping and man-in-the-middle attacks.
– Some WLAN networks tamper with webpages and inject malware.
– HTTPS is important for connections over the Tor network to prevent tampering and malware injection.
– Metadata about visited pages can reveal sensitive information when aggregated.
– HTTPS allows the use of newer HTTP versions (HTTP/2, HTTP/3) for improved performance.

Trust and Security Considerations
– Users should trust their device, browser software, and certificate authorities for secure HTTPS connections.
– Valid certificates signed by trusted authorities are essential.
– HTTPS, especially when combined with HTTP Strict Transport Security (HSTS), protects against man-in-the-middle attacks.
– HTTPS security is crucial regardless of the type of Internet connection.
– HTTPS is recommended to protect user privacy and reduce page load times.
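The following Python is an added illustration of the trust points above and is not code from the Wikipedia article: a client TLS context that skips verification (the weak setting) beside one that requires a certificate chaining to a trusted authority and matching the hostname, and a small in-memory HSTS store that parses the Strict-Transport-Security header and upgrades http:// URLs the way a browser does. The names HstsCache, parse_hsts, context_summary and the sample header values are constructed for this example.

```python
import ssl
from urllib.parse import urlsplit, urlunsplit

# --- Client-side trust: the weak context beside the corrected one (constructed example) ---

def insecure_client_context() -> ssl.SSLContext:
    """The 'before': accepts any certificate and any hostname. Scripts that disable
    verification to silence errors end up here, and a man-in-the-middle with a
    self-issued certificate is then indistinguishable from the real server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_client_context() -> ssl.SSLContext:
    """The 'after': chain must validate against the system trust store, the name in the
    certificate must match the host, and nothing older than TLS 1.2 is negotiated."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname and the system CA bundle
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def context_summary(ctx: ssl.SSLContext) -> dict:
    """Plain-value view of the settings that matter, for review or tests."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "min_tls": ctx.minimum_version.name,
    }

# --- HSTS: parse the header and apply the policy a browser would remember ---

def parse_hsts(header: str):
    """Parse a Strict-Transport-Security header value.
    Returns None when max-age is missing or malformed, i.e. the policy is rejected."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

class HstsCache:
    """Minimal stand-in for the browser's list of known HSTS hosts (constructed)."""

    def __init__(self):
        self.hosts = {}

    def remember(self, host: str, header: str) -> None:
        policy = parse_hsts(header)
        if policy is None:
            return                                  # unparsable header: keep existing state
        if policy["max_age"] == 0:
            self.hosts.pop(host.lower(), None)      # max-age=0 tells the client to forget the host
        else:
            self.hosts[host.lower()] = policy

    def is_known(self, host: str) -> bool:
        host = host.lower()
        if host in self.hosts:
            return True
        labels = host.split(".")                    # a parent with includeSubDomains covers us
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            if parent in self.hosts and self.hosts[parent]["include_subdomains"]:
                return True
        return False

    def upgrade(self, url: str) -> str:
        """Rewrite http:// to https:// for hosts with a remembered policy, so the
        plaintext request that a man-in-the-middle could tamper with is never sent."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            netloc = parts.hostname if parts.port == 80 else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url
```

The first visit still has to reach the site over HTTPS once to learn the header; the preload directive exists because browsers ship a built-in list that closes that gap.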

Difference from HTTP and Network Layers
– HTTPS URLs use port 443, while HTTP URLs use port 80.
– HTTP is not encrypted, making it vulnerable to attacks.
– HTTPS is considered secure against these attacks, with the exception of implementations that still use deprecated versions of SSL.
– HTTPS refers to using ordinary HTTP over an encrypted SSL/TLS connection.
– HTTPS is designed to protect against man-in-the-middle and eavesdropping attacks.
– HTTPS operates at the application layer, while TLS operates as a lower sublayer.
– TLS encrypts HTTP messages before transmission and decrypts upon arrival.
– HTTPS encrypts all message contents, including headers and data.
– An eavesdropper can only learn that a connection is taking place between the two parties, along with their domain names and IP addresses.
– HTTPS provides security against most attacks, except for a possible cryptographic attack.

Server Setup and Challenges/Limitations
– Web servers need a public key certificate signed by a trusted authority.
– Commercial certificate authorities offer paid SSL/TLS certificates.
– Let’s Encrypt provides free and automated SSL/TLS certificates.
– Let’s Encrypt makes switching from HTTP to HTTPS easy.
– Many web hosts and cloud providers offer Let’s Encrypt certificates for free.
– Public Wi-Fi hotspots often have problems loading HTTPS resources, causing access issues.
– Some websites guarantee accessibility by HTTP, avoiding HTTPS limitations.
– HTTPS can cause difficulties in properly ending the connection on the client-side.
– Manual analysis is required to assess the vulnerability of HTTPS to traffic analysis.
– HTTPS adoption has been slow, with TLS 1.3 facing resistance from bad actors.

Sources: https://en.wikipedia.org/wiki/HTTPS