A guide to how HTTPS works, with points to consider from both the webmaster's and the user's perspective. When we talk about secure browsing on the Web, we generally mean the use of the HTTPS protocol (HyperText Transfer Protocol over Secure Socket Layer): the closed padlock at the start of the browser's address bar confirms that the site is using HTTPS.
HTTPS was once used only by banks and larger company sites, but since August 2014, when Google announced HTTPS as a (then soft) ranking factor, its adoption has become widespread. Today most web pages use HTTPS even when the site handles no personal or sensitive data.
HTTPS, How It Was Born And What It Is For
The idea of HTTPS dates back to 1994 and came from Netscape Communications. HTTPS can be considered an enhanced version of HTTP, the protocol historically used to exchange information on the Web between client and server. HTTP focuses on the mechanisms for exchanging hypertext (such as Web pages) but adds no security layer of its own: data travels in the clear, without any encryption.
It is therefore potentially interceptable, monitorable, modifiable and corruptible by third parties. HTTPS addresses the problem by letting the web browser exchange data with the remote server in encrypted form. Because the data between client and web server is encrypted, a malicious party cannot read or tamper with the transferred information: this is how so-called MITM (man-in-the-middle) attacks are avoided.
We have already explained how encryption works and why it is essential. The additional encryption layer that HTTPS uses to protect information flowing from client to server and back is provided by specific cryptographic protocols: SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security). Several versions of these protocols are now considered outdated and insecure because they have repeatedly proved vulnerable to attacks.
SSL as a whole is obsolete, even though the acronym is still colloquially used to refer to encrypting data exchanged between remote hosts. TLS 1.3 and TLS 1.2 are now the only protocols that should be used with HTTPS. Support for TLS 1.0 and 1.1 is mainly kept by websites that do not handle sensitive information, to extend page compatibility to older browsers (which do not support TLS 1.2 and 1.3). The SSL Server Test site lets you find out everything about a website's use of HTTPS.
HTTPS And The Digital Certificate
Together with HTTPS, a digital certificate is used whose main purpose is to certify the identity of the website visited. The certificate is issued by a certification authority that verifies the applicant's identity and possession or ownership of the domain name, then issues a document to be presented to connecting clients.
Depending on the checks the certification authority carries out before issuing the certificate, different kinds of certificate exist: DV (Domain Validated), OV (Organization Validated) and EV (Extended Validation). Issuance and renewal costs also vary with the type.
A DV certificate is fine for typical uses, and a service like Let's Encrypt provides one at no cost. In this case the certification authority only checks that the applicant has the right to manage the domain name. Web browsers once displayed a different graphic at the start of the address bar depending on the certificate type, to make it clearer which kind of certificate the HTTPS page was using.
Now, however, the closed gray padlock indicates a valid, unexpired digital certificate regardless of its type. The user can click the padlock and then Certificate (More information in Firefox) to obtain more details about the certificate in use.
How To Get A TLS Certificate To Use With HTTPS
To obtain a digital certificate for protecting data in transit with HTTPS on your website, you can contact a certification authority or your chosen provider. Some vendors let you receive a DV certificate for the site you administer instantly through a convenient web interface.
Those who use a dedicated server or a cloud service can turn to Certbot, the EFF (Electronic Frontier Foundation) tool that generates Let's Encrypt certificates for the sites configured on the web server. Certificate generation is generally handled from the command line, in a terminal window or command prompt.
By making the appropriate selections under My HTTP website is running on the Certbot site, you get the instructions for generating the certificate that activates HTTPS and for carrying out its periodic renewal. Let's Encrypt certificates expire quarterly but can be renewed automatically by creating a scheduled task with cron on Linux or, with a little more work, with Task Scheduler on Windows Server.
We also covered this in the article on how to get a free digital certificate for HTTPS. Various methods can be used to check the expiration dates of the certificates on your websites, including a script that extracts the expiration dates for all the domain names you administer. Website owners can refer to the article on the importance of switching from HTTP to HTTPS for some practical tips.
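An expiry-checking script of the kind mentioned above, added here as a Python example (not the article's own script): it connects to each domain with full certificate verification, reports the negotiated TLS version and the days left before expiry, and flags certificates that are close to the renewal threshold. The sample dates are constructed; real hosts are passed on the command line.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample values in the format ssl.getpeercert() uses for 'notAfter'.
SAMPLE_NOT_AFTER = "Jun 30 23:59:59 2025 GMT"
SAMPLE_EXPIRED = "Jan 01 00:00:00 2025 GMT"
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def days_remaining(not_after, now=None):
    """Days until the certificate's notAfter timestamp; negative once expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def status(days, warn_days=30):
    """Classify against a renewal threshold (Let's Encrypt certificates last 90 days)."""
    if days < 0:
        return "EXPIRED"
    if days <= warn_days:
        return "RENEW SOON"
    return "OK"


def check_domain(host, port=443, timeout=5.0):
    """Connect with verification on and return (tls_version, days_remaining).
    Expired, untrusted, revoked-by-CRL-unaware or mismatched certificates raise ssl.SSLError."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse the obsolete TLS 1.0/1.1
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return tls.version(), days_remaining(cert["notAfter"])


if __name__ == "__main__":
    import sys
    # Usage: python check_certs.py example.com example.net ...
    for host in sys.argv[1:]:
        try:
            version, days = check_domain(host)
            print(f"{host:30} {version:8} {days:4d} days  {status(days)}")
        except (ssl.SSLError, OSError) as exc:
            print(f"{host:30} ERROR {exc}")
```

Run it from cron alongside Certbot's renewal job so a renewal that silently failed shows up as RENEW SOON well before the browser starts showing an expired-certificate error.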
HTTPS Errors On Websites: What They Depend On
Web pages that still use HTTP instead of HTTPS are flagged with the Not secure label that may appear at the start of the browser address bar, regardless of whether they handle personal data or use a login form. We have seen what to do in the case of an unsafe site in Chrome. The BadSSL test site shows the errors you may occasionally encounter when visiting HTTPS pages.
By clicking on expired, wrong.host, self-signed, untrusted-root and revoked, for example, you can check how your web browser behaves when you visit, respectively, an HTTPS page with an expired certificate, one whose certificate refers to another domain name, one that is self-signed (issued without going through a certification authority), one issued by an untrusted root entity, and one whose certificate has been revoked.
By clicking on tls-v1-0 and tls-v1-1 you can check what warning the browser shows when you try to visit an HTTPS page that only supports the insecure TLS 1.0 and 1.1 protocols. If you use an application on the local network that embeds a web server, the ERR_CERT_AUTHORITY_INVALID error very often appears because the digital certificate was self-generated.
This does not mean the data does not travel encrypted: it is protected and cannot be read or modified along its route. There is simply no proof of the identity of whoever set up the web server and made an application available over HTTPS. For applications that run locally, for example on an intranet or for testing purposes, the warning can be safely ignored and navigation continued.
Mixed Content And The Changing Attitude Of Web Browsers
Major browsers have long waged war on pages containing mixed content, a term that refers to HTTPS pages that load objects over HTTP (and therefore unencrypted). Mixed content makes the padlock disappear on HTTPS pages, because malicious content fetched over HTTP could alter the information in the HTTPS page, for example in order to intercept usernames and passwords.
Likewise, login forms that reference scripts over HTTP are immediately reported to the user. BadSSL also lets you check (search for mixed on the page) how your web browser handles mixed content. Browser behavior toward mixed content keeps changing and tends to become increasingly strict.
Chrome, for example, refuses to download any file over HTTP but does not inform the user in any way: the result is that sometimes you click a link that does not work because the file to download is fetched directly (or via redirection) from an HTTP URL.
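To find mixed content before a browser does, a webmaster can scan the page's HTML for sub-resources fetched over plain HTTP. This is an added Python example, not part of the article; the page URL and HTML are constructed, and the split into active content (scripts, stylesheets, frames, form targets, which can alter the page or leak the submitted data) and passive content (images and media) follows the distinction browsers make.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Constructed HTTPS page with several kinds of mixed content (not a real site).
SAMPLE_PAGE_URL = "https://shop.example/login"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="//cdn.example/app.js"></script>
<script src="http://cdn.example/tracker.js"></script>
</head><body>
<img src="http://img.example/logo.png">
<form action="http://shop.example/login"><input name="password"></form>
<a href="http://shop.example/help">help</a>
<iframe src="https://ads.example/frame"></iframe>
</body></html>
"""

# Attributes that make the browser load a sub-resource into the page (plain <a> links
# are navigation, not mixed content). Active content can run code or rewrite the page.
ACTIVE = {("script", "src"), ("link", "href"), ("iframe", "src"), ("form", "action"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        # Only stylesheet <link>s are fetched as sub-resources (canonical, alternate etc. are not).
        if tag == "link" and "stylesheet" not in (attr_map.get("rel") or "").lower():
            return
        for name, value in attrs:
            key = (tag, name)
            if value and (key in ACTIVE or key in PASSIVE):
                # Protocol-relative (//host/...) and relative URLs inherit https: from the page.
                absolute = urljoin(self.page_url, value)
                if urlsplit(absolute).scheme == "http":
                    severity = "active" if key in ACTIVE else "passive"
                    self.findings.append((severity, tag, absolute))

def scan(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

if __name__ == "__main__":
    for severity, tag, url in scan(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{severity:8} <{tag}> {url}")
```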