HTTPS (Hypertext Transfer Protocol Secure), the secure update of HTTP, uses an authentication process to encrypt the connection between web browsers (or clients) and servers. This process overlays Transport Layer Security (TLS), or what used to be SSL, onto HTTP.
How does HTTPS work?
TLS uses symmetric cryptography to transfer data between a browser and a website. This involves a handshake process that verifies the server’s digital certificate, which provides evidence it can provide a reliable public key. A certificate authority verifies that the server is trustworthy by signing their digital certificate. Once the server has been authenticated, it generates a random session key that encrypts the data transfer between server and browser for the duration of the connection, or session.
HTTPS can also include mutual authentication, where the client or user is required to verify their identity as well. This is important when accessing business accounts or files that should only be viewed by specific users. HTTPS has become so important that some browsers, notably Google Chrome, notify users directly if a browser only uses HTTP. Even so, not all websites (even ones that would benefit from extra security) have adopted HTTPS. The protocol is gaining popularity, even among websites that don’t process transactions or sensitive information.
What is forward secrecy?
Forward secrecy is a feature of HTTPS that further increases security. In the past, an encryption key would be used for multiple browser sessions. If a hacker finally managed to crack the encryption key, which though difficult is possible, they’d have access to all of the web sessions or transactions that used that key. But forward secrecy ensures that every session has its own key. Perfect forward secrecy generates a new encryption key for every new online transaction, even if that’s only a page refresh or a new message within an app.