HTTPS

HTTPS (Hypertext Transfer Protocol Secure), the secure update of HTTP, uses an authentication process to encrypt the connection between web browsers (or clients) and servers. This process overlays Transport Layer Security (TLS), or what used to be SSL, onto HTTP.

How does HTTPS work?

TLS uses symmetric cryptography to transfer data between a browser and a website. This involves a handshake process that verifies the server’s digital certificate, which provides evidence it can provide a reliable public key. A certificate authority verifies that the server is trustworthy by signing their digital certificate. Once the server has been authenticated, it generates a random session key that encrypts the data transfer between server and browser for the duration of the connection, or session.

HTTPS can also include mutual authentication, where the client or user is required to verify their identity as well. This is important when accessing business accounts or files that should only be viewed by specific users. HTTPS has become so important that some browsers, notably Google Chrome, notify users directly if a browser only uses HTTP. Even so, not all websites (even ones that would benefit from extra security) have adopted HTTPS. The protocol is gaining popularity, even among websites that don’t process transactions or sensitive information.

What is forward secrecy?

Forward secrecy is a feature of HTTPS that further increases security. In the past, an encryption key would be used for multiple browser sessions. If a hacker finally managed to crack the encryption key, which though difficult is possible, they’d have access to all of the web sessions or transactions that used that key. But forward secrecy ensures that every session has its own key. Perfect forward secrecy generates a new encryption key for every new online transaction, even if that’s only a page refresh or a new message within an app.

Jenna Phipps
Jenna Phipps
Jenna Phipps is a writer for Webopedia.com, Enterprise Storage Forum, and CIO Insight. She covers data storage systems and data management, information technology security, and enterprise software solutions.

Related Articles

RSA SecurID

RSA SecurID is multi-factor authentication (MFA) technology used to protect network resources, such as applications and websites. Its purpose is to mitigate risk and...

IoT Security

IoT (Internet of Things) security helps enterprises protect their networks from threats exacerbated by internet-connected devices, which often aren't designed with advanced security features...

Identity and Access Management (IAM)

Identity and access management (IAM), also known as identity management (IdM), is a combined term used to create and manage digital and electronic user...

FTP

The File Transfer Protocol (FTP) is a communication protocol providing for the transfer of files between remote devices and a server across a local...

Agile Project Management

Agile project management enables business teams to approach their projects and tasks with...

Private 5G Network

A private 5G network is a private local area network (LAN) that utilizes...

Rich Communication Services (RCS)

Rich communication services (RCS) is a mobile messaging approach in which session initiation...