
What Is HTTPS and How Does It Work?

Updated: Jul 2, 2024



Date: THURSDAY, 20th June 2024 

Time: 5:30 PM to 6:00 PM

Topic 3:  HTTPS

Software: FileZilla, WinSCP, Websites


HTTPS (Hypertext Transfer Protocol Secure) is an encrypted version of the HTTP protocol that secures communication and data transfer between a web browser and a website server. It provides three main security features:


1. Encryption: HTTPS encrypts the data transmitted between the browser and server using SSL/TLS (Secure Sockets Layer/Transport Layer Security) encryption protocols. This prevents eavesdroppers from intercepting and reading the data, protecting sensitive information like login credentials, payment details, and browsing activity.


2. Authentication: HTTPS authenticates the website's identity through the use of SSL/TLS digital certificates issued by trusted Certificate Authorities (CAs). These certificates verify that the website is legitimate and prevent man-in-the-middle attacks.


3. Data Integrity: HTTPS ensures data integrity by preventing data from being modified or corrupted during transfer, as the encrypted data can only be decrypted by the intended recipient with the correct private key.


How HTTPS Works


The HTTPS protocol works through the following steps:


1. The browser attempts to connect to a website using HTTPS (typically on port 443).

2. The website's server responds by sending its SSL/TLS certificate containing its public key.

3. The browser verifies the certificate's validity by checking if it was issued by a trusted CA and if it matches the website's domain.

4. The browser and server perform an SSL/TLS "handshake" to establish an encrypted connection and exchange encryption keys.

5. The browser and server exchange data that is encrypted using the shared session key, which can only be decrypted with their respective private keys.

6. The server decrypts the request, processes it, and sends back the encrypted response.

7. The browser decrypts and displays the website content.


Regarding which servers provide HTTPS service, many web hosting providers and services offer SSL/TLS certificates for a fee to enable HTTPS on websites. Some providers like Cloudflare even offer free HTTPS for all websites using their service. Website owners can also purchase SSL/TLS certificates from trusted Certificate Authorities like DigiCert, GoDaddy, or Comodo to secure their websites with HTTPS.


Configuring HTTPS on Web Servers


To configure HTTPS on a web server, you need to obtain a digital certificate and install it on the server. Here are the general steps for Windows and Linux web servers:


Windows Web Server (IIS)


1. Obtain an SSL/TLS certificate from a trusted Certificate Authority (CA) or create a self-signed certificate for testing purposes.

2. Install the certificate in the "Server Certificates" store on the Windows server.

3. Configure the IIS website to use HTTPS by binding the certificate to the website.

4. Ensure that the website is accessible via HTTPS (e.g., https://www.example.com).


Linux Web Server (Apache or Nginx)


1. Obtain an SSL/TLS certificate from a trusted Certificate Authority (CA) or create a self-signed certificate for testing purposes.

2. Install the certificate and private key files on the Linux server.

3. Configure the web server (Apache or Nginx) to use HTTPS by specifying the certificate and private key file locations in the server configuration file.

4. Ensure that the website is accessible via HTTPS (e.g., https://www.example.com).


Security Certificates and Purchasing


A security certificate, also known as an SSL/TLS certificate, is a digital file that binds a cryptographic key to an organization's details, such as domain name, company name, and location. These certificates are issued by trusted Certificate Authorities (CAs) after verifying the organization's identity.


To purchase a security certificate for an HTTPS website, you can follow these steps:


1. Choose a reputable Certificate Authority (CA) like DigiCert, Comodo, GoDaddy, or Let's Encrypt (for free certificates).

2. Determine the type of certificate you need (e.g., Domain Validation, Organization Validation, or Extended Validation) based on your website's requirements and the level of identity verification needed.

3. Generate a Certificate Signing Request (CSR) on your web server, which contains information about your organization and the domain(s) for which you want the certificate.

4. Submit the CSR and any required documentation (e.g., business registration documents) to the CA.

5. Pay the certificate fee, if applicable (prices vary based on the CA, certificate type, and validity period).

6. Once the CA verifies your information and issues the certificate, install it on your web server following the instructions provided by the CA.


It's important to note that security certificates have an expiration date, typically ranging from one to three years, after which you'll need to renew the certificate to maintain HTTPS functionality on your website.
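The certificate check in step 3 of "How HTTPS Works" and the expiry note above can be exercised with Python's standard ssl module. This is an added example, not code from the original page; the function names (fetch_verified_cert, hostname_matches, days_until_expiry, assess), the 30-day warning window and SAMPLE_CERT are assumptions made for illustration, and SAMPLE_CERT is a constructed dictionary, not a real certificate.

```python
import socket
import ssl
import time

def fetch_verified_cert(host, port=443, timeout=5.0):
    """Connect, let the ssl module validate chain and hostname, return cert details."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # wrap_socket raises ssl.SSLCertVerificationError on an untrusted or mismatched cert
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version(), tls.cipher()[0]

def hostname_matches(cert, hostname):
    """Compare against DNS subjectAltName entries; '*' covers exactly one left-most label."""
    host = hostname.lower().rstrip(".")
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    parent = host.split(".", 1)[1] if "." in host else None
    return any(n == host or (n.startswith("*.") and n[2:] == parent) for n in names)

def days_until_expiry(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)

def assess(cert, hostname, now=None, warn_days=30):
    """Return NAME_MISMATCH, EXPIRED, RENEW_SOON or OK for one certificate."""
    if not hostname_matches(cert, hostname):
        return "NAME_MISMATCH"
    days = days_until_expiry(cert, now)
    if days < 0:
        return "EXPIRED"
    return "RENEW_SOON" if days <= warn_days else "OK"

# Constructed sample in the dict shape getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.shop.example.com")),
    "notAfter": "Jun 20 00:00:00 2025 GMT",
}

if __name__ == "__main__":
    at = ssl.cert_time_to_seconds  # fixed clock values so the output is reproducible
    for host, when in [("www.example.com", "Jan 10 00:00:00 2025 GMT"),
                       ("a.shop.example.com", "Jun 10 00:00:00 2025 GMT"),
                       ("other.example.net", "Jan 10 00:00:00 2025 GMT")]:
        print(host, assess(SAMPLE_CERT, host, now=at(when)))
```

For a live site, pass the dictionary returned by fetch_verified_cert(host) to assess(); a certificate that fails chain or hostname validation never reaches that point because the handshake raises first.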
