HTTP/S or HTTPS is simply HTTP over SSL. What is important to remember about HTTP/S is that it isn't a new type of protocol, but is two protocols: HTTP and SSL. Because of this, the same individual components of each protocol apply. As we saw previously with SSL, the data transmitted is encrypted between the client and the server.
HTTP/S is the protocol responsible for encryption of traffic from a client browser to a Web server. HTTP/S uses port 443 instead of HTTP port 80. When a URL begins with "https://," you know you are using HTTP/S. Both HTTP/S and SSL use a X.509 digital certificate for authentication purposes from the client to the server.
HTTP/S is often used for secure transmissions over the Internet, such as during online transactions where banking or credit card information is exchanged between a client and server. Because the data is encrypted, it provides protection from eavesdroppers or MITM attacks, which could result in unwanted parties accessing the data. It may also be used on intranets, where secure transmission across an internal network is vital.
As mentioned,TLS is the successor to SSL, and is a newer version that has minor differences to its predecessor. Like SSL, it provides authentication between clients and servers that require privacy and security during communications.The clients and servers that use SSL are able to authenticate to one another, and then encrypt\decrypt the data that's passed between them.This ensures that any data isn't subject to eavesdropping, tampered with, or forged during transmission between the two parties.
As you might expect, it is often used in situations where sensitive data is being sent between clients and servers. A common example would be online purchases, where credit card numbers and other personal information (such as the person's name, address, and other shipping information) are sent to an e-commerce site. TLS and SSL is enabled in IE through the Advanced tab of Internet Options (which is accessed by clicking Start | Settings | Control Panel | Internet Options). By scrolling to the Security section in the Settings pane, you will see checkboxes for enabling SSL 2.0, SSL 3.0 and TLS 1.0). If they are checked, they are enabled, but if they aren't checked, they are disabled. Because SSL 3.0 and TLS 1.0 have succeeded SSL 2.0, you will generally find that this older version is disabled.
It is important not to confuse HTTP/S with Secure HTTP (S-HTTP). Although they sound alike, they are two separate protocols, used for different purposes. S-HTTP is not widely used, but it was developed by Enterprise Integration Technologies (ETI) to provide security for Web-based applications. S-HTTP is an extension to the HTTP protocol. It is a secure message-oriented communications protocol that can transmit individual messages securely (whereas SSL establishes a secure connection over which any amount of data can be sent). S-HTTP provides transaction confidentiality, authentication, and message integrity, and extends HTTP to include tags for encrypted and secure transactions. S-HTTP is implemented in some commercial Web servers and most browsers.An S-HTTP server negotiates with the client for the type of encryption that will be used, several types of which exist.
Unlike SSL, S-HTTP does not require clients to have public key certificates, because it can use symmetric keys to provide private transactions.The symmetric keys are provided in advance using out-of-band communication.
In this tutorial:
- Web Based Services Security
- Web Security
- Managing Access Control
- Handling Directory and Data Structures
- Eliminating Scripting Vulnerabilities
- Logging Activity
- Finding Rogue Web Servers
- Stopping Browser Exploits
- Web Spoofing
- Web Server Exploits
- SSL and HTTP/S
- Instant Messaging
- Text Messaging and Short Message Service (SMS)
- Web-based Vulnerabilities
- Dangers Associated with Using ActiveX
- Protection at the Network Level
- Programming Secure Scripts
- Understanding Code Signing
- Buffer Overflows
- Making Browsers and E-mail Clients More Secure
- Securing Web Browser Software
- Resulting from Weak CGI Scripts
- FTP Security
- Secure Copy
- FTP Sharing and Vulnerabilities
- Directory Services and LDAP Security
- Securing LDAP