What is HTTPS?
Hypertext Transfer Protocol Secure (HTTPS) Definition
Hypertext Transfer Protocol Secure (HTTPS) refers to a more secure version of HTTP, or Hypertext Transfer Protocol. HTTP is the primary method by which data is sent between a web browser and the website the user is trying to reach. HTTP has no inherent security measures. HTTPS is different in that it uses encryption to make the data transfer safer.
This is important, especially because users often need to send sensitive data, such as login credentials for email or bank accounts. If you are using a web browser like Chrome, websites that use HTTPS have a padlock inside the Uniform Resource Locator (URL) bar. This tells the user the page is secured by HTTPS.
How Does HTTPS Work?
In examining HTTP vs. HTTPS, it is important to note that HTTPS makes use of an encryption protocol that takes the original communication and encrypts it. The protocol, transport layer security (TLS), makes communications secure by using asymmetric public key infrastructure, which is a combination of a public key and a private key.
The private key is managed by the website’s owner, and it is kept private. The private key resides on a web server, and its role is to decrypt data that has been encrypted using the public key. The public key can be obtained by anyone who wants to exchange data with the server in a secure way. Once information is encrypted by the public key, only the private key can be used to decrypt it.
When a user connects to a webpage, the page sends the user its secure sockets layer (SSL) certificate. This has the public key needed to begin a secure session. The client and the server, the two computers interacting with each other, undergo a process known as an SSL/TLS handshake. This consists of several communications that ensure a secure connection between the client and the server. TLS provides users with three key layers of protection.
Because HTTP was first designed to be a clear-text protocol, it is easy for a bad actor to eavesdrop on connections and execute man-in-the-middle (MITM) attacks, which involve a hacker tapping into a communication and either collecting information or changing it.
With SSL/TLS encryption, HTTPS can stop data from being intercepted by someone other than the client or server. Using the SSL/TLS handshake and the public key, the client and server agree on a secret key and then exchange data in an encrypted session.
A website’s SSL/TLS certificate has a public key, which the web browser uses to check that what the server sends was digitally signed with the matching private key. As long as the server’s certificate is signed by a trusted certificate authority, the browser will assume that the identification information in the certificate has been marked as “valid” by a third party.
When an HTTPS server sends a document to a browser, the document carries a digital signature the browser uses to tell whether it has been changed by a third party or corrupted in some other way. The server generates a cryptographic hash of the contents of the document and includes it along with the digital certificate. The browser recomputes the hash and verifies it against the signed value, which proves the document is authentic and unaltered.
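As an added example (not code from the original article), the following Python script shows the certificate check a browser-like client performs as described above: the chain is validated against trusted certificate authorities and the name in the certificate is matched against the host, beside the weakened configuration that accepts any certificate. describe_server needs network access and example.com is a placeholder host; the context helpers run offline.

```python
"""Client-side TLS certificate verification, as a browser performs it.

Added example, not code from the original article. verifying_context()
mirrors the browser behaviour described above (trusted-CA chain, hostname
match); unverified_context() is the weakened form that silences certificate
errors and would accept a man-in-the-middle. describe_server() needs network
access; the context helpers run offline.
"""
import socket
import ssl


def verifying_context():
    """Context that checks the chain against the system CA store and the hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy TLS 1.0/1.1
    return ctx


def unverified_context():
    """Weakened form: do not deploy. Any certificate, including a forged one, is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_verifying(ctx):
    """True only if the context both requires a trusted chain and matches the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def describe_server(host, port=443, timeout=5.0):
    """Complete a verified handshake; return (tls_version, cipher, subject_cn, issuer_cn).

    Raises ssl.SSLCertVerificationError if the chain or hostname does not check out,
    which is the programmatic equivalent of the browser's security warning.
    """
    ctx = verifying_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname sets SNI and is the name the certificate is matched against
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            subject = dict(pair[0] for pair in cert["subject"])
            issuer = dict(pair[0] for pair in cert["issuer"])
            return tls.version(), tls.cipher()[0], subject.get("commonName"), issuer.get("commonName")


if __name__ == "__main__":
    print(describe_server("example.com"))  # placeholder host; requires network access
```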
Differences Between HTTP and HTTPS
HTTPS is more secure than HTTP. When you use HTTP, you are putting your data at risk because it can be intercepted and read as plain text. With HTTPS, your data gets encrypted, making it useless to anyone who intercepts it.
See the example below to get an idea of how encryption is applied to text:
The following table illustrates the differences between HTTP and HTTPS:
| HTTP | HTTPS |
|---|---|
| URL begins with http:// | URL begins with https:// |
| Unsecured communications | Secure communications |
| Transfers data as hypertext | Transfers data as encrypted data |
| Uses port 80 | Uses port 443 |
| Does not require certificates | Requires SSL/TLS certificates |
| Does not have the lock icon | Has the lock icon |
How to Switch Your Website to HTTPS
Making the move from HTTP to HTTPS is about building trust with your users. When users try to access your site, their browser may flag your page as insecure. A user will naturally be less likely to trust their communications with your website and the content of your pages if they are told it is insecure.
To switch your site to HTTPS, do the following:
- Procure an SSL/TLS certificate. These can be purchased via your web hosting provider. There are several different types, and they range from less than $50 to over $100 per year.
- Install the certificate on your web hosting account. This can be done by your web host. They will install and then activate it to make sure it functions properly.
- Check to make sure that your internal links direct to HTTPS. This is important because you do not want to confuse your visitors. If some pages are compliant with HTTPS while others are not, they will appear differently in your users' browsers. Also, the algorithms that search engines use can level penalties against websites with a mix of HTTP and HTTPS pages. You can use a site crawl tool to check whether your internal links are pointing to HTTPS.
- Set up 301 redirects from HTTP to HTTPS. This alerts search engines that your site needs to be reindexed.
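As an added example (not from the original article), the following Python script implements the internal-link check from the third step: it scans a page's HTML for links and resources that still use http://, reports which are internal (fixable by rewriting) and which are external, and rewrites the internal ones to https://. The sample HTML and the host example.com are constructed for this example.

```python
"""Internal-link check for an HTTP-to-HTTPS migration.

Added example, not code from the original article. Scans a page's HTML for
href/src/action values that still use http:// and reports which ones are
internal (same host, fixable by rewriting) and which are external. The
sample HTML below is constructed for this example; example.com is a placeholder.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_ATTRS = {"href", "src", "action"}  # attributes that can load or submit over HTTP


class LinkCollector(HTMLParser):
    """Collects every URL-bearing attribute value in document order."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append(value)


def find_insecure_links(html, site_host):
    """Return [(url, is_internal)] for each absolute http:// URL in the HTML.

    Relative URLs ("/about") and protocol-relative URLs ("//cdn.example.com/x")
    inherit the page's scheme, so they are not flagged.
    """
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for url in collector.urls:
        parts = urlparse(url)
        if parts.scheme.lower() == "http":
            flagged.append((url, parts.hostname == site_host))
    return flagged


def rewrite_internal_links(html, site_host):
    """Rewrite internal http:// links to https:// so every page is consistently secure."""
    insecure = {url for url, internal in find_insecure_links(html, site_host) if internal}
    for url in insecure:
        html = html.replace(url, "https://" + url[len("http://"):])
    return html


# Constructed sample page for the placeholder site example.com.
SAMPLE_HTML = """<html><body>
<a href="http://example.com/login">Log in</a>
<a href="/about">About</a>
<img src="http://ads.example.net/banner.png">
<script src="//cdn.example.com/app.js"></script>
<form action="https://example.com/search"></form>
</body></html>"""

if __name__ == "__main__":
    for url, internal in find_insecure_links(SAMPLE_HTML, "example.com"):
        print("internal" if internal else "external", url)
```

External http:// resources such as the banner image above are not fixed by the rewrite; they must be served over HTTPS or removed, or browsers will still report mixed content.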
Strengthen Your Security Strategy and Grow Visibility of HTTPS Traffic
Even though HTTPS provides a level of security, the encrypted traffic needs the proper TLS decryption strategies to be safe from exposure. With the ever-expanding amount of HTTPS traffic, without a TLS decryption strategy, you may be rendered blind to encrypted HTTPS traffic. This leaves you exposed to data loss and malware campaigns. FortiGate is a next-generation firewall (NGFW) that provides security-focused networking to gain complete visibility into the threats, applications, and networks that matter to your organization.
To take advantage of deep HTTPS/SSL inspection, you can use the Fortinet Secure Web Gateway (SWG). It incorporates web filtering that can be set up according to your organization’s internet access policies. This way, when users browse on your network, they can only access sites secured with HTTPS. In addition, the Fortinet SWG filters out malware and other unwanted software if a user clicks on a malicious link or site. Even if a user is tricked into clicking in the wrong place, your network is protected from infiltration.
With the Fortinet SWG, you also do not have to compromise performance. You get a safer user experience without having traffic unduly slowed down in the process. With the combination of the Fortinet NGFW and SWG, your organization can have a fully integrated security solution.