Https Wiki resources & Https information at HealthHaven.com
advertise
toolbar
services
publishers
database
membership
Dr. Paul
Search  for    ?
web dir image video media news gallery wiki shop 
about
HealthBot
stats
live show
health store
shirts
JOIN/LOGIN
Https:
HTTP
Persistence · Compression · SSL
Headers
ETag · Cookie · Referer
Status codes
200 OK
301 Moved permanently
302 Found
303 See Other
403 Forbidden
404 Not Found
This box: view  talk  edit

Hypertext Transfer Protocol over Secure Socket Layer or https is a URI scheme used to indicate aitive communication such as payment transactions and corporate information systems.

Contents

[edit] How it works

For more details on this topic, see Transport Layer Security#How it works.

Strictly speaking, https is not a separate protocol, but refers to the combination of a normal HTTP interaction over an encrypted Secure Sockets Layer (SSL) or Transport Layer Security (TLS) connection. This ensures reasonable protection from eavesdroppers but is weak with man-in-the-middle attacks.

An https: URL may specify a TCP port; if it does not, the connection uses port 443 (unsecured HTTP typically uses port 80).

To prepare a web-server for accepting https connections the administrator must create a public key certificate for the web-server. These certificates can be created for Unix based servers with tools such as OpenSSL's ssl-ca [1] or SuSE's gensslcert. This certificate must be signed by a certificate authority of one form or another, which certifies that the certificate holder is indeed the entity it claims to be. Web browsers are generally distributed with the signing certificates of major certificate authorities, so that they can verify certificates signed by them.

Organizations may also run their own certificate authority, particularly if they are responsible for setting up browsers to access their own sites (for example, sites on a company intranet), as they can trivially add their own signing certificate to those shipped with the browser.

Some sites, especially those operated by hobbyists, use self-signed certificates on public sites. Using these provides protection against simple eavesdropping, but unlike a well-known certificate, preventing a man-in-the-middle attack with a self-signed certificate requires the site to make available some other secure method of verifying the certificate.

The system can also be used for client authentication, in order to restrict access to a Web server to only authorized users. For this, typically the site administrator creates certificates for each user which are loaded into their browser. These normally contain the name and e-mail address of the authorized user, and are automatically checked by the server on each reconnect to verify the user's identity, potentially without ever entering a password.

[edit] Limitations

The level of protection depends on the correctness of the implementation by the web browser and the server software and the actual cryptographic algorithms supported.

https only protects data in transit from eavesdropping and not man-in-the-middle attacks. Once data arrives at its destination, it is only as safe as the computer it is on. Gene Spafford states that it is like "using an armored truck to transport rolls of pennies between someone on a park bench and someone doing business from a cardboard box."[2]

Also, https is insecure when applied on publicly available static content. The entire site can be indexed using a web crawler and the URI of the encrypted resource can be inferred by knowing only the intercepted request/response size.[3] This allows an attacker to have access to the plaintext (the publicly available static content), and the encrypted text (the encrypted version of the static content).

Because SSL operates below http and has no knowledge of higher level protocols, SSL servers can only strictly present one certificate for a particular IP/port combination.[4] This means that in most cases it is not feasible to use name-based virtual hosting with https. RFC-3546 TLS Extensions describes a solution called Server Name Indication (SNI), although many older browsers don't support this extension. Support for SNI is available since Firefox 2.0, Opera 8, Mozilla 1.8, and Internet Explorer 7 on Windows Vista.[5][6]

With the newer Internet Explorer 7, Microsoft has increased the warnings sent when certificates are not registered: whereas previously only a "security advice" pop up appeared, which differentiated between name, source and run time of the certificate, now a warning is displayed across the entire window, which suggests not to use the web site. Therefore, a certificate which is not registered in the browser is not useable for mass applications. Certificates which are registered in the root chains cost between US$14.99 and $1,200 per year.

[edit] See also

[edit] References

  1. ^ OpenSSL: Contribution, Misc
  2. ^ Gene Spafford's Personal Pages: Quotable Spaf
  3. ^ Pusep, Stanislaw (07-31-2008). "The Pirate Bay un-SSL" (in en). Retrieved on 2008-08-13.
  4. ^ Apache FAQ: Why can't I use SSL with name-based/non-IP-based virtual hosts?
  5. ^ Server Name Indication (SNI)
  6. ^ Mozilla 1.8

[edit] External links

v  d  e
URI scheme
Official
aaa: · aaas: · acap: · cap: · cid: · crid: · data: · dav: · dict: · dns: · fax: · file: · ftp: · go: · gopher: · h323: · http: · https: · im: · imap: · ldap: · mailto: · mid: · news: · nfs: · nntp: · pop: · pres: · rtsp: · sip: · sips: · snmp: · tel: · telnet: · urn: · wais: · xmpp:
Unofficial
about: · aim: · bolo: · bzr: · callto: · cvs: · daap: · ed2k: · feed: · fish: · git: · gizmoproject: · iax2: · irc: · ircs: · lastfm: · ldaps: · magnet: · mms: · msnim: · nsfw: · psyc: · rsync: · secondlife: · skype: · ssh: · svn: · sftp: · smb: · sms: · soldat: · steam: · unreal: · ut2004: · webcal: · xfire: · ymsgr:
Retrieved from "http://en.wikipedia.org/wiki/Https"


Search  for    ?
web dir image video media news gallery wiki shop 


↑ top of page ↑