What is HTTPS?

HTTPS (Hypertext Transfer Protocol Secure) is a secure version of the HTTP protocol that uses the SSL/TLS protocol for encryption and authentication. HTTPS is specified by RFC 2818 (May 2000) and uses port 443 by default instead of HTTP’s port 80.

An HTTPS URL begins with https:// instead of http://. Modern web browsers also indicate that a user is visiting a secure HTTPS website by displaying a padlock symbol to the left of the URL.

Encryption

Because HTTP was originally designed as a cleartext protocol, it is vulnerable to eavesdropping and man-in-the-middle attacks. HTTPS mitigates these vulnerabilities by layering the HTTP protocol on top of SSL/TLS, so that all messages are encrypted in both directions between two networked computers (e.g. a client and web server). Although an eavesdropper can still potentially access IP addresses, port numbers, domain names, the amount of information exchanged, and the duration of a session, all of the actual data exchanged is securely encrypted by SSL/TLS, including:

  • Request URL (which web page was requested by the client)
  • Website content
  • Query parameters
  • Headers
  • Cookies

Because of this, it is safe to use HTTPS for transmitting confidential information such as credit card numbers, banking information, and social security numbers over insecure networks such as the Internet.

Authentication

SSL/TLS uses digital documents known as X.509 certificates to bind cryptographic key pairs to the identities of entities such as websites, individuals, and companies. Each key pair includes a private key, which is kept secure, and a public key, which can be widely distributed. Anyone with the public key can use it to:

  • Send a message that only the possessor of the private key can decrypt.
  • Confirm that a message has been digitally signed by its corresponding private key.

If the certificate presented by an HTTPS website has been signed by a publicly trusted certificate authority (CA), such as SSL.com, users can be assured that the identity of the website has been validated by a trusted and rigorously audited third party.

SSL/TLS can be configured for either simple or mutual authentication. For this reason, HTTPS can be used to protect communication between an authenticated website and an anonymous browser, or between two mutually authenticated parties (for example, an employee accessing an internal company web application with a client certificate).
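
The simple and mutual authentication modes described above, shown with Python's standard ssl module as an added example (not code from SSL.com). The function names, SAMPLE_CERT and the .test hostnames are constructed for illustration; peer_identity needs network access, the other functions do not.

```python
import socket
import ssl

# Constructed sample in the format SSLSocket.getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("countryName", "XX"),), (("organizationName", "Example Test CA"),)),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
}

def client_context():
    """Simple authentication: the client verifies the server's chain and hostname."""
    return ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True

def mutual_auth_server_context():
    """Mutual authentication: the server also demands a client certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED
    # A real server also calls load_cert_chain() and load_verify_locations() with its own files.
    return ctx

def audit(ctx, expect_mutual=False):
    """List settings that leave the peer unauthenticated."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("client certificate not required" if expect_mutual
                        else "server certificate chain is not verified")
    if not expect_mutual and not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname")
    return findings

def _flatten(name):
    """Turn getpeercert()'s nested RDN tuples into a plain dict."""
    return {key: value for rdn in name for key, value in rdn}

def summarize_cert(cert):
    """Extract the identity that the certificate binds to the public key."""
    return {
        "subject": _flatten(cert.get("subject", ())).get("commonName"),
        "issuer": _flatten(cert.get("issuer", ())).get("organizationName"),
        "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
    }

def peer_identity(host, port=443):
    """Connect over TLS and return the identity from the validated certificate."""
    with socket.create_connection((host, port), timeout=10) as sock:
        with client_context().wrap_socket(sock, server_hostname=host) as tls:
            return summarize_cert(tls.getpeercert())
```

A client context with verification switched off still encrypts the connection, but audit() reports that the server is no longer authenticated.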

How Can I Get HTTPS for My Website?

We can help you with that! To protect a public-facing website with HTTPS, it is necessary to install an SSL/TLS certificate signed by a publicly trusted CA on the web server. Please visit this page for an overview of the certificates available from SSL.com.
