HTTPS (Hypertext Transfer Protocol Secure) is a secure version of the HTTP protocol that uses the SSL/TLS protocol for encryption and authentication. HTTPS is specified by RFC 2818 (May 2000) and uses port
443 by default instead of HTTP’s port
An HTTPS URL begins with
https:// instead of
http://. Modern web browsers also indicate that a user is visiting a secure HTTPS website by displaying a closed padlock symbol to the left of the URL:
Because HTTP was originally designed as a clear text protocol, it is vulnerable to eavesdropping and man in the middle attacks. HTTPS mitigates these vulnerabilities by piggybacking the HTTP protocol on top of SSL/TLS, so that all messages are encrypted in both directions between two networked computers (e.g. a client and web server). Although an eavesdropper can still potentially access IP addresses, port numbers, domain names, the amount of information exchanged, and the duration of a session, all of the actual data exchanged are securely encrypted by SSL/TLS, including:
- Request URL (which web page was requested by the client)
- Website content
- Query parameters
Because of this, it is safe to use HTTPS for transmitting confidential information such as credit card numbers, banking information, and social security numbers over insecure networks such as the Internet.
SSL/TLS uses digital documents known as X.509 certificates to bind cryptographic key pairs to the identities of entities such as websites, individuals, and companies. Each key pair includes a private key, which is kept secure, and a public key, which can be widely distributed. Anyone with the public key can use it to:
- Send a message that only the possessor of the private key can decrypt.
- Confirm that a message has been digitally signed by its corresponding private key.
If the certificate presented by an HTTPS website has been signed by a publicly trusted certificate authority (CA), such as SSL.com, users can be assured that the identity of the website has been validated by a trusted and rigorously-audited third party.
How Can I Get HTTPS for My Website?
We can help you with that! To protect a public-facing website with HTTPS, it is necessary to install an SSL/TLS certificate signed by a publicly trusted CA on the web server. Please visit this page for an overview of the certificates available from SSL.com.