HTTPS (HTTP over SSL or HTTP Secure)

HTTPS (HTTP over SSL or HTTP Secure) is the use of Secure Sockets Layer (SSL) or Transport Layer Security (TLS) as a sublayer under regular HTTP application layering. HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the Web server. The use of HTTPS protects against eavesdropping and man-in-the-middle attacks. HTTPS was developed by Netscape.

HTTPS and SSL support the use of X.509 digital certificates from the server so that, if necessary, a user can authenticate the sender. Unless a different port is specified, HTTPS uses port 443 instead of HTTP port 80 in its interactions with the lower layer, TCP/IP.

Suppose you visit a Web site to view its online catalog. When you're ready to order, you will be given a Web page order form with a Uniform Resource Locator (URL) that starts with https://. When you click "Send" to send the page back to the catalog retailer, your browser's HTTPS layer will encrypt it. The acknowledgement you receive from the server will also travel in encrypted form, arrive with an https:// URL, and be decrypted for you by your browser's HTTPS sublayer.
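The layering described above, written out as a minimal Python client (an added example, not part of the original article): TCP to port 443 unless the URL names another port, a TLS sublayer that requires a valid X.509 server certificate, and ordinary HTTP sent through it. The function names and the host shop.example are hypothetical.

```python
import socket
import ssl
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def endpoint(url):
    """Return (scheme, host, port, target); the port defaults by scheme."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("expected an http:// or https:// URL with a host")
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return parts.scheme, parts.hostname, port, target

def client_context():
    """TLS settings that make the server prove its identity with a certificate."""
    # create_default_context() loads the system trust roots and turns on
    # certificate verification (CERT_REQUIRED) and host name checking.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL and early TLS
    return ctx

def build_request(host, port, target):
    """Plain HTTP/1.1 request bytes; the TLS layer below encrypts them."""
    host_header = host if port == 443 else f"{host}:{port}"
    return (f"GET {target} HTTP/1.1\r\nHost: {host_header}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")

def fetch(url, timeout=10):
    """Fetch url over HTTPS; return (TLS version, certificate subject, raw response)."""
    scheme, host, port, target = endpoint(url)
    if scheme != "https":
        raise ValueError("refusing to send the request over unencrypted HTTP")
    with socket.create_connection((host, port), timeout=timeout) as tcp:
        # The handshake happens here; an untrusted or mismatched certificate
        # raises ssl.SSLCertVerificationError before any HTTP bytes are sent.
        with client_context().wrap_socket(tcp, server_hostname=host) as tls:
            version = tls.version()
            subject = tls.getpeercert().get("subject")
            tls.sendall(build_request(host, port, target))
            chunks = []
            while True:
                data = tls.recv(4096)  # decrypted by the TLS sublayer
                if not data:
                    break
                chunks.append(data)
    return version, subject, b"".join(chunks)
```

Calling `fetch()` needs network access to a real HTTPS server; the other functions run offline.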

The effectiveness of HTTPS can be limited by poor implementation of browser or server software or a lack of support for some algorithms. Furthermore, although HTTPS secures data as it travels between the server and the client, once the data is decrypted at its destination, it is only as secure as the host computer. According to security expert Gene Spafford, that level of security is analogous to "using an armored truck to transport rolls of pennies between someone on a park bench and someone doing business from a cardboard box."

HTTPS is not to be confused with S-HTTP, a security-enhanced version of HTTP developed and proposed as a standard by EIT.

Getting started with HTTPS
To explore how HTTPS is used in the enterprise, here are some additional resources for learning about HTTPS and Web page security:
Enabling HTTPS in J2EE Web components: The HTTPS protocol is a valuable security feature for J2EE Web components. Expert Ramesh Nagappan explains how to implement HTTPS in JSPs and servlets.
Authentication and authorization for Web applications: Web applications need robust authentication and authorization mechanisms, such as HTTPS. Expert Ramesh Nagappan explains what measures are needed before you deploy Web apps.
How to create a secure login page using ASP.NET: A secure ASP.NET login page is easier to create than one might assume. Expert Dan Cornell explains how to use authentication, authorization and HTTPS to ensure your login page is safe.
This was last updated in August 2008
