HTTPS (Hypertext Transfer Protocol Secure) is an extension of HTTP in which the data exchanged between a web server and a web browser (or any other HTTP client) is encrypted. It is a modified form of HTTP (see Hypertext Transfer Protocol) that protects data in two ways: the traffic is encrypted in transit over the network, and the server proves its identity with a certificate and a digital signature in the connection handshake, so the client can check that it is talking to the site it intended and that the data was not altered on the way. A server protected in this way can also restrict access to confidential information to a narrow set of authorized people. An increasing number of commercial web sites use these mechanisms on their web servers.
HTTPS is not a separate protocol. It is ordinary HTTP carried over an encrypted transport, originally SSL and today TLS (every version of SSL is now deprecated and should be disabled). It protects against attacks that rely on listening in on the network connection, that is, against sniffing and man-in-the-middle attacks, but only if strong encryption is used and the client actually verifies the server's certificate and trusts the authority that issued it. A client that skips certificate verification still gets encryption, but no assurance about who is at the other end of the connection.
By default an HTTPS URL uses TCP port 443 (unprotected HTTP uses port 80). To prepare a web server for HTTPS connections, the administrator has to obtain and install a certificate for it. The certificate is tied to a key pair: a public key, which is embedded in the certificate and sent to every client, and a private key, which never leaves the server and must be stored securely. The public key is not used to encrypt the web traffic itself: during the TLS handshake it lets the client authenticate the server (and, with the older RSA key exchange, encrypt a secret that only the holder of the private key can decrypt), after which both sides derive a symmetric session key that protects the actual data. Once the key pair has been generated, a certificate signing request (CSR) containing the public key and the server's name is sent to a Certification Authority (CA), which returns a signed certificate. Before signing, the CA checks the applicant, which is what lets it vouch that the certificate holder is who it claims to be; commercial CAs usually charge a fee for this.
It is also possible to create a certificate without going to a CA. On Unix servers such certificates can be made with tools such as ssl-ca (from OpenSSL) or gensslcert (from SuSE), or directly with the openssl command. A certificate of this kind is signed with its own private key, so issuer and subject are the same; it is called self-signed. Because no trusted third party vouches for it, a client cannot tell a genuine self-signed certificate from one an attacker substituted on the wire. Unless the certificate is verified some other way (for example, by calling the owner and comparing the certificate's fingerprint), HTTPS with a self-signed certificate is open to a man-in-the-middle attack.
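The key, CSR and self-signed certificate steps from the two paragraphs above, as an added example that is not part of the original article, carried out with the openssl command-line tool the article mentions. The host name example.test, the work directory and the certificate lifetime are assumptions made for the demonstration; in the real procedure the CSR goes to a CA and comes back signed, which the example replaces by self-signing, and the last two functions show the only checks a client can make on the result.

```shell
#!/bin/sh
# Added example (not from the original article): the server-side key and
# certificate steps, done with the openssl command.
#   1. generate a private key and a certificate signing request (CSR) for a CA
#   2. alternatively, self-sign the certificate
#   3. show what a client can check on a self-signed certificate
# The host name example.test and the work directory are constructed for the demo.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Minimal request config. Browsers match the host name against the
# subjectAltName extension; the CN alone is no longer sufficient.
write_req_cnf() {
  cat > "$WORKDIR/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions     = v3_req
x509_extensions    = v3_req
prompt             = no
[dn]
CN = example.test
[v3_req]
subjectAltName   = DNS:example.test
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Step 1: private key (never leaves the server) and the CSR that goes to the CA.
# The CSR carries the public key and the requested names, not the private key.
make_key_and_csr() {
  write_req_cnf
  openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
  chmod 600 "$WORKDIR/server.key"
  openssl req -new -key "$WORKDIR/server.key" -out "$WORKDIR/server.csr" \
    -config "$WORKDIR/openssl.cnf"
  # The CSR is signed with the private key it was made for; confirm that
  # before sending it off.
  openssl req -in "$WORKDIR/server.csr" -noout -verify \
    -config "$WORKDIR/openssl.cnf" >/dev/null 2>&1
}

# Step 2: self-sign instead of going to a CA. The issuer is the subject itself.
make_self_signed() {
  openssl req -x509 -key "$WORKDIR/server.key" -out "$WORKDIR/server.crt" \
    -days 365 -config "$WORKDIR/openssl.cnf"
}

# Subject and issuer with the "subject="/"issuer=" prefix stripped so the two
# can be compared; for a self-signed certificate they are identical.
cert_subject() { openssl x509 -in "$WORKDIR/server.crt" -noout -subject | sed 's/^[a-z]*= *//'; }
cert_issuer()  { openssl x509 -in "$WORKDIR/server.crt" -noout -issuer  | sed 's/^[a-z]*= *//'; }

# Step 3a: the fingerprint the owner reads out over the phone and the client
# compares with what its browser shows; this out-of-band check is what stands
# in for a CA when the certificate is self-signed.
cert_fingerprint() {
  openssl x509 -in "$WORKDIR/server.crt" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Step 3b: chain validation. Against the system trust store a self-signed
# certificate fails (nobody vouches for it); it passes only once the client has
# pinned that exact certificate as trusted.
verify_with_system_store() {
  if openssl verify "$WORKDIR/server.crt" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}
verify_with_pinned_cert() {
  if openssl verify -CAfile "$WORKDIR/server.crt" "$WORKDIR/server.crt" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

demo() {
  make_key_and_csr
  make_self_signed
  echo "subject:     $(cert_subject)"
  echo "issuer:      $(cert_issuer)"
  echo "sha256:      $(cert_fingerprint)"
  echo "system CAs:  $(verify_with_system_store)"
  echo "pinned:      $(verify_with_pinned_cert)"
  echo "files left in $WORKDIR for inspection"
}

# Run the walkthrough when openssl is available on this machine.
command -v openssl >/dev/null 2>&1 && demo
```

The "system CAs: untrusted" line is the browser warning a visitor sees; "pinned: trusted" is what the visitor gets only after verifying the fingerprint with the owner and importing the certificate, which is the manual work a CA signature would otherwise spare them.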
The same mechanism can be used in the other direction, to authenticate the client and give access to the server only to authorized users. The administrator typically issues a certificate to each user and installs it in that user's browser. The server accepts any client certificate signed by an authority it trusts. Such a certificate usually contains the user's name and e-mail address, which the server checks on every connection, so the user is identified without a password. The scheme rests on two things: the user's private key stays on the user's device, and the server trusts only its own (or a carefully chosen) CA, because it will believe the name in any certificate that chains to one of its trusted authorities.
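Client-certificate authentication as described above, as an added example that is not from the original article: a small private CA issues a user certificate, and the server's acceptance test is the chain check followed by reading the identity out of the subject. The CA names, the user "Alice Example", the e-mail addresses and the 90-day lifetime are constructed for the demonstration. A second CA issuing a certificate with the very same name shows that the server trusts the issuer, not the name inside the certificate.

```shell
#!/bin/sh
# Added example (not from the original article): client-certificate
# authentication. An administrator runs a small private CA, issues a
# certificate to each user, and the server accepts a connection only when the
# presented certificate chains to a CA it trusts. CA names, the user and the
# e-mail addresses are constructed for the demo.
set -eu

CADIR="${CADIR:-$(mktemp -d)}"

# Create a CA: a self-signed certificate explicitly marked CA:TRUE.
#   $1 = directory for the CA files, $2 = CA name
make_ca() {
  mkdir -p "$1"
  cat > "$1/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = $2
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.pem" \
    -days 365 -config "$1/ca.cnf" 2>/dev/null
  chmod 600 "$1/ca.key"   # whoever holds this key can mint "authorized users"
}

# Issue a client certificate. The user generates the key and a CSR carrying
# name and e-mail; only the CSR crosses to the CA, which signs it.
#   $1 = CA directory, $2 = user name, $3 = e-mail, $4 = output path prefix
issue_client_cert() {
  cat > "$4.cnf" <<EOF
[req]
distinguished_name = dn
prompt             = no
[dn]
CN           = $2
emailAddress = $3
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "$4.key" -out "$4.csr" \
    -config "$4.cnf" 2>/dev/null
  openssl x509 -req -in "$4.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 90 -out "$4.pem" 2>/dev/null
}

# What the server does when a client presents a certificate: verify the chain
# against the CAs it trusts, for the TLS-client purpose.
#   $1 = trusted CA certificate, $2 = client certificate
server_accepts() {
  if openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1; then
    echo accept
  else
    echo reject
  fi
}

# Identity the server reads from an accepted certificate (the e-mail address
# in the subject), used in place of a password.
client_email() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*emailAddress=\([^,]*\).*/\1/p'
}

demo() {
  make_ca "$CADIR/corp"  "Example Corp Internal CA"
  make_ca "$CADIR/rogue" "Rogue Test CA"
  issue_client_cert "$CADIR/corp"  "Alice Example" "alice@example.test" "$CADIR/alice"
  # Same name and e-mail, but signed by a CA the server does not trust.
  issue_client_cert "$CADIR/rogue" "Alice Example" "alice@example.test" "$CADIR/mallory"
  echo "alice.pem:   $(server_accepts "$CADIR/corp/ca.pem" "$CADIR/alice.pem") as $(client_email "$CADIR/alice.pem")"
  echo "mallory.pem: $(server_accepts "$CADIR/corp/ca.pem" "$CADIR/mallory.pem") (issuer not trusted)"
}

# Run the walkthrough when openssl is available on this machine.
command -v openssl >/dev/null 2>&1 && demo
```

In a real deployment the equivalent of server_accepts is the web server's client-verification setting pointed at corp/ca.pem only; listing a public CA there would let anyone who can buy a certificate pass the first check, leaving only the name comparison between them and the server.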
The symmetric encryption keys used in HTTPS have been 40, 56, 128 or 256 bits long. Some older browsers (for example Internet Explorer before version 4.0) used 40-bit keys because of US export restrictions. A 40-bit key offers no real protection; it can be recovered by brute force. Many modern web sites therefore require browsers that support 128-bit encryption in order to provide an adequate level of security, and current TLS versions allow nothing weaker: the 40- and 56-bit "export" cipher suites have been removed from the protocol, and TLS 1.3 defines only 128- and 256-bit ciphers. Encryption of this strength makes it impractical for an attacker who captures the traffic to recover passwords and other personal information from it.
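A way to check a server's cipher configuration for the key lengths the paragraph warns about, as an added example that is not from the original article. It parses the Enc=algorithm(bits) column that openssl ciphers -v prints for each suite and flags anything below 128 bits or with no encryption at all. The sample lines are constructed in that output format, because modern OpenSSL builds no longer contain the 40- and 56-bit export suites; DEFAULT is the cipher string it audits on the local build.

```shell
#!/bin/sh
# Added example (not from the original article): audit a cipher-suite
# configuration for weak key lengths. `openssl ciphers -v` prints one suite per
# line with an Enc=ALGORITHM(bits) field; anything under 128 bits, or with no
# encryption at all, is flagged. The sample lines are constructed for the demo.
set -eu

# Read `openssl ciphers -v` output on stdin, print the names of weak suites.
weak_ciphers_from_lines() {
  awk '
    {
      enc = ""
      for (i = 1; i <= NF; i++) if ($i ~ /^Enc=/) enc = $i
      if (enc == "") next                # not a cipher line
      bits = enc
      sub(/^Enc=[^(]*\(?/, "", bits)     # drop "Enc=NAME("
      sub(/\).*$/, "", bits)             # drop ")"
      # Enc=None is a NULL cipher (no confidentiality at all); the export-grade
      # 40- and 56-bit suites fall under the 128-bit floor.
      if (enc == "Enc=None" || bits + 0 < 128) print $1
    }'
}

# Audit a cipher string the way a server configuration hands it to OpenSSL.
weak_ciphers_in_string() {
  openssl ciphers -v "$1" | weak_ciphers_from_lines
}

# Constructed sample in the format of `openssl ciphers -v`; export-grade and
# NULL suites are absent from modern builds, hence the fixed input.
SAMPLE_CIPHER_LINES='EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)      Mac=MD5  export
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)      Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)     Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None         Mac=SHA1'

demo() {
  echo "weak suites in the constructed sample:"
  printf '%s\n' "$SAMPLE_CIPHER_LINES" | weak_ciphers_from_lines
  if command -v openssl >/dev/null 2>&1; then
    echo "weak suites in this OpenSSL build's DEFAULT list (expected: none):"
    weak_ciphers_in_string DEFAULT
  fi
}
demo
```

The key-length column is only a first filter: a suite can print 168 bits (3DES) or use a 128-bit key with RC4 and still be one that current guidance disables, so the result is a list of definite failures, not a clean bill of health.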