- HTTPS uses encryption for secure communication over a computer network and is widely used on the Internet.
- HTTPS ensures reasonable protection from eavesdroppers and man-in-the-middle attacks, provided that adequate cypher suites are used, and the server certificate is verified and trusted.
- HTTPS needs to be improved in plaintext data transmission and message integrity detection.
Hypertext transfer protocol secure (HTTPS) is the secure version of HTTP, which is the primary protocol used to send data between a web browser and a website. HTTPS is encrypted to increase the security of data transfer.
What is HTTPS
Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It uses encryption for secure communication over a computer network and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). The protocol is therefore also referred to as HTTP over TLS or HTTP over SSL.
Also read: What is computer network infrastructure?
HTTPS principles
The principal motivations for HTTPS are authentication of the accessed website and protection of the privacy and integrity of the exchanged data while it is in transit. It protects against man-in-the-middle attacks, and the bidirectional block cypher encryption of communications between a client and server protects the communications against eavesdropping and tampering.
The authentication aspect of HTTPS requires a trusted third party to sign the server-side digital certificates. This was historically an expensive operation, which meant that fully authenticated HTTPS connections were usually found only on secured payment transaction services and other secured corporate information systems on the World Wide Web (WWW).
In 2016, a campaign by the Electronic Frontier Foundation (EFF) with the support of web browser developers led to the protocol becoming more prevalent. HTTPS is now used more often by web users than the original, non-secure HTTP, primarily to protect page authenticity on all types of websites, secure accounts, and keep user communications, identity, and web browsing private.
Advantages of HTTPS
The HTTPS protocol authenticates users and servers, ensuring that data are sent to the correct clients and servers.
The HTTPS protocol is a network protocol constructed from SSL + HTTP that allows for encrypted transmission and authentication. It prevents data from being stolen or altered during transmission and ensures data integrity.
HTTPS is the most secure solution under the current architecture. Although it is not absolutely secure, it significantly increases the cost of man-in-the-middle attacks.
Also read: DuckDuckGo bundles VPN with privacy protection
Limitations of HTTPS
In the same network environment, HTTPS protocol increases page load times by nearly 50% and increases power consumption by 10% to 20%. In addition, HTTPS protocol affects caching, increasing data overhead and power consumption.
The security of the HTTPS protocol is scoped and plays little role in hacking, denial-of-service attacks, and server hijacking.
Crucially, the credit chain system for SSL certificates is not secure. Man-in-the-middle attacks are just as feasible, especially when certain countries can control CA (certificate authority) root certificates.
The cost has increased. After the deployment of HTTPS, the work of HTTPS protocol to increase the consumption of additional computing resources, such as the SSL protocol encryption algorithm and the number of SSL interactions, will take up a certain amount of computing resources and server costs.
In the scenario of large-scale user access applications, the server needs to perform encryption and decryption operations frequently, and almost every byte needs to be encrypted and decrypted, which generates server costs.
With the development of cloud computing technology, the cost of using servers deployed in data centres gradually decreases as the scale increases, and the input cost has dropped to an acceptable level relative to the security enhancement of user access.
