What is the use of https?

I am new to HTTPS technology :( I have some doubts about the HTTPS implementation.

Let's say I have a registration form

http://www.sitename.com/register.php

      

If I want to use this in HTTPS it becomes

https://www.sitename.com/register.php

      

What does it mean? How do I implement HTTPS from scratch? How do I get a certificate?

Thanks in advance!

+2




6 answers


HTTPS stands for HTTP Secure. It is implemented as an HTTP connection over a secure connection. Check out HTTP Secure on Wikipedia for a more detailed explanation.

Setting up HTTPS isn't just about changing the URL. To do this, you will need to add an SSL certificate to your site. These certificates can be obtained from certification authorities (CA List), or you can use a self-signed certificate.

Speaking of your doubts about the HTTPS implementation: this is a well-established protocol that has been passed through by security experts with PhDs on the subject. This way you can trust the HTTPS implementation.



Flat Mountain has a good article for Configuring SSL Certificates on Apache *

* Assuming you are running PHP through an Apache server

+9




Others have given you good links to resources on how HTTPS works. I will consider two reasons why it is used:

1. Safety

When using HTTPS, traffic between your browser and the web server is encrypted. This prevents anyone with access to any of the many wires your data will pass through as it crosses the Internet from looking at what you are sending to the server or what the server is sending you. This is why HTTPS is used to send passwords and other credentials. This is one of the reasons why banking and other privacy-related websites use HTTPS. This is why you probably want to use HTTPS if you are reading your webmail from a public Wi-Fi connection.

2. Identity



When connecting via HTTPS, the web server provides you with a certificate. In addition to containing the public key needed to facilitate the encryption mentioned above, the certificate also tries to prove the identity of the web server. This prevents anyone with access to any of the many wires that your data will cross as it traverses the Internet from diverting traffic to their server and pretending to be the website you wanted to contact. All the encryption in the world doesn't help if you've established this encrypted connection with a hacker.

To do this, certificates are "signed" by a certification authority. The authorities responsible for issuing certificates must ensure that the person to whom they issue the certificate is who they say they are. That is, a CA will not issue the "bankofamerica.com" certificate to anyone other than Bank of America. Your browser has a pre-installed set of certification authorities whose signatures it trusts. If the certificate provided by the server is not signed by one of these trusted CAs, the browser will alert you.

Note that failure of the authentication step does not prevent the security step. If the HTTPS server gives you a certificate that is not signed by a CA that your browser trusts, you can still establish an encrypted secure connection to the server - you simply cannot be sure who is actually running the server you are talking to.

+6
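The signature check described in the answer above, as an added PHP example that is not part of the original answer. It uses throwaway keys and a hypothetical "Example Test CA", and it checks only the CA signature; a real browser also validates the chain, validity dates and host name.

```php
<?php
// Added example with constructed, throwaway keys; "Example Test CA" is hypothetical.
function new_key()
{
    return openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 2048,
    ]);
}

// Issue a 30-day certificate for $name. Passing null as $issuerCert self-signs it.
function issue_cert(string $name, $subjectKey, $issuerCert, $issuerKey)
{
    $csr = openssl_csr_new(['commonName' => $name], $subjectKey, ['digest_alg' => 'sha256']);
    return openssl_csr_sign($csr, $issuerCert, $issuerKey, 30, ['digest_alg' => 'sha256']);
}

// The browser-side question: was this certificate signed by a CA in my trust store?
function signed_by_trusted_ca($cert, array $trustStore): bool
{
    foreach ($trustStore as $caCert) {
        if (openssl_x509_verify($cert, openssl_pkey_get_public($caCert)) === 1) {
            return true;
        }
    }
    return false;
}

$caKey      = new_key();
$caCert     = issue_cert('Example Test CA', $caKey, null, $caKey);
$trustStore = [$caCert]; // stands in for the browser's pre-installed CA list

$siteKey  = new_key();
$caSigned = issue_cert('www.sitename.com', $siteKey, $caCert, $caKey);

$otherKey   = new_key();
$selfSigned = issue_cert('www.sitename.com', $otherKey, null, $otherKey);

foreach (['CA-signed' => $caSigned, 'self-signed' => $selfSigned] as $label => $cert) {
    // Both certificates carry a usable public key; only one chains to a trusted CA.
    $hasKey = openssl_pkey_get_public($cert) !== false;
    printf("%-12s public key: %s, trusted: %s\n", $label,
        $hasKey ? 'yes' : 'no',
        signed_by_trusted_ca($cert, $trustStore) ? 'yes' : 'no');
}
```

Both certificates name the same host and both can set up encryption, which is why the browser warning on the self-signed one concerns identity rather than confidentiality.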




Working over the HTTPS protocol means that you are serving encrypted data, which in theory cannot be sniffed because it is not transmitted in plain text. The connection is usually made over port 443, not the normal port 80 for HTTP traffic.

In addition, SSL provides a certificate that authenticates you to the content server by a third party such as VeriSign or others.

For a professional site, you can buy a certificate to install on your server, or, in other cases, it is better to use a self-signed certificate, although these will usually show up as errors in common browsers (which might not be a problem if you have only trusted users).

+3




HTTPS includes many layers, and they are all there to ensure that your HTTP communication over the wire is encrypted and secure. One of the mechanisms it uses for security is to prove to the client that the server is actually who it says it is, not someone pretending to be the server. This is accomplished using server certificates issued by certification authorities that are trusted by most clients.

Thus, you need a few things to get your form to work over HTTPS:

  • You need to configure your web server to respond to HTTPS requests in the first place. HTTPS requests are made on port 443 so they don't get mixed up with regular HTTP requests.
  • You need to obtain a server certificate from a certification authority that matches the domain name of your HTTPS requests (in the example you provide, that will be "www.sitename.com").
  • Finally, you need to make sure that the URL your form is submitting the collected data to is also an HTTPS URL, because otherwise you would just capture the content of the original form, but not the data the user has submitted.

There will be no difference for your register.php page between clients that come from HTTPS or HTTP; your processing will be the same. However, if you want to force users to use HTTPS, you need to first check if the request is plain HTTP and, if it is, redirect the user to the same page with the HTTPS protocol. This way, no one can inadvertently use an unsafe address.

+3
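One way to write the check and redirect described in the answer above, as an added example that is not part of the original answer. It assumes TLS terminates at Apache itself (so `$_SERVER['HTTPS']` is set by the web server), and `CANONICAL_HOST` and the helper function names are hypothetical, with the host taken from the question's URL.

```php
<?php
// Added example for register.php. CANONICAL_HOST is an assumption taken from the
// question's URL; the redirect never trusts the Host header sent by the client.
const CANONICAL_HOST = 'www.sitename.com';

// True when the request reached PHP over TLS (Apache mod_ssl sets HTTPS=on).
function request_is_https(array $server): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

// Same path and query string, but on https:// and on the fixed host name.
function https_url_for(array $server): string
{
    $uri = $server['REQUEST_URI'] ?? '/';
    // Keep only a local path so a crafted request line cannot change the target host.
    if ($uri === '' || $uri[0] !== '/' || strncmp($uri, '//', 2) === 0) {
        $uri = '/';
    }
    return 'https://' . CANONICAL_HOST . $uri;
}

function enforce_https(array $server): void
{
    if (!request_is_https($server)) {
        header('Location: ' . https_url_for($server), true, 301);
        exit;
    }
    // Ask browsers to keep using HTTPS for this host for the next year.
    header('Strict-Transport-Security: max-age=31536000');
}

if (PHP_SAPI !== 'cli') {
    enforce_https($_SERVER);
}
?>
<form method="post" action="https://www.sitename.com/register.php">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit">Register</button>
</form>
```

The redirect only protects requests made after it; anything already posted to the http:// address has crossed the network in plain text, which is why the form's `action` is an absolute https:// URL.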




Hmm. Um. You need to look at SSL and secure HTTP. And maybe setting up SSL on Apache.

Basically, this is an encrypted HTTP connection. Ask yourself why you need an encrypted connection, and is it really worth all the trouble.

+2




If your site is running on Apache you will need to install SSL and then make sure you are set to view at 443. Then any page in the vhost can be called by any protocol.

http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html

http://en.wikipedia.org/wiki/HTTP_Secure

+2

