Security Testing - HTTPS Protocol Basics


HTTPS (Hypertext Transfer Protocol over Secure Socket Layer), or HTTP over SSL, is a web protocol developed by Netscape. It is not a separate protocol in itself; it is simply HTTP layered on top of SSL/TLS (Secure Socket Layer / Transport Layer Security), so that the HTTP messages travel inside an encrypted and authenticated channel.

In short, HTTPS = HTTP + SSL

When is HTTPS Required?

When we browse, we normally send and receive information using the HTTP protocol, which transmits everything in plain text. This allows anyone on the network path to eavesdrop on the conversation between our computer and the web server. We often need to exchange sensitive information that must be protected from eavesdropping and unauthorized access.

The HTTPS protocol is used in the following scenarios:

  • Banking Websites
  • Payment Gateway
  • Shopping Websites
  • All Login Pages
  • Email Apps

Basic Working of HTTPS

  • In the HTTPS protocol, the server must have a public key and a signed certificate.

  • The client requests an https:// page.

  • When using an HTTPS connection, the server responds to the initial connection by offering the list of encryption methods (cipher suites) the web server supports.

  • In response, the client selects a connection method, and the client and server exchange certificates to authenticate their identities (the server always presents its certificate; the client presents one only when client authentication is configured).

  • After this is done, the web server and client exchange the encrypted information, having first confirmed that both are using the same session key, and the connection is closed when the exchange is complete.

  • To host HTTPS connections, a server must have a public key certificate, which binds the public key to a verified identity of the key owner.

  • Almost all certificates are signed by a trusted third party, a certificate authority, so that clients can be assured that the key genuinely belongs to the server it claims to represent rather than to an impostor.
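As an added example (not code from the original tutorial), the client side of the process above in Python's standard `ssl` module: a context that verifies the server's certificate and hostname, an audit of what a weakened context loses, and a helper that reports what a real handshake negotiated. The host and port in the usage block are sample values.

```python
import socket
import ssl


def hardened_client_context(cafile=None):
    """Client context that verifies the server certificate and hostname."""
    # create_default_context() already sets CERT_REQUIRED and check_hostname=True;
    # cafile lets you pin a private CA instead of the system trust store.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3/TLS 1.0/1.1
    return ctx


def disabled_verification_context():
    """The common copy-pasted 'fix' for certificate errors: verification off."""
    # Anyone who can intercept the connection can now present any certificate.
    return ssl._create_unverified_context()


def audit_client_context(ctx):
    """Return the list of weaknesses in a client SSLContext (empty list = OK)."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("verify_mode is not CERT_REQUIRED: server certificate is not checked")
    if not ctx.check_hostname:
        problems.append("check_hostname is False: a certificate for any name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("minimum_version allows TLS versions below 1.2")
    return problems


def describe_handshake(host, port=443, ctx=None):
    """Connect over TLS and report what was negotiated and who the peer is."""
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        # server_hostname drives both SNI and the hostname check.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()  # parsed only when verification is on
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(x[0] for x in cert["subject"]),
                "issuer": dict(x[0] for x in cert["issuer"]),
                "not_after": cert["notAfter"],
            }


if __name__ == "__main__":
    print(audit_client_context(disabled_verification_context()))
    print(describe_handshake("example.com"))  # sample host; needs network access
```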

HTTP Architecture