- Security Testing Tutorial
- Security Testing - Home
- Security Testing - Overview
- Security Testing - Process
- Security Testing - Malicious Software
- HTTP Protocol Basics
- HTTPS Protocol Basics
- Encoding and Decoding
- Security Testing - Cryptography
- Security Testing - Same Origin Policy
- Security Testing - Cookies
- Hacking Web Applications
- Security Testing - Injection
- Testing Broken Authentication
- Testing Cross Site Scripting
- Insecure Direct Object Reference
- Testing Security Misconfiguration
- Testing Sensitive Data Exposure
- Missing Function Level Access Control
- Cross Site Request Forgery
- Components with Vulnerabilities
- Unvalidated Redirects and Forwards
- Security Testing - Ajax Security
- Testing Security - Web Service
- Security Testing - Buffer Overflows
- Security Testing - Denial of Service
- Testing Malicious File Execution
- Security Testing - Automation Tools
- Security Testing Useful Resources
- Security Testing - Quick Guide
- Security Testing - Useful Resources
- Security Testing - Discussion
Security Testing - HTTPS Protocol Basics
HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) or HTTP over SSL is a web protocol developed by Netscape. It is not a protocol but it is just the result of layering the HTTP on top of SSL/TLS (Secure Socket Layer/Transport Layer Security).
In short, HTTPS = HTTP + SSL
When is HTTPS Required?
When we browse, we normally send and receive information using HTTP protocol. So this leads anyone to eavesdrop on the conversation between our computer and the web server. Many a times we need to exchange sensitive information which needs to be secured and to prevent unauthorized access.
Https protocol used in the following scenarios −
- Banking Websites
- Payment Gateway
- Shopping Websites
- All Login Pages
- Email Apps
Basic Working of HTTPS
Public key and signed certificates are required for the server in HTTPS Protocol.
Client requests for the https:// page
When using an https connection, the server responds to the initial connection by offering a list of encryption methods the webserver supports.
In response, the client selects a connection method, and the client and server exchange certificates to authenticate their identities.
After this is done, both webserver and client exchange the encrypted information after ensuring that both are using the same key, and the connection is closed.
For hosting https connections, a server must have a public key certificate, which embeds key information with a verification of the key owner's identity.
Almost all certificates are verified by a third party so that clients are assured that the key is always secure.
