HTTPS Basics

Feb 21, 2025, 10:07 AM

HTTPS: The Key to Secure Internet Communication

Core points:

  • HTTPS (Hypertext Transfer Protocol Secure) is crucial for secure Internet communication, especially for websites that process sensitive information such as credit card details. It encrypts data and verifies the identity of the website, so the information stays safe even if it is intercepted.
  • To implement HTTPS, the website requires a certificate issued by a Certificate Authority (CA). This digital document confirms the identity of the website to the user's browser. The website also requires a private key and a certificate signing request (CSR), which are generated on the server hosting the website.
  • HTTPS can be set up with a self-signed certificate or a certificate signed by a third party. The former is not trusted by browsers and triggers user warnings; the latter is trusted and requires annual fees. After installing the certificate, the secure pages need to be addressed with "https://".
  • Implementing HTTPS can improve the SEO of the website because Google uses it as a ranking signal. It also enhances user trust and prevents certain types of attacks. Although the SSL handshake involves additional steps, with modern servers and optimized configurations the impact on website speed is minimal.

What is HTTPS?

Hypertext Transfer Protocol Secure (HTTPS), or Hypertext Transfer Protocol over SSL, is used to communicate securely over a network or, more importantly, over the Internet. When you visit a page that uses HTTPS, you will see https:// in the URI and the lock icon in the browser.

If you have ever wondered if and how to get your website to use HTTPS, we will try to articulate this by briefly describing what HTTPS is and why and how to implement it.

Why use HTTPS?

Consider developing an e-commerce website that requires your users to enter sensitive information (such as credit card details) to conduct online transactions. If the information is transmitted as is over the Internet and intercepted by someone, it can easily be read and abused. That's where HTTPS comes in: if you need to prevent such threats, you need to use HTTPS.

HTTPS promises you two things. First, by applying an encryption mechanism, sensitive data is turned into unreadable ciphertext that can only be decrypted by your server (the certificate owner). If this information is intercepted through a man-in-the-middle attack, it will be meaningless. Second, HTTPS verifies that the website is indeed the website it claims to be. In your case, it verifies your website before sending the user's encrypted credit card details, so no one can imitate you.

Therefore, using HTTPS can verify your website and protect sensitive information that is communicated over the Internet. This is made possible with the help of certificates and encryption.

  • Certificate

To use HTTPS, you need a certificate. It is a digital document that your website presents to declare its identity to the user (web browser). Certificates are issued by companies called Certificate Authorities (CAs) that encrypt your web-related information (such as your domain name, server platform, and identity information such as company name, address, phone number, etc.) in the certificate. You may be wondering how your browser trusts certificates. All browsers come with pre-installed information that tells them which certificate authorities are trusted. When you use HTTPS, your server holds your certificate, which is sent to your users so that their browsers can verify you.

  • Encryption

We know that HTTPS encrypts data before sending it over the Internet and that the server decrypts it. The encryption-decryption scheme involves a pair of keys: one is public and the other is private. When your website wants your users to send information, your server instructs the user's browser to encrypt the data to be sent using a key (the public key). After receiving the encrypted message, the server uses its private key to decrypt and understand the data. In HTTPS, any plain text encrypted with a public key can only be decrypted by the private key holder.

How to use HTTPS?

To use HTTPS, you need to install the certificate on the server. The certificate can be self-signed or signed by a third party. A self-signed certificate is signed by its own owner and is not trusted by the browser. When users access secure web pages from servers with self-signed certificates, they see warnings. However, it is useful if you want to test your application over a secure connection without any cost, or if you want a secure connection on an intranet. On the other hand, a third-party signed certificate has been verified and issued by a CA trusted by the browser. This will cost you a certain amount of money each year, ranging from $10 to a few hundred dollars, depending on some of the features the certificate offers.

To obtain a certificate, you need a private key and a certificate signing request (CSR). These are generated on the server where you host your website. In the Encryption section above, we saw the role of the private key. The CSR is simply the request you submit to obtain the certificate. When you generate a CSR, you enter your identity information such as the company name, location, etc.

Suppose the certificate you obtained is signed by a CA that is not trusted by a browser or browser version. This rarely happens, but if it does, your users will see a message that the connection is not trusted. To prevent this, your CA will provide another certificate called a chain certificate. It contains a chain of trusted CAs that validate your CA and the certificates it provides.
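The key, CSR and chain-certificate steps from the two paragraphs above, as an added example that is not part of the original article. It uses the `openssl` command line; a constructed root and intermediate CA stand in for a commercial CA, and every subject, host name and file name is an assumption.

```shell
#!/bin/sh
# Added example: every subject, host name and file name here is constructed.

# mkreq KEY CSR SUBJECT: new 2048-bit RSA private key plus a CSR for SUBJECT.
mkreq() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -subj "$3" -out "$2" 2>/dev/null
}

# build_demo_pki DIR: server key + CSR, then a stand-in CA hierarchy that signs it.
build_demo_pki() {
    d=$1
    # Server side: the private key stays on the server, only the CSR is sent out.
    mkreq "$d/server.key" "$d/server.csr" "/C=US/O=Example Shop/CN=www.example.test" || return 1

    # CA side (normally done by the CA): self-signed root, then an intermediate.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    mkreq "$d/root.key" "$d/root.csr" "/CN=Constructed Root CA" || return 1
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -days 30 -out "$d/root.crt" 2>/dev/null || return 1
    mkreq "$d/int.key" "$d/int.csr" "/CN=Constructed Intermediate CA" || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 30 -out "$d/int.crt" 2>/dev/null || return 1

    # The intermediate signs the server's CSR; int.crt is the "chain certificate".
    openssl x509 -req -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 30 -out "$d/server.crt" 2>/dev/null || return 1
}

# key_matches_cert DIR: the certificate carries the public half of server.key.
key_matches_cert() {
    from_key=$(openssl pkey -in "$1/server.key" -pubout 2>/dev/null)
    from_crt=$(openssl x509 -in "$1/server.crt" -noout -pubkey 2>/dev/null)
    [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ]
}

# A client that trusts only the root and receives only the server certificate.
verify_without_chain() {
    openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1
}

# The same client when the server also sends the chain certificate.
verify_with_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/server.crt" >/dev/null 2>&1
}

demo=$(mktemp -d)
if build_demo_pki "$demo"; then
    key_matches_cert "$demo" && echo "server.key matches server.crt"
    verify_without_chain "$demo" || echo "root only: server.crt is NOT trusted"
    verify_with_chain "$demo" && echo "root + chain certificate: server.crt is trusted"
fi
rm -rf "$demo"
```

The failing case is what a visitor's browser reports when the server is configured with its own certificate but not the chain certificate supplied by the CA.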

Installing a self-signed certificate

An article on the SSLShopper website explains how to install a self-signed certificate on your Apache server. It also discusses self-signed certificates in more detail. If you want a certificate in IIS 7, check it out here.

If your website is on shared hosting, you can use a front-end feature to install it. The cPanel documentation explores how to do this using cPanel and WHM. In most cases, the hosting provider will ask you to submit a request to install the certificate, regardless of its type.

Installing a certificate signed by CA

You can also purchase certificates from CAs such as Verisign and install them on your server when you deploy your website for commercial use. This SSL installation guide will help you with any server. The CA may also email you installation instructions or references to its support pages, along with the certificate.

If your website is on shared hosting, you can consult the cPanel documentation and get help from your hosting provider.

I also want to show you how BlueHost handles self-signed certificates and CA-signed certificates on its hosting.

What should I do after installing HTTPS?

When you have HTTPS ready, you need to make some modifications to your website and server to make it work, and this process is simple and straightforward.

Pages that require secure communication must be addressed with https:// at the beginning of the URL instead of http://. For such a page to load securely, you need to change all links to it on the website to its https:// address.

Apart from that, you need to add server settings that automatically redirect users who try to access secure pages through insecure URIs. For example, users who try to access a page such as checkout.php using http:// should be routed to its https:// address. Here is how to do this on Apache.

To do this, you add the following code to the .htaccess file:

<code>RewriteEngine On
# Redirect every request that arrived over plain HTTP to the same host and path on HTTPS
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]</code>

But this will redirect all web pages to https://. To redirect only a single folder, use:

<code>RewriteEngine On
# Redirect only requests under secureFolder/, keeping the rest of the path ($1)
RewriteCond %{HTTPS} off
RewriteRule ^/?secureFolder/(.*) https://%{SERVER_NAME}/secureFolder/$1 [R,L]</code>

With this rule, requests that use http:// to access files in this folder are redirected to https://. Of course, this is a precaution, since users don't usually change the protocol manually unless their intentions are bad.

We need to do one more thing. Your secure page may load some resources (images, CSS files, etc.) insecurely. To resolve this issue, replace http:// with // in the URLs of these files, for example:

<code><link rel="stylesheet" href="http://mysite.com/css/style.css"></code>

should become:

<code><link rel="stylesheet" href="//mysite.com/css/style.css"></code>
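To find and fix such resources across a page rather than by hand, here is an added example (not from the original article) that lists subresources still loaded over http:// and rewrites them to the // form shown above. The sample page and its mysite.com URLs are constructed, and the matching assumes lowercase, double-quoted attributes.

```shell
#!/bin/sh
# Added example. Tags that fetch subresources; plain <a href> links are
# navigation, not page resources, and are deliberately left alone.
TAGS='link|script|img|iframe|source|audio|video|embed'

# list_insecure_refs FILE: print each http:// URL loaded by a subresource tag.
list_insecure_refs() {
    grep -oE "<($TAGS)[^>]*[[:space:]](src|href)=\"http://[^\"]*\"" "$1" |
        sed -E 's/.*(src|href)="(http:[^"]*)"$/\2/'
}

# count_insecure_refs FILE: number of such URLs (0 means nothing left to fix).
count_insecure_refs() {
    list_insecure_refs "$1" | wc -l | tr -d ' '
}

# to_scheme_relative FILE: print the page with those URLs rewritten to //host/path.
to_scheme_relative() {
    sed -E "s#(<($TAGS)[^>]*[[:space:]](src|href)=\")http://#\1//#g" "$1"
}

# write_sample FILE: constructed checkout page with two insecure subresources.
write_sample() {
    cat > "$1" <<'EOF'
<html><head>
<link rel="stylesheet" href="http://mysite.com/css/style.css">
<script src="https://mysite.com/js/app.js"></script>
</head><body>
<img alt="logo" src="http://mysite.com/img/logo.png">
<a href="http://mysite.com/about.html">About</a>
</body></html>
EOF
}

page=$(mktemp)
write_sample "$page"
echo "insecure subresources before: $(count_insecure_refs "$page")"
list_insecure_refs "$page"
fixed=$(mktemp)
to_scheme_relative "$page" > "$fixed"
echo "insecure subresources after: $(count_insecure_refs "$fixed")"
rm -f "$page" "$fixed"
```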

Done! As a best practice, use different browsers to access your secure pages and make sure all pages are working properly. You should see the lock icon in your browser. You can also click on it for more information.

Conclusion

In this article, we explained what HTTPS is, why you should use it, and how to implement it. We also introduced some of the underlying technical aspects to show how HTTPS works. We hope this gives you a clear understanding of what HTTPS is and how to use it. Feedback is welcome!

HTTPS Frequently Asked Questions (FAQ)

  • What is the difference between HTTP and HTTPS?

HTTP stands for Hypertext Transfer Protocol, which is a protocol used to transfer data over the Internet. HTTPS, on the other hand, stands for Hypertext Transfer Protocol Secure. The main difference between the two is that HTTPS uses SSL (Secure Sockets Layer) certificates to establish a secure encrypted connection between the server and the client, while HTTP does not. This means HTTPS is much safer when transmitting sensitive data such as credit card information or personal details because it reduces the risk of data being intercepted by hackers.

  • How does HTTPS work?

HTTPS works by using an SSL certificate to create a secure encrypted connection between the server (website) and the client (user's computer). When a user connects to an HTTPS website, the website sends its SSL certificate to the user's browser. The browser then verifies the certificate and if the certificate is valid, it sends a message to the server. The server then sends back a confirmation of the digital signature to initiate the SSL encrypted session. This encrypted session ensures that all data transmitted between the server and the client is secure and private.

  • Why is HTTPS important for SEO?

HTTPS is important for SEO for the following reasons: First, Google has confirmed that HTTPS is a ranking signal, which means that websites using HTTPS may rank higher in search results than those using HTTP. Second, HTTPS enhances user trust because it shows that the website is secure and values user privacy. This can lead to increased user engagement and reduced bounce rates, which can also have a positive impact on SEO.

  • How to switch from HTTP to HTTPS?

Switching from HTTP to HTTPS involves several steps. First, you need to purchase an SSL certificate from a certificate authority. After you have obtained the certificate, you need to install it on your server. You then need to update your website to use HTTPS instead of HTTP. This may include updating internal links, updating any code base, and updating any third-party services to use HTTPS. Finally, you need to set up HTTP to HTTPS redirects so that users who try to access the HTTP version of the website are automatically redirected to the HTTPS version.

  • Will HTTPS affect website speed?

There is a common misconception that HTTPS slows down the website due to the extra steps in the SSL handshake. However, with modern servers and optimized configurations, the impact on speed is minimal and users usually don't notice it. In fact, HTTPS can improve website speed when used with HTTP/2, a major revision of the HTTP protocol, which provides significant performance improvements.

  • Is HTTPS required for all websites?

While HTTPS is not technically required, it is highly recommended. Even if a website does not process sensitive data, using HTTPS can still provide benefits such as improved SEO, enhanced user trust, and protection against certain types of attacks. Additionally, many modern web features, such as geolocation and service workers, are only available on HTTPS.

  • What does the padlock symbol mean in the browser?

The padlock symbol in the browser's address bar indicates that the website you are visiting is using HTTPS and that the connection is secure. This means that any data you send to the website, such as login details or credit card information, is encrypted and cannot be read by hackers who intercept it.

  • What is an SSL certificate and how does it work?

An SSL certificate is a digital certificate used to verify the identity of the website and enable an encrypted connection. It contains information about the website owner, the public key of the website, and the digital signature of the certificate authority that issued the certificate. When a user connects to a website using HTTPS, the SSL certificate of the website is sent to the user's browser. The browser then verifies the certificate and, if the certificate is valid, it encrypts the data sent to the website using the website's public key.

  • Can HTTPS be hacked?

While HTTPS is much safer than HTTP, it is not completely immune to hackers. For example, if a hacker is able to compromise a website's SSL certificate, they may intercept and decrypt the data. However, such attacks are very difficult to execute and are not a problem for most websites. The most important thing is to make sure your SSL certificate is correctly configured and kept up to date.

  • What is HTTP/2 and how does it relate to HTTPS?

HTTP/2 is a major revision of the HTTP protocol that provides significant performance improvements. It allows multiplexing multiple requests and responses over a single connection, thereby reducing the amount of data to be transmitted. HTTP/2 also supports server push, which can send resources to the client before the client requests them. Although HTTP/2 does not require HTTPS, all major browsers only support HTTP/2 over HTTPS. This means that in order to take advantage of HTTP/2's performance benefits, the website must use HTTPS.
