Hypertext Transfer Protocol Secure (HTTPS), often referred to as HTTP over TLS, HTTP over SSL or HTTP Secure, is a protocol for secure communication over a computer network. HTTPS communicates via HTTP but uses SSL/TLS to encrypt the data packets. HTTPS was developed mainly to authenticate the identity of website servers and to protect the privacy and integrity of the exchanged data.
HTTPS connections are often used for payment transactions on the World Wide Web and for transmitting sensitive information in enterprise information systems. HTTPS is also widely used to protect the authenticity of web pages on all types of websites, to protect accounts, and to keep user communications, identities and web browsing private.
The main idea of HTTPS is to create a secure channel over an insecure network. It provides reasonable protection against eavesdropping and man-in-the-middle attacks, provided that an appropriate cipher suite is used and the server certificate can be verified and trusted.
Trust in HTTPS derives from the certificate issuers (such as GlobalSign) pre-installed in the browser (meaning "the certificate issuer tells me to trust, and I trust it"). Therefore, an HTTPS connection to a website is trustworthy if and only if:
- Users believe that their browser correctly implements HTTPS and has the correct certificate issuers installed;
- Users believe that the certificate issuer only vouches for legitimate websites;
- The accessed website provides a valid certificate, meaning that it is signed and issued by a trusted certificate authority (most browsers show a warning for invalid certificates);
- The certificate correctly identifies the website being visited (for example, when you visit https://example.com you receive a certificate for example.com and not for some other organization);
- Either the intermediate nodes on the Internet are trustworthy, or users believe that the encryption layer (TLS or SSL) of this protocol cannot be broken by eavesdroppers.
Differences between HTTPS and HTTP
The main differences between HTTPS and HTTP are as follows:
- HTTPS requires applying to a CA for a certificate. Generally, there are few free certificates and a fee is required.
- HTTP is a hypertext transfer protocol that transmits information in plain text. HTTPS is a secure transfer protocol encrypted with SSL.
- HTTP and HTTPS use completely different connection methods and different ports: 80 for the former and 443 for the latter.
- An HTTP connection is simple and stateless, while HTTPS is a network protocol built from SSL + HTTP that supports encrypted transmission and identity authentication, which makes it more secure than HTTP.
HTTP TO HTTPS
Given the security that HTTPS provides, it is necessary to migrate a website from HTTP to HTTPS. The migration steps are as follows:
- Purchase the certificate (through Baidu AI Cloud). If there are multiple domain names, you can apply for a wildcard domain name certificate;
- Configure the certificate on the website and on Baidu AI Cloud;
- Change all HTTP links on the web pages to HTTPS;
- Redirect HTTP requests to HTTPS with a 301/302 response, for example by redirecting to the home page; this way, access through the previous HTTP addresses is not affected.
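
The checks behind the last two migration steps, as an added example that is not part of the original page or of any Baidu AI Cloud tooling: it lists the attributes of a page that still reference `http://` and builds the HTTPS redirect target for a request received over HTTP. The sample page, the host names and the function names are constructed for illustration, and the redirect keeps the path and query rather than sending every request to the home page.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Attributes that make a browser fetch or navigate to a URL.
URL_ATTRS = {"href", "src", "action", "poster", "data"}

# Constructed sample page: three references still use plain HTTP.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://www.example.com/site.css">
<script src="https://www.example.com/app.js"></script>
</head><body>
<a href="/about">About</a>
<img src="HTTP://img.example.com/logo.png">
<form action="http://www.example.com/login" method="post"></form>
</body></html>"""

class InsecureLinkFinder(HTMLParser):
    """Records (line, tag, attribute, url) for each http:// reference."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            url = (value or "").strip()
            if name in URL_ATTRS and url.lower().startswith("http://"):
                self.findings.append((self.getpos()[0], tag, name, url))

def find_insecure_links(html):
    """List the links that still need to be changed to HTTPS."""
    finder = InsecureLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

def https_redirect(host, request_target, status=301):
    """Return (status, Location) for a request that arrived over HTTP.
    Assumes `host` is a DNS name with an optional port (no IPv6 literal).
    Path and query are kept so old HTTP URLs still reach the same page.
    """
    if status not in (301, 302):
        raise ValueError("expected a 301 or 302 redirect")
    hostname = urlsplit("//" + host).hostname  # drops ":80", lowercases
    target = urlsplit(request_target)
    return status, urlunsplit(("https", hostname, target.path or "/", target.query, ""))

if __name__ == "__main__":
    print(find_insecure_links(SAMPLE_PAGE))
    print(https_redirect("www.example.com:80", "/cart?item=3"))
```

Relative links such as `/about` and links that already use `https://` are not reported, so an empty result means the page is ready for the redirect to be switched on.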