views:

334

answers:

6

Hi All. I am a beginner in HTTPS technology :(. I have some doubts regarding the HTTPS implementation.

suppose I have a registration form

http://www.sitename.com/register.php

if I want to use this in HTTPS this will become

https://www.sitename.com/register.php

What does this mean? How do I implement HTTPS from scratch? How do I get a certificate?

Thanks in advance!!

+9  A: 

HTTPS stands for HTTP Secure. It is implemented via serving HTTP over a secure connection. Take a look at HTTP Secure on Wikipedia for a much more in depth explanation.

Setting up HTTPS isn't a matter of merely changing the URL. You'll have to add an SSL certificate to your website to do that. These certificates can be obtained from Certificate Authorities (List of CAs) or you can use a self-signed certificate.

Speaking to your doubts about the HTTPS implementation: it is a well-established protocol which has gone through its paces by security experts with Ph.D.s on the subject. So you can trust the implementation of HTTPS.

Flat Mountain has a good article for Setting up SSL Certificates on Apache*

*assuming you're running your php through apache server

Gavin Miller
hm, the certificate is optional actually.
Victor Rodrigues
@Victor - is it?
Gavin Miller
It is probably worth noting that you need to have access to your web server configuration to enable https. That is to say, if your site is hosted by a third-party, you may need to follow their instructions to use https, or you may not be able to.
bmb
@LFSR Yeah, you can self-sign and generate your own cert, but it will pop up a warning when users visit saying that the cert hasn't been signed.
Mark Hammonds
@Kmit - I changed my answer to reflect that. Thanks
Gavin Miller
I wanted to say that certifying with authorities is optional; I also wasn't clear. Now the answer is much more complete ;)
Victor Rodrigues
+2  A: 

whew. um. You need to look at ssl and secure http. And possibly setting up ssl on apache.

Basically, it is an encrypted http connection. Ask yourself why you need an encrypted connection and is it really worth all the trouble.

contagious
+2  A: 

If your site is run on Apache, you'll need to set up SSL and then make sure your vhost is set up to listen on 443 as well. Then any page in the vhost can be called with either protocol.

http://httpd.apache.org/docs/2.0/ssl/ssl%5Fhowto.html

http://en.wikipedia.org/wiki/HTTP%5FSecure

Mark L
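The vhost setup described in this answer (and in the server-configuration step of the later answers), written out as an added example that is not part of the thread. It assumes Apache with mod_ssl loaded; the site name, DocumentRoot and certificate paths are placeholders to adjust for your server:

```apache
# Added example, not from the thread: minimal Apache (mod_ssl) setup for
# www.sitename.com. Paths and the site name are assumptions; adjust to yours.
# cert.pem/key.pem come from a CA, or, for testing only, from a self-signed
# certificate generated with:
#   openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
#       -keyout key.pem -out cert.pem -subj "/CN=www.sitename.com"

# Both ports must be listened on (Listen 80 is usually already in the main config).
Listen 80
Listen 443

# Plain-HTTP vhost: serve nothing, just send every request to the HTTPS address.
# Redirect keeps the rest of the path, so /register.php lands on the HTTPS copy.
<VirtualHost *:80>
    ServerName www.sitename.com
    Redirect permanent / https://www.sitename.com/
</VirtualHost>

# HTTPS vhost: same DocumentRoot as the site had before, so register.php is
# the same file; only the transport changes.
<VirtualHost *:443>
    ServerName www.sitename.com
    DocumentRoot /var/www/sitename

    SSLEngine on
    SSLCertificateFile    /etc/ssl/sitename/cert.pem
    SSLCertificateKeyFile /etc/ssl/sitename/key.pem
    # Intermediate certificates supplied by the CA (not needed for self-signed):
    # SSLCertificateChainFile /etc/ssl/sitename/chain.pem

    # Refuse the protocol versions with known weaknesses.
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
```

The ServerName must match the name in the certificate, otherwise browsers warn exactly as they do for a self-signed certificate. The private key file should be readable only by root, since Apache reads it before dropping privileges. On Debian-style installs mod_ssl is enabled with `a2enmod ssl`.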
+3  A: 

Serving over the https protocol means you are serving encrypted data, that in theory cannot be sniffed because it is not transmitted in plain text. The connection is usually over port 443 and not the typical port 80 for HTTP traffic.

Also SSL provides for a certificate that authenticates you, the content server, with a third party, such as VeriSign or others.

For a professional site you can buy a certificate to install on your server, or in other cases it may be better to use a self-signed certificate, although those will typically display a nasty error in common browsers (which may not be an issue if you only have trusted/trusting users).

jjclarkson
+2  A: 

Others have given you good links to resources on exactly how HTTPS works. I'll address the two reasons why it is used:

1. Security

When using HTTPS, the traffic between your browser and the web server is encrypted. This prevents anyone who happens to have access to any of the many wires that your data will traverse as it crosses the Internet from looking at what you are sending the server, or what the server is sending you. This is why HTTPS is used for sending passwords and other login credentials. This is one reason why websites dealing with banking and other matters that require privacy use HTTPS. This is why you probably want to use HTTPS if you are reading your webmail from a public wi-fi connection.

2. Identity

When connecting via HTTPS, the web server provides to you a certificate. In addition to containing the public key needed to facilitate the encryption mentioned above, the certificate also attempts to prove the identity of the web server. This prevents anyone who happens to have access to any of the many wires that your data will traverse as it crosses the Internet from diverting your traffic to their server instead, and pretending to be the website you wanted to contact. All the encryption in the world doesn't help if you established that encrypted connection with a hacker.

To do this, certificates are "signed" by a Certificate Authority. Certificate Authorities aim to verify that the person they issue a certificate to is who they claim to be. That is, a CA will not issue a "bankofamerica.com" certificate to anyone other than Bank of America. Your browser comes with a pre-installed set of Certificate Authorities whose signatures it trusts. If the certificate the server gives you is not signed by one of these trusted CAs, the browser will warn you.

Note that failure of the identity step does not impede the security step. If an HTTPS server gives you a certificate that is not signed by a CA that your browser trusts, you can still establish an encrypted, secure connection with the server - you just can't be sure of who is actually running the server that you're talking to.

Tyler McHenry
+3  A: 

HTTPS involves many layers and they are all there to ensure that your HTTP communication over the wire is encrypted and secure. One of the mechanisms it uses to ensure that security is to prove to the client that the server is actually who he says he is and not someone who is pretending to be the server. This is achieved using server certificates that are issued by certificate authorities that most clients trust.

Thus, you would need a few things for your form to work over HTTPS securely:

  1. You need to configure your web server so that it responds to HTTPS requests in the first place. HTTPS requests are served on port 443 so that they don't get mixed up with normal HTTP requests.
  2. You need to obtain a server certificate from a certificate authority that matches the domain name of your HTTPS requests (in the example you give that would be "www.sitename.com").
  3. Finally, you need to make sure that the URL that your form posts the data it collected to is also an HTTPS URL, because, otherwise, you would have just secured the contents of the original form but not the data the user has submitted.

For your register.php page there won't be a difference between clients that come from HTTPS or HTTP; your handling will be the same. However, if you want to force users to use HTTPS then you need to first check whether the request is plain HTTP and, if it is, redirect the user to the same page with the HTTPS protocol. That way no one can inadvertently use the insecure address.

paracycle
+1 Good answer. As pointed out in another answer, you can obtain the certificate from a CA or generate a self-signed one yourself.
bmb
Thank you. That is exactly why I qualified my response when I said "to work over HTTPS **securely**". If the certificate is self-signed, you have encryption but you don't really have security since you can't be sure of who you are communicating with. Anyone can create and sign a certificate the same as yours and present it to the client. Still, self-signed certificates are OK for testing.
paracycle
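The "check for plain HTTP and redirect" step from this answer, as an added example for the top of register.php; it is not code from the thread. It assumes PHP 7.1 or later and that mod_ssl populates `$_SERVER['HTTPS']` on the port-443 vhost; `www.sitename.com` is the assumed canonical host name:

```php
<?php
// Added example, not from the thread: force HTTPS before register.php does anything else.
// Assumes mod_ssl sets $_SERVER['HTTPS'] on the :443 vhost and that the site's only
// legitimate host name is www.sitename.com (assumption; adjust to your site).

function is_https_request(array $server): bool
{
    // mod_ssl sets HTTPS to "on"; other SAPIs use "1"; IIS sets "off" for plain HTTP.
    $https = $server['HTTPS'] ?? '';
    return $https !== '' && strtolower($https) !== 'off';
}

function https_redirect_target(array $server): ?string
{
    if (is_https_request($server)) {
        return null; // already on HTTPS, nothing to do
    }

    // Only ever redirect to our own host: the Host header is client-supplied, and
    // echoing an arbitrary value would turn this check into an open redirect.
    $allowedHosts = ['www.sitename.com'];
    $host = $server['HTTP_HOST'] ?? '';
    if (!in_array($host, $allowedHosts, true)) {
        $host = $allowedHosts[0];
    }

    // Keep path and query string so the user lands on the same page.
    $uri = $server['REQUEST_URI'] ?? '/';
    return 'https://' . $host . $uri;
}

$target = https_redirect_target($_SERVER);
if ($target !== null) {
    header('Location: ' . $target, true, 301);
    exit;
}

// From here on the request is known to be HTTPS. A relative form action such as
// action="register.php" inherits the page's scheme, so the POST stays on HTTPS too;
// an absolute action must spell out https:// explicitly.
```

Two caveats a practitioner will hit: a POST that arrives over plain HTTP is redirected as a GET, so the submitted data is lost (and was already exposed on the wire), which is why the form itself must be served over HTTPS rather than relying on the redirect; and if Apache sits behind a TLS-terminating proxy, `$_SERVER['HTTPS']` is not set and the check has to look at whatever header the proxy sets instead.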