views: 65
answers: 6
What makes https more secure than http?

+3  A: 

I'm quoting:

Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encryption and secure identification of the server.

More information on TLS:

The TLS protocol allows client/server applications to communicate across a network in a way designed to prevent eavesdropping and tampering. TLS provides endpoint authentication and communications confidentiality over the Internet using cryptography. TLS provides RSA security with 1024 and 2048 bit strengths.

Kyle Rozendo
+4  A: 

That it is encrypted. Read: en.wikipedia.org/wiki/HTTP_Secure

Anything not over HTTPS can be read by anyone snooping on your network.

Coronatus
+5  A: 

The short answer is that https communication between your browser and the server is encrypted, while http traffic is sent in plain text. This means that anyone who can listen to the traffic can read it (this would include usernames and passwords). It also verifies the server to which you are connecting.

Steve Robillard
Could you please tell me how this verification is done?
abson
@abson - There are "directories" of which HTTPS certificates = which websites. The directories are run by trusted companies like Verisign.
Coronatus
+2  A: 

Also, HTTPS verifies that the site is who it claims to be, if the certificates are correct (signed by a known CA).

Carles
and can optionally authenticate the client as well.
Thilo
+1  A: 
  1. All traffic is encrypted. No one on your network can see what is going on (except for knowing where those packets are going to).
  2. The identity of the remote server can be verified using certificates. So you also know that it really is your bank that you are talking to.
  3. Optionally (and not in widespread use), the identity of the client can also be verified using certificates. This would allow for secure login to a site using chip cards instead of (or in addition to) passwords.
Thilo
A: 

I want to be really pedantic, as I'm a security nerd :)

HTTPS uses SSL, and its IETF-ratified cousin, TLS. SSL/TLS can offer four security services:

1) server authentication
2) channel encryption
3) channel tamper detection
4) client authentication

Usually you'll get server auth for free, but only if the host name and the common name in the server's SSL/TLS certificate match. If they don't match, your browser will warn you. You usually get the channel defenses for free too, but that's only because the server and client negotiate to require such defenses. In theory, but rarely in practice, a server and client could agree to not use one or more of the channel defenses.

Finally, client authentication is when the server wants you to present a certificate (actually, to prove you have an associated private key) to verify you are you. Client authentication is rarely used.

Michael Howard-MSFT
Also, your browser might complain if one or more of the following conditions exist:
1) The server cert does not chain to a trusted root certificate
2) Today's date does not fall within the server cert's valid date range
3) The cert usage is incorrect (usually server authentication, rather than say, S/MIME usage)
Michael Howard-MSFT
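The server-authentication checks described in Thilo's and Michael Howard's answers (the host name must match the certificate, the certificate must chain to a trusted root, today's date must fall inside its validity range, and its usage must be server authentication) can be exercised directly with Go's standard `crypto/x509` package. The program below is an added example, not code from the original thread or from any of its authors. It constructs two in-memory root CAs and several server certificates purely for the demonstration (the CA names and host names such as `www.example.test` are placeholders), puts only one root in the client's trust store, and asks `Verify` how a client would treat each connection:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// sign generates a fresh P-256 key for tmpl and has parent sign the certificate with parentKey.
// parentKey == nil produces a self-signed certificate, which is how the demo roots are made.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parentKey == nil { // self-signed: the root signs itself
		parentKey = key
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // constructed serial; real CAs use large random values
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic(fmt.Sprint(err, perr))
	}
	return cert, key
}

// newRoot builds a constructed, in-memory root CA for the demo; it is not a real trust anchor.
func newRoot(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign,
	}
	return sign(tmpl, tmpl, nil)
}

// newLeaf has a CA issue a server certificate for host with the given validity window and extended key usage.
func newLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, nb, na time.Time, eku x509.ExtKeyUsage) *x509.Certificate {
	cert, _ := sign(&x509.Certificate{
		Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}, // DNSNames is what a client matches against the URL's host
		NotBefore: nb, NotAfter: na, ExtKeyUsage: []x509.ExtKeyUsage{eku},
	}, ca, caKey)
	return cert
}

// verdict runs the client-side checks (chain to a trusted root, validity window,
// server-authentication usage, host name match) and names the first one that fails.
func verdict(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	hn, ua, ci := x509.HostnameError{}, x509.UnknownAuthorityError{}, x509.CertificateInvalidError{}
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &hn):
		return "host name does not match certificate"
	case errors.As(err, &ua):
		return "does not chain to a trusted root"
	case errors.As(err, &ci) && ci.Reason == x509.Expired:
		return "outside validity period"
	case errors.As(err, &ci) && ci.Reason == x509.IncompatibleUsage:
		return "not valid for server authentication"
	}
	return "other: " + err.Error()
}

// runScenarios builds a trusted root, an unrelated root and four server certificates,
// then reports how a client whose trust store holds only the first root treats each connection.
func runScenarios() map[string]string {
	now, host := time.Now(), "www.example.test" // placeholder host name
	root, rootKey := newRoot("Demo Trusted Root", now)
	other, otherKey := newRoot("Demo Unrelated Root", now)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	serverAuth, smime := x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageEmailProtection
	good := newLeaf(root, rootKey, host, now.Add(-time.Hour), now.Add(time.Hour), serverAuth)
	return map[string]string{
		"valid":          verdict(good, roots, host, now),
		"wrong host":     verdict(good, roots, "other.example.test", now),
		"expired":        verdict(newLeaf(root, rootKey, host, now.Add(-48*time.Hour), now.Add(-24*time.Hour), serverAuth), roots, host, now),
		"wrong usage":    verdict(newLeaf(root, rootKey, host, now.Add(-time.Hour), now.Add(time.Hour), smime), roots, host, now), // S/MIME cert
		"untrusted root": verdict(newLeaf(other, otherKey, host, now.Add(-time.Hour), now.Add(time.Hour), serverAuth), roots, host, now),
	}
}

func main() {
	for name, v := range runScenarios() {
		fmt.Printf("%-15s %s\n", name, v)
	}
}
```

`go run` prints one verdict per scenario; only the first certificate passes. `Verify` also checks the signature on every link of the chain, which is what "chains to a trusted root" means in practice. It does not consult revocation information, so a real client layers further checks on top of the four shown here.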