In 1994 the software company Netscape developed an encrypted transfer protocol to increase data security on the Internet: HTTPS (Hypertext Transfer Protocol Secure). HTTP (Hypertext Transfer Protocol) has always been the standard communication protocol on the Internet with which a website is transferred from a web server to the website visitor’s browser. Conversely, however, the user can also transmit data to the web server via HTTP: for example payment data. Because this information is transmitted in clear text via HTTP, data thieves can see it without too much effort. With HTTPS, the data is encrypted and therefore protected.
- HTTPS is not an independent communication protocol, but an HTTP with an additional encryption protocol for higher data security.
- The standard encryption protocol for HTTPS is TLS (Transport Layer Security), which has now almost completely replaced its predecessor SSL (Secure Sockets Layer).
- In addition to data encryption, HTTPS also enables the visitor to confirm the identity of the website operator, depending on the security certificate used. This is an essential security feature in online banking and online shopping.
HTTPS encryption and authentication
According to abbreviationfinder, HTTPS is the encrypted version of the Internet standard protocol HTTP. The encryption protocol (now usually TLS instead of SSL) protects communication between the web server and browser against data theft. In addition, HTTPS can also confirm the identity of the website operator with the underlying security certificate. The website thereby proves to the visitor that it really is the site he meant to visit, much like a person proves who they are with an identity card. Today’s web browsers such as Mozilla Firefox, Google Chrome, Apple Safari or Microsoft Edge check the certificate automatically; the user does not have to confirm anything. However, he can view the information on the certificate at any time by clicking on the HTTPS info button.
This is how the browser identifies an HTTPS connection
The browser indicates an existing HTTPS connection with a small green padlock on the left in the address bar. The address of the accessed website (URL) also always begins with “https://” instead of “http://”.
More secure online with HTTPS
More and more people are doing transfers via online banking and shopping in web shops almost every day. Due to increasing data theft, website operators need to protect their customers’ data from attacks in the best possible way in order to remain trustworthy. This not only applies to data storage, but also to data transmission. Therefore, encrypted data communication via HTTPS is no longer only important for online banks, but also for web shops and social networks. Google apparently sees it the same way and includes HTTPS encryption as a positive criterion in the ranking of a website. Not least because of this, HTTPS is already standard on many larger websites.
The HTTPS encryption protocols SSL and TLS
HTTPS is often referred to as “HTTP with SSL”. In most cases, however, what is meant is not encryption with SSL, but rather with TLS. TLS (Transport Layer Security) is the further development of the encryption protocol SSL (Secure Sockets Layer), which is now rarely used because of known security weaknesses. In addition to HTTPS, the more secure, more modern TLS encryption is also used in e-mail communication or when transferring files via FTP (File Transfer Protocol).
The SSL certificate as a prerequisite for an HTTPS connection
An HTTPS connection between web server and browser can only be established if a signed SSL certificate is stored on the server. This “ID” of a website contains essential information such as details of the certificate owner and the website’s public key. A website operator can create and sign such an SSL certificate himself. But only recognized certification authorities can really independently check and confirm the trustworthiness and authenticity of a website. This is why the most popular browsers, such as Mozilla’s Firefox, display a warning message when establishing an HTTPS connection with a certificate the operator created and signed himself. The same applies to expired or otherwise insecure certificates.
SSL certificates come in three levels of validation
The official issuing bodies offer certificates in three validation levels. The higher the validation level, the greater the proven trustworthiness (and of course the price for the certificate).
SSL certificate with domain validation (DV)
The certificate with domain validation (DV) is the simplest, fastest and cheapest form of certification. With this certificate, the certification authority only checks whether the applicant is allowed to use the domain. It does not check any further information on the applicant. During the HTTPS connection, none of this information is displayed in the relevant information window of the browser. The DV is therefore not suitable for the trust-creating authentication of the website operator.
SSL certificate with validation of the organization (OV)
With this certificate, in addition to the domain authorization, the certification authority also records information about the applicant’s company or organization. This information can later be viewed in the HTTPS information window of the browser. This significantly increases the trustworthiness of a website compared to simple certification with domain validation (DV).
SSL certificate with Extended Validation (EV)
Extended Validation is the highest level of security. It is more time-consuming and expensive than the other certifications. Companies such as online banks that handle sensitive customer data present their website with an EV as particularly trustworthy. The certification authority checks the domain authorization and also collects comprehensive information on the company or organization. There is a fixed catalog of guidelines for this, for which a voluntary association of certification bodies and browser manufacturers is responsible. Certification authorities have to undergo regular audits in order to be allowed to issue SSL certificates with Extended Validation (EV).
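As an added illustration of the checks described above (example code, not part of the original article): the two certificates below are constructed samples in the layout Python’s ssl module returns from getpeercert(), and the functions flag the self-signed and expired cases from the section on the SSL certificate, check that the certificate names the visited host, and tell a DV subject (domain only) from an OV subject (organization named). The hostnames and organization names are invented for the example.

```python
import ssl
import time
# Constructed samples in the layout returned by ssl.SSLSocket.getpeercert(): one the
# operator signed himself (subject == issuer), naming only the domain and already
# expired, and one a certification authority signed that also names the organization.
SELF_SIGNED_DV = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("commonName", "shop.example"),),),
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2021 GMT",
}
CA_SIGNED_OV = {
    "subject": ((("organizationName", "Example Bank AG"),), (("commonName", "bank.example"),)),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA OV"),)),
    "subjectAltName": (("DNS", "bank.example"),),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2099 GMT",
}

def _fields(name):
    return {key: value for rdn in name for key, value in rdn}  # flatten nested RDN tuples

def hostname_matches(cert, hostname):
    """True if a SAN DNS entry matches exactly or via a single-label wildcard."""
    host = hostname.lower()
    for kind, pattern in cert.get("subjectAltName", ()):
        pattern = pattern.lower()
        if kind == "DNS" and pattern == host:
            return True
        if kind == "DNS" and pattern.startswith("*.") and host.endswith(pattern[1:]):
            if "." not in host[: -len(pattern[1:])]:  # wildcard covers one label only
                return True
    return False

def validation_level(cert):
    """DV names only the domain; OV/EV also name the organization (EV is not told apart here)."""
    return "OV" if "organizationName" in _fields(cert["subject"]) else "DV"

def browser_warnings(cert, hostname, now=None):
    """Warnings a browser would show; subject == issuer stands in for the real chain check."""
    now = time.time() if now is None else now
    problems = []
    if _fields(cert["subject"]) == _fields(cert["issuer"]):
        problems.append("self-signed")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if not hostname_matches(cert, hostname):
        problems.append("hostname mismatch")
    return problems
```

A real browser additionally verifies the certificate’s signature chain against its built-in list of recognized certification authorities, which the name comparison here only approximates.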
Two are better than one: HTTPS and careful surfing behavior
In 2014, the serious program error “Heartbleed Bug” in older versions of the TLS/SSL library OpenSSL made it clear that encryption via HTTPS can also be vulnerable. This security gap was closed in a subsequent version. But with the sharp rise in “phishing”, data security is threatened in a way that HTTPS alone cannot counter; it cannot be the sole security measure on the web.
“Phishing” describes the attempt by fraudsters to obtain access data in order to place orders under a false identity or to empty bank accounts. For this purpose, data thieves, for example, reproduce the websites of well-known online shops or banks in a deceptively realistic manner. Then they lure users – mostly by email – to these fake websites so that they can leave their access and payment data there.
These “phishing” websites either do not provide an HTTPS connection or one with a suspicious certificate. In the second case, the browser will usually display a warning message, but this should not be completely relied on. Internet users can protect themselves by paying attention to the HTTPS symbol in the browser bar and checking the identity of the website operator, especially when doing online banking and online shopping. All you need to do is click on the green HTTPS lock symbol. Banks also warn against reacting to fake e-mails and carelessly clicking on the links contained therein.