A quick primer on HTTP (Hypertext Transfer Protocol), HTTPS (Secure HTTP) and how Domain Certificates (Certs) are used by Web Servers
HTTP is used by Web Servers to serve pages to your browser. By default, HTTP is not encrypted and is therefore not secure. HTTPS uses the Certificate associated with the Website Domain to create an encrypted, and therefore secure, connection.
How the Browser displays a Webpage
In order to view a webpage, several steps need to happen first:
- Based on the URL you type in (e.g., https://nickisonpar.com), the browser needs to figure out where the Web Server which serves the page is located.
  - This is done via a Domain Name System (DNS) lookup.
  - DNS provides the Internet Protocol (IP) address for the Web Server. Think of the IP as the phone number for the Web Server, which is necessary to establish the connection.
- The browser then initiates a connection using the IP of the Web Server. The connection can either be HTTP or HTTPS depending on the URL you specified or the configuration of the Web Server.
  - A secure connection requires a Domain Certificate from the Web Server. See “HTTPS Connection” below for more details.
- Once the connection is established, the Web Server provides the page data to the browser.
- The browser displays the page.
HTTP Connection
An HTTP connection is not encrypted and therefore not secure: anyone who can “sniff” the network can see the data. Personal information, sensitive data, etc., should not be transmitted over an HTTP connection.
There are limited advantages to HTTP. Since it doesn’t require encryption, it is easier for less powerful computers, or browsers with slower connection speed, to download the Web page.
Generally speaking, modern computers with reasonable connection speeds should not need to use HTTP. It is always better to use HTTPS whenever possible.
Domain Certificates
Domain Certificates (Certs) use Public and Private ciphers (keys) to encrypt the data. The Private key is secured on the Web Server and is used to decrypt the data. The Public key is available to anyone.
Data encrypted with the Public key can only be decrypted with the Private key. Therefore, browsers encrypt data with the Public key before sending it to the Web Server. Since the Web Server has the Private key, it can decrypt the data. Anyone who “sniffs” the connection will not be able to decrypt the data, since they will not have the Private key.
Finally, Certs are issued for a specific Domain. In order to get a Cert, you need to prove you are the owner of the Domain. Certs are issued by a set of trusted Cert providers.
HTTPS Connection
HTTPS connections are encrypted using the Domain Cert and are therefore considered secure. To establish a secure connection, there are a few additional steps:
- When the browser connects to the Web Server, it downloads the Public Certificate. It verifies the Certificate matches the Web Domain for the URL.
  - As an example, it verifies the Certificate for this web page is associated with https://nickisonpar.com
  - If the Certificate and the URL don’t match, the browser will flag a Warning and prompt you for next steps.
- Assuming the Certificate is valid, the browser and the Web Server will then negotiate an encryption key (or cipher) for this connection.
  - This encryption key is unique to this particular connection.
- From this point forward, all traffic to and from the browser and the Web Server is encrypted using this unique key.
HTTPS should be the de facto standard for all Web traffic. This includes any traffic to (and from) any Cloud Provider.
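The "Certificate matches the Web Domain" step above can be sketched in Python as follows. This is an added example, not code from this page or from any browser; it covers only the name check (not the trusted-issuer or expiry checks) and goes slightly beyond the text by handling wildcard names. `SAMPLE_CERT`, `name_matches` and `cert_matches_url` are hypothetical names, and the certificate data is constructed.

```python
from urllib.parse import urlsplit

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# the names are placeholders, not taken from any real certificate.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}


def name_matches(pattern: str, hostname: str) -> bool:
    """Compare one DNS name from the certificate with the URL's hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard stands for exactly one label
    if p_labels[0] == "*":
        # Only a whole left-most label may be a wildcard, and not directly
        # above a top-level domain (so "*.com" is never accepted).
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return "*" not in pattern and p_labels == h_labels


def cert_matches_url(cert: dict, url: str):
    """Return the certificate name that covers the URL's host, or None."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None  # no certificate is checked for plain HTTP
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and name_matches(value, parts.hostname):
            return value
    return None  # mismatch: this is where the browser shows its warning


if __name__ == "__main__":
    for url in ("https://example.com/", "https://www.example.com/login",
                "https://a.b.example.com/", "https://example.com.other.test/"):
        print(url, "->", cert_matches_url(SAMPLE_CERT, url) or "WARNING: mismatch")
```

In real Python clients the same check is performed automatically by `ssl.create_default_context()`, which enables hostname checking by default.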
Summary
As consumers of the Web, it is important to understand the building blocks of Internet (and Cloud) Security. Each individual component (Web Server, Certificates, Browser) plays a critical role in securing Internet traffic.
Understanding these key technologies behind the Web will make you a better consumer and help you secure your personal data.

