Find out everything about HTTPS and why this is important.
HTTPS, TLS and Certificate
The security of your website rests on three measures: forcing traffic onto an encrypted connection (HTTPS); using up-to-date methods of encryption (TLS); and proving to visitors that your website is indeed authentic (certificate).
What is HTTPS?
To access information on, and send data to, a website, the browser on your computer connects to a computer (the web server) located somewhere on the internet. The browser sends the server a request for a specific webpage. The server then answers the browser, usually with the content of a webpage for the browser to display.
This method of communication between the browser and the server is made possible by an internet language (a protocol) called the Hypertext Transfer Protocol (HTTP). HTTP sets up and terminates the connection.
The original HTTP is not secure because your information is being transported as plain text. Anyone who intercepts that information can read it. Generally, that might not worry you. But, what if the information is your credit card number or personal health details?
That’s why HTTPS, the encrypted and secure version of HTTP, was introduced. It means all communications between your browser and the website are encrypted.
What is TLS?
The next step in securing communications with your website is to make sure your website uses an up-to-date version of encryption. Transport Layer Security (TLS) is the protocol that provides this encryption, and it is the current dominant security protocol.
TLS does three things:
- it hides data in transfer from access by unauthorised prying eyes (encryption)
- it ensures that parties exchanging information are who they claim to be (authenticity)
- it verifies that data is not forged or tampered with (integrity).
TLS versions, and the encryption methods they allow, evolve over time as vulnerabilities are discovered and subsequently remedied. The latest and most up-to-date version of TLS is version 1.3.
A detailed description of TLS provided by Cloudflare can be found here.
What are TLS certificates?
Finally, SSL certificates (today more accurately called TLS certificates) are required for websites to move from HTTP to HTTPS. An SSL certificate is a data file hosted on a website's origin server that makes TLS encryption possible.
The certificate contains the website's public key and the website's identity, along with related information. Devices attempting to communicate with the origin server will reference this file to obtain the public key and verify the server's identity.
SSL certificates include the following information:
- The domain name that the certificate was issued for
- Which person, organization, or device it was issued to
- Which certificate authority issued it
- The certificate authority's digital signature
- Associated subdomains
- Issue date of the certificate
- Expiration date of the certificate
- The public key (the private key is kept secret)
A detailed description of the TLS certificate provided by Cloudflare can be found here.
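To show how the fields listed above are used, here is an added example (not part of the original page) in Go. It constructs a self-signed certificate with sample names, then runs the three checks a browser makes before trusting a site: the issuer chains to a trusted root, the current time falls inside the validity dates, and the certificate covers the requested domain or subdomain. All names and dates are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueSelfSigned builds a self-signed certificate carrying the listed fields: subject
// identity, issuer, alternative names, validity dates and the public key (sample values).
func issueSelfSigned(names []string, notBefore time.Time, validFor time.Duration) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: names[0], Organization: []string{"Example Org"}},
		DNSNames:     names, // the domain plus its associated subdomains
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validFor),
	}
	// The template doubles as parent, so the certificate signs itself (issuer == subject).
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkCert applies the browser's checks: the issuer must chain to a root in `roots`,
// `now` must fall inside the validity window, and the certificate must cover `host`.
func checkCert(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

func main() {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	cert, err := issueSelfSigned([]string{"example.com", "www.example.com"}, start, 90*24*time.Hour)
	if err != nil { panic(err) }
	roots := x509.NewCertPool()
	roots.AddCert(cert) // trust the constructed certificate as if it were a CA root
	fmt.Println("issuer:", cert.Issuer.CommonName, "SANs:", cert.DNSNames, "expires:", cert.NotAfter)
	fmt.Println("valid name:", checkCert(cert, roots, "www.example.com", start.Add(24*time.Hour)))
	fmt.Println("wrong name:", checkCert(cert, roots, "example.org", start.Add(24*time.Hour)))
	fmt.Println("expired:", checkCert(cert, roots, "example.com", start.Add(400*24*time.Hour)))
}
```

Passing an empty pool as `roots` reproduces the "unknown authority" failure a browser reports for a certificate whose issuing CA it does not trust.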
Technical specifications
Guidance from the Australian government on the use of HTTPS, TLS and TLS certificates can be found here.
- RFC 2818: HTTP Over TLS
- RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3
- RFC 5246: The Transport Layer Security (TLS) Protocol, Version 1.2
- RFC 6797: HTTP Strict Transport Security (HSTS)
- RFC 6698: The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA