HTTPS (HTTP over SSL) refers to the combination of HTTP and SSL to implement secure communication between a Web browser and a Web server.
The HTTPS capability is built into all modern Web browsers. Its use depends on the Web server supporting HTTPS communication.
For example, search engines do not support HTTPS.
The principal difference seen by a user of a Web browser is that URL (uniform resource locator) addresses begin with https:// rather than http://.
A normal HTTP connection uses port 80. If HTTPS is specified, port 443 is used, which invokes SSL.
When HTTPS is used, the following elements of the communication are encrypted:
- URL of the requested document
- Contents of the document
- Contents of browser forms (filled in by browser user)
- Cookies sent from browser to server and from server to browser
- Contents of HTTP header
- There is no fundamental change in using HTTP over either SSL or TLS, and both implementations are referred to as HTTPS.
- The client initiates a connection to the server on the appropriate port and then sends the TLS ClientHello to begin the TLS handshake.
- When the TLS handshake has finished, the client may then initiate the first HTTP request.
- All HTTP data is to be sent as TLS application data.
- Normal HTTP behavior, including retained connections, should be followed.
- We need to be clear that there are three levels of awareness of a connection in HTTPS:
  - At the HTTP level
  - At the level of TLS
  - At the level of TCP
- An HTTP client or server can indicate the closing of a connection by including the following line in an HTTP record: Connection: close.
- This indicates that the connection will be closed after this record is delivered.
- At the TLS level, the proper way to close a connection is for each side to use the TLS alert protocol to send a close_notify alert.
- TLS implementations must initiate an exchange of closure alerts before closing a connection.
- A TLS implementation may, after sending a closure alert, close the connection without waiting for the peer to send its closure alert, generating an “incomplete close”.
- Note that an implementation that does this may choose to reuse the session.
- This should only be done when the application knows (typically through detecting HTTP message boundaries) that it has received all the message data that it cares about.
- HTTP clients also must be able to cope with a situation in which the underlying TCP connection is terminated without a prior close_notify alert and without a Connection: close indication.
- Such a situation could be due to a programming error on the server or a communication error that causes the TCP connection to drop.
- However, the unannounced TCP closure could be evidence of some sort of attack.
- So the HTTPS client should issue some sort of security warning when this occurs.
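The closure cases above, as an added example that is not part of the original notes: a client-side check that combines what was seen at the TLS level (close_notify or not) with the HTTP message boundary (assumed here to be Content-Length framing; chunked encoding is left out) to decide whether the end of the connection was clean, a server error, or something that deserves a security warning.

```python
"""Added example (not from the notes): decide how an HTTPS response ended by
combining the levels the notes list, HTTP (the message boundary), TLS (was a
close_notify alert seen?) and TCP (the connection reached EOF)."""

def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (headers, declared length, body).
    Only Content-Length framing is handled; chunked encoding is an assumption
    left out of this example."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:                       # header block never completed
        return {}, None, b""
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    length = headers.get("content-length")
    return headers, (int(length) if length is not None else None), body

def message_complete(raw: bytes) -> bool:
    """HTTP-level boundary check: a side may only close without waiting for
    the peer's close_notify once this is True for the data it cares about."""
    _, length, body = parse_response(raw)
    # Without Content-Length the end is delimited by the close itself, so the
    # boundary cannot be confirmed and the message is treated as incomplete.
    return length is not None and len(body) >= length

def classify_close(raw: bytes, close_notify_seen: bool) -> str:
    """Map what the client observed at TLS and HTTP level to an outcome."""
    complete = message_complete(raw)
    if close_notify_seen and complete:
        return "clean close"
    if close_notify_seen:
        return "close_notify before message boundary: treat response as truncated"
    if complete:
        return "unannounced TCP close, message complete: issue security warning"
    return "unannounced TCP close before message boundary: issue security warning, possible attack"

# Constructed sample responses (not real traffic), CRLF line endings as on the wire.
FULL = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\nConnection: close\r\n\r\nhello"
CUT = FULL[:-2]      # TCP connection dropped two body bytes early

if __name__ == "__main__":
    for raw in (FULL, CUT):
        for seen in (True, False):
            print(len(raw), "bytes, close_notify:", seen, "->", classify_close(raw, seen))
```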