Why do we need HTTPS?
The easiest way to load a website is via HTTP (without 's'). Using HTTP, the website data is sent from a server to a browser to display it there. The problem with HTTP, however, is that everything is transmitted unencrypted. For example, an attacker can easily intercept passwords by standing between a user and a server and intercepting the data.
In addition, the user has no way of knowing whether or not the website really belongs to its specified supplier. Therefore, attackers have the ability to modify web pages by impersonating them and sending a copy of the website with malicious code to the victim in order to obtain sensitive data.
To close such security gaps, Netscape installed HTTPS in its browser for the first time in 1994. HTTPS works in principle identical to HTTP. Only the transport of the information transmitted via HTTP takes place via an encrypted channel, the TLS protocol. This means that third parties can no longer read along. Furthermore, each server must first authenticate itself so that the user can be sure that what he sees actually comes from the desired provider.
As soon as a user accesses a HTTPS website, a TLS handshake is triggered. The browser and the server agree on an encryption and exchange their identities. The server also sends a digital certificate with which the browser can verify that the content actually originates from the specified domain. This certificate, in turn, is only issued by authorities in order to avoid fake or self-signed certificates. This increases the credibility of a certificate enormously. As soon as the handshake has taken place, the website is exchanged via the secure and encrypted channel using the normal HTTP protocol. During the exchange it is always guaranteed that the user is connected to the requested page. An attempt by a third party to manipulate the transmitted data is immediately noticeable.
What do I need to offer HTTPS on my site?
To offer HTTPS, you need a SSL certificate or a certificate the server uses to verify itself. This certificate can be bought from various providers, such as GlobalSign or DigiCert. However, there are also organisations that issue certificates for free, such as Let's Encrypt.
As soon as you have received a certificate and made a small configuration on the server, you support HTTPS. It is also advisable to activate HSTS (HTTP Strict Transport Security). This forces the browser to use HTTPS, which protects the user from downgrade attacks or session hijacking attacks. We will talk more about such attacks in a later blog entry.