Key Points of HTTPS?

I know every one of you knows that HTTPS is used to secure web communication: it defends against man-in-the-middle attacks and eavesdropping by a sniffer, and it provides authenticity, privacy, and integrity for the data exchanged on the internet. I will not explain how it works, as the protocol is 25 years old; instead I will give you a glimpse of some lesser-known internals. Read every point carefully, as they may also clear up some minor confusion about HTTP, HTTPS, SSL, TLS, etc.

Keep the following points for reference when you are talking about HTTPS:

1. "HTTP over TLS" and "HTTP over SSL" are the same thing.

2. HTTPS was created in 1994 by Netscape Communications for the Netscape Navigator browser.

3. HTTPS encapsulates HTTP traffic in TLS to encrypt the data while still carrying the original HTTP content.

4. TLS and SSL are cryptographic protocols designed to provide communication security over computer networks.

5. The TLS protocol can be used to encrypt traffic for web servers, email, instant messaging, VoIP, etc.

6. SSL 1.0, 2.0 and 3.0 have been deprecated and replaced by TLS 1.3.

7. Year of release: TLS 1.0 (1999), TLS 1.1 (2006), TLS 1.2 (2008), TLS 1.3 (2018).

8. TLS operates below HTTP and has no knowledge of the higher-level HTTP protocol.

9. A TLS server could strictly present only one certificate per host/port; in the past this was a blocker for virtual hosting on web servers, and SNI provided the solution.

10. SNI (Server Name Indication) is the solution to the above problem: the client browser sends the hostname before handing the connection over to TLS.

11. Three major purposes of HTTPS: authentication of the accessed site, privacy, and integrity of the exchanged data.

12. Protects against: man-in-the-middle (MitM) attacks, eavesdropping and tampering.

13. Using HTTPS we get bidirectional encryption between client and server.

14. HTTPS makes sure the correct cipher suite is used during client-server communication.

15. HTTPS helps you work securely on public Wi-Fi where someone may be sniffing the network.

16. The latest HTTP/2 replaced the internally used SPDY protocol with HSTS.

17. HSTS (HTTP Strict Transport Security) helps protect websites against protocol downgrade attacks, where you see HTTPS but the connection is actually HTTP.

18. The latest HTTP/2 protocol reduces page load time, size and latency, and can easily be enabled on web servers such as Nginx using a single http2 flag on the listen directive in "nginx.conf".

19. TLS uses long-term public and private certificates to generate short-term session keys, which are then used to encrypt the data.

20. X.509 certificates are used to authenticate the server as well as the client.

21. Major CA (Certificate Authority) certificates are pre-configured in your browser or operating system to validate the certificates presented during HTTPS communication.

HTTPS works in two modes, simple and mutual: most web traffic uses simple mode, and mutual mode is chosen when client authentication is required.

22. Only the domain name/IP address and port number are not encrypted, as they are required at the network level to forward traffic.

23. The unencrypted nature of DNS names/IP addresses in HTTPS lets government agencies block URLs, etc., even when you are using HTTPS URLs.

24. The request/response contents and headers are encrypted by TLS.
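As an added example (not part of the original post), the following Python builds a minimal TLS ClientHello and parses the SNI hostname back out of it, showing concretely what points 10, 22 and 23 mean: the hostname travels in the clear before any encryption starts, so a network device can read it, which is why host-based blocking and SNI-based monitoring work while the HTTP headers and body (point 24) stay hidden. The byte layout follows RFC 5246 (ClientHello) and RFC 6066 (server_name extension); the ClientHello, hostname and cipher suite are constructed inline, not captured traffic.

```python
import struct
from typing import Optional

# Constants from the TLS record/handshake layer (RFC 5246) and the SNI extension (RFC 6066).
TLS_RECORD_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000

def build_client_hello(hostname: Optional[str]) -> bytes:
    """Return a constructed TLS record holding a ClientHello, with an SNI extension if hostname is given."""
    name = hostname.encode("idna") if hostname else b""
    extensions = b""
    if hostname:
        entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
        server_name_list = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + b"\x11" * 32                                # random (fixed sample value, constructed)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"          # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
        + b"\x01\x00"                                 # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_RECORD_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes) -> Optional[str]:
    """Walk the unencrypted ClientHello and return the SNI host_name, or None if absent."""
    if len(record) < 5 or record[0] != TLS_RECORD_HANDSHAKE:
        return None                                   # not a handshake record (e.g. application data)
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != HANDSHAKE_CLIENT_HELLO:
        return None
    p = 4 + 2 + 32                                    # skip handshake header, version, random
    p += 1 + hs[p]                                    # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]      # cipher_suites
    p += 1 + hs[p]                                    # compression_methods
    if p + 2 > len(hs):
        return None                                   # no extensions block at all
    ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:                           # iterate type/length/data triplets
        ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
        data, p = hs[p + 4:p + 4 + ext_len], p + 4 + ext_len
        if ext_type == EXT_SERVER_NAME and len(data) >= 5 and data[2] == 0:
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("idna")
    return None
```

Searching the raw record bytes for the hostname string succeeds too, which is exactly the visibility a sniffer on public Wi-Fi (point 15) has before the session keys are established.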

25. Domain fronting is another important concept; Google and Amazon disabled it after pressure from the Russian government over the Telegram domain fronting case.

26. Domain fronting is a technique that circumvents internet censorship by obfuscating the domain of an HTTPS connection (proxy servers were used to access blocked sites, and now this can be blocked*).

27. Careful configuration of TLS can provide "forward secrecy", which ensures that a future disclosure of encryption keys cannot be used to decrypt data recorded in the past.

28. TLS uses symmetric cryptography to encrypt data, and the keys used for encryption are generated uniquely for each connection.

There are many further points you can read on Wikipedia, as all of the key points above are summarized from it, and you can go deeper if you would like to understand more. Unless you work only in the web security domain, you can skip the deep understanding for now; for normal day-to-day use, the key points above will give you plenty of information when talking about web traffic security using HTTPS and TLS.
