8 min to read
Understanding HTTP and HTTPS Protocols
A comprehensive guide to HTTP, HTTPS, and SSL/TLS implementation
Overview
HTTP (Hypertext Transfer Protocol) and HTTPS (Hypertext Transfer Protocol Secure) are protocols for transmitting data over the internet. Let’s explore their differences and implementation.
HTTP (Hypertext Transfer Protocol)
Concept
- Protocol defining data transfer between web browsers and servers
- Supports HTML, images, video, audio, and other content types
- Transmitted as unencrypted text (security vulnerable)
- Default port: 80
- URI format: http://example.com
Working Process
- Client sends HTTP request message:
- Contains HTTP method (GET, POST, PUT, DELETE)
- Includes request URI
- Server processes request and sends response:
- Contains status code (200, 404, 500)
- Includes response body
- Client interprets response:
- Processes received data
- Makes additional requests if needed
HTTP Methods
| Method | Description | Idempotent | Safe |
|---|---|---|---|
| GET | Request data from a resource | Yes | Yes |
| POST | Submit data to be processed | No | No |
| PUT | Update a resource or create if it doesn't exist | Yes | No |
| DELETE | Remove a resource | Yes | No |
| PATCH | Apply partial modifications to a resource | No | No |
| HEAD | Same as GET but returns only headers | Yes | Yes |
| OPTIONS | Returns supported methods for a resource | Yes | Yes |
HTTP Status Codes
| Category | Example | Description |
|---|---|---|
| 1xx (Informational) | 100 Continue | Request received, continuing process |
| 2xx (Success) | 200 OK | Request succeeded, normal response returned |
| 3xx (Redirection) | 301 Moved Permanently | Resource has moved permanently |
| 4xx (Client Error) | 404 Not Found | Resource not found on server |
| 5xx (Server Error) | 500 Internal Server Error | Server encountered an error |
Key Characteristics
- Stateless protocol
- No storage of previous requests/responses
- Uses cookies/sessions for state management
- Version evolution:
- HTTP/1.0 (1996): One request per connection
- HTTP/1.1 (1997): Persistent connections, pipelining
- HTTP/2 (2015): Multiplexing, header compression, server push
- HTTP/3 (2022): QUIC protocol, improved performance over unreliable connections
🔒 HTTPS (Hypertext Transfer Protocol Secure)
Concept
- Secure version of HTTP
- Uses SSL/TLS for encryption
- Verifies server identity through certificates
- Protects sensitive information
- Prevents man-in-the-middle attacks
- Default port: 443
- URI format: https://example.com
- Positive SEO impact (Google ranks secure sites higher)
SSL/TLS Overview
- SSL: Developed by Netscape (1995)
- TLS: Successor to SSL (1999)
- Uses public key encryption
- TLS recommended over SSL for security
- Essential component of HTTPS
- Version evolution:
- SSL 2.0/3.0: Deprecated, considered insecure
- TLS 1.0/1.1: Deprecated as of March 2021
- TLS 1.2: Current widespread adoption
- TLS 1.3: Latest version (2018), improved security and performance
TLS Handshake Process
- Client Hello: Client sends supported TLS versions, cipher suites, random number
- Server Hello: Server selects TLS version, cipher suite, sends random number
- Certificate: Server sends its SSL/TLS certificate
- Certificate Verification: Client verifies certificate against trusted CAs
- Key Exchange: Client generates pre-master secret, encrypts it with server’s public key
- Server Acknowledgment: Server decrypts pre-master secret
- Session Keys Created: Both sides derive symmetric session keys
- Secure Communication: Data encrypted using session keys
Working Process
- Client connects to HTTPS server
- Client requests server’s public key
- Server sends SSL/TLS certificate
- Client verifies certificate
- Client generates session key
- Client encrypts session key with server’s public key
- Server decrypts session key
- Secure communication begins
HTTPS Working Process Flowchart
graph TD;
A[Client connects to HTTPS server] --> B[Client requests server's public key];
B --> C[Server sends SSL/TLS certificate];
C --> D[Client verifies certificate];
D --> E[Client generates session key];
E --> F[Client encrypts session key with server's public key];
F --> G[Server decrypts session key];
G --> H[Secure communication begins];
Modern HTTPS Security Features
HTTP Strict Transport Security (HSTS)
- Forces browsers to use HTTPS only
- Prevents downgrade attacks
- Implementation via header:
Strict-Transport-Security: max-age=31536000
Certificate Transparency (CT)
- Public logs of issued certificates
- Helps detect unauthorized certificates
- Required by major browsers
Certificate Authority Authorization (CAA)
- DNS record specifying which CAs can issue certificates
- Example:
example.com. CAA 0 issue "letsencrypt.org"
Content Security Policy (CSP)
- Mitigates XSS and data injection attacks
- Controls which resources can be loaded
- Implementation via header:
Content-Security-Policy: default-src 'self'
Implementation Guide: Apache SSL/HTTPS Certificate
1. Install OpenSSL and Enable SSL Module
# Install OpenSSL
sudo yum -y install openssl
# Verify installation
rpm -qa |grep openssl
# Install mod_ssl
yum install mod_ssl
# Check mod_ssl.so
cd /etc/httpd/modules/
ls mod_ssl*
2. Generate Private Key
openssl genrsa -des3 -out server.key 2048
3. Create Certificate Signing Request
openssl req -new -key server.key -out server.csr
# Required information:
Country Name: KR
State: Seoul
Locality: city
Organization: company
Unit: section
Common Name: somaz
Email: somaz@gmail.com
4. Remove Password from Private Key (Optional)
cp server.key server.key.origin
openssl rsa -in server.key.origin -out server.key
5. Generate Certificate
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
6. Copy Certificates
cp server.key /etc/httpd/conf/
cp server.crt /etc/httpd/conf/
7. Configure Apache to Use SSL
# Edit SSL configuration
vi /etc/httpd/conf.d/ssl.conf
# Add or modify these lines
SSLCertificateFile /etc/httpd/conf/server.crt
SSLCertificateKeyFile /etc/httpd/conf/server.key
# Restart Apache
systemctl restart httpd
8. Test Configuration
# Check for configuration errors
apachectl configtest
# Verify SSL is working
openssl s_client -connect yourdomain.com:443
Implementation Guide: Nginx SSL/HTTPS Configuration
server {
listen 443 ssl;
server_name yourdomain.com;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
# Modern SSL configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;
# HSTS (optional)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Other common security headers
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
# Redirect HTTP to HTTPS
server {
listen 80;
server_name yourdomain.com;
return 301 https://$host$request_uri;
}
Let’s Encrypt for Free SSL Certificates
Let’s Encrypt provides free, automated SSL certificates.
Using Certbot with Apache:
# Install Certbot
sudo apt install certbot python3-certbot-apache
# Obtain and install certificate
sudo certbot --apache -d yourdomain.com
# Auto-renewal (already added to crontab by certbot)
sudo certbot renew --dry-run
Using Certbot with Nginx:
# Install Certbot
sudo apt install certbot python3-certbot-nginx
# Obtain and install certificate
sudo certbot --nginx -d yourdomain.com
# Auto-renewal check
sudo certbot renew --dry-run
HTTP vs HTTPS Comparison
| Feature | HTTP | HTTPS |
|---|---|---|
| Data Transfer | Plain text | Encrypted |
| Port | 80 | 443 |
| Security | Vulnerable to eavesdropping | Protected against interception |
| Authentication | No authentication | Server authentication |
| Performance | Faster (no encryption overhead) | Slight overhead due to TLS handshake |
| SEO Impact | Negative (Google prefers HTTPS) | Positive ranking factor |
| Modern Features | Limited access to new web features | Required for features like Service Workers |
Troubleshooting Common SSL Issues
Certificate Issues
- Self-signed Certificate: Browser warnings for untrusted certificates
- Certificate Expired: Check expiration date with
openssl x509 -in server.crt -noout -enddate - Common Name Mismatch: Certificate must match domain name exactly or use wildcard
- Incomplete Certificate Chain: Ensure intermediate certificates are included
Configuration Issues
- Mixed Content: HTTP resources loaded on HTTPS page
- Cipher Suite Incompatibility: Check with
openssl ciphers -v - Protocol Version Issues: Ensure modern TLS versions are enabled
- Certificate File Permissions: Private keys should be readable only by server process
Diagnostic Tools
- SSL Labs Server Test
- DigiCert SSL Checker
- Command line:
openssl s_client -connect example.com:443 -tls1_2 - Browser DevTools: Check Security panel for certificate details
Comments