==Security==
{{Main|Transport Layer Security#Security}}
The security of HTTPS is that of the underlying TLS, which typically uses long-term [[Public-key cryptography|public]] and private keys to generate a short-term [[session key]], which is then used to encrypt the data flow between the client and the server. [[X.509]] certificates are used to authenticate the server (and sometimes the client as well). As a consequence, [[certificate authority|certificate authorities]] and [[public key certificate]]s are necessary to verify the relation between the certificate and its owner, as well as to generate, sign, and administer the validity of certificates. While this can be more beneficial than verifying identities via a [[web of trust]], the [[2013 mass surveillance disclosures]] drew attention to certificate authorities as a potential weak point: any trusted authority that issues a certificate for a domain it does not control enables [[man-in-the-middle attack]]s against that domain.<ref>{{cite magazine |url=https://www.wired.com/2010/03/packet-forensics/ |title=Law Enforcement Appliance Subverts SSL |magazine=Wired |date=24 March 2010 |first=Ryan |last=Singel |access-date=20 October 2018 |archive-url=https://web.archive.org/web/20190117142906/https://www.wired.com/2010/03/packet-forensics/ |archive-date=17 January 2019 |url-status=live }}</ref><ref>{{cite web |url=https://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl |title=New Research Suggests That Governments May Fake SSL Certificates |first=Seth |last=Schoen |work=EFF |date=24 March 2010 |access-date=20 October 2018 |archive-url=https://web.archive.org/web/20160104234608/https://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl |archive-date=4 January 2016 |url-status=live }}</ref> An important property in this context is [[forward secrecy]], which ensures that encrypted communications recorded in the past cannot be decrypted should the server's long-term private key be compromised in the future. Forward secrecy requires an ephemeral key exchange (DHE or ECDHE) rather than encrypting the session key to the server's long-term RSA key; not all web servers are configured to provide it.<ref name=ecdhe>{{cite web |url=https://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html |title=SSL: Intercepted today, decrypted tomorrow |work=Netcraft |date=25 June 2013 |first=Robert |last=Duncan |access-date=20 October 2018 |archive-url=https://web.archive.org/web/20181006021916/https://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html |archive-date=6 October 2018 |url-status=live }}</ref>{{Update inline|reason=Does this still hold in 2015?|date=February 2015}}

For HTTPS to be effective, a site must be completely hosted over HTTPS. If some of the site's contents are loaded over HTTP (scripts or images, for example), or if only a certain page that contains sensitive information, such as a log-in page, is loaded over HTTPS while the rest of the site is loaded over plain HTTP, an attacker on the network path can read or modify the unprotected parts, and a modified script loaded into an HTTPS page runs with that page's privileges. Additionally, [[HTTP cookie|cookies]] on a site served through HTTPS must have the [[secure cookie|Secure attribute]] set; otherwise the browser also sends them with any plain-HTTP request to the same host, so on a site that holds sensitive information the user's session is exposed every time the site is accessed with HTTP instead of HTTPS.<ref name=deployhttpscorrectly/>
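The three deployment checks described above (an ephemeral key exchange for forward secrecy, the Secure attribute on cookies, and no sub-resources loaded over plain HTTP) can be audited from a captured response. The following Python script is an added example written for this section, not code from the HTTPS article or from any server vendor; the cipher suite name, Set-Cookie headers and HTML body it inspects are constructed in-line, and the host names in them are placeholders.

```python
"""Audit a captured HTTPS response for the deployment weaknesses above.

Added example, not part of the article. All inputs are constructed below;
nothing is fetched from the network.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# OpenSSL-style suite names whose key exchange is ephemeral (forward secret).
FORWARD_SECRET_KX = ("ECDHE-", "DHE-")
# TLS 1.3 suite names omit the key exchange because every TLS 1.3
# handshake uses ephemeral (EC)DHE, so these always give forward secrecy.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}


def has_forward_secrecy(cipher_suite: str) -> bool:
    """True if the negotiated suite uses an ephemeral key exchange."""
    suite = cipher_suite.upper()
    return suite in TLS13_SUITES or suite.startswith(FORWARD_SECRET_KX)


def insecure_cookies(set_cookie_headers):
    """Return the names of cookies set without the Secure attribute.

    Such cookies are also sent on plain-HTTP requests to the host, which is
    how a session can leak when one page is reached over HTTP.
    """
    missing = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; compare them lower-cased.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            missing.append(name)
    return missing


class _SubresourceCollector(HTMLParser):
    """Collect URLs of elements that fetch a sub-resource when rendered."""

    URL_ATTRS = {"script": "src", "img": "src", "link": "href", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.URL_ATTRS.get(tag)
        if wanted:
            for key, value in attrs:
                if key == wanted and value:
                    self.urls.append(value)


def mixed_content(html: str):
    """Return sub-resource URLs that an HTTPS page would load over plain HTTP."""
    collector = _SubresourceCollector()
    collector.feed(html)
    # Scheme-relative URLs ("//cdn.example/x.js") inherit https and are fine.
    return [u for u in collector.urls if urlsplit(u).scheme == "http"]


def audit(cipher_suite, set_cookie_headers, html):
    """Combine the three checks into one report dictionary."""
    return {
        "forward_secrecy": has_forward_secrecy(cipher_suite),
        "cookies_without_secure": insecure_cookies(set_cookie_headers),
        "mixed_content": mixed_content(html),
    }


# Constructed sample: RSA key exchange (no forward secrecy), one cookie
# missing Secure, and two sub-resources referenced over http://.
SAMPLE_CIPHER = "AES256-SHA"
SAMPLE_COOKIES = [
    "session=abc123; Path=/; HttpOnly",
    "prefs=dark; Path=/; Secure; HttpOnly",
]
SAMPLE_HTML = """<html><head>
<script src="http://cdn.example.test/app.js"></script>
<link rel="stylesheet" href="https://cdn.example.test/site.css">
</head><body><img src="http://img.example.test/logo.png"></body></html>"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CIPHER, SAMPLE_COOKIES, SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

The cipher suite check only says whether the negotiated handshake was forward secret; a server that rotates its session ticket keys rarely can still let a later key compromise decrypt resumed sessions, which this script cannot see. The HTML parser deliberately treats scheme-relative URLs as safe, since a browser resolves them against the page's own https scheme.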