Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
HTTPS
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
===Server setup=== To prepare a web server to accept HTTPS connections, the administrator must create a [[public key certificate]] for the web server. This certificate must be signed by a trusted [[certificate authority]] for the web browser to accept it without warning. The authority certifies that the certificate holder is the operator of the web server that presents it. Web browsers are generally distributed with a list of [[root certificate|signing certificates of major certificate authorities]] so that they can verify certificates signed by them. ====Acquiring certificates==== A number of commercial [[Certificate authority|certificate authorities]] exist, offering paid-for SSL/TLS certificates of a number of types, including [[Extended Validation Certificate]]s. [[Let's Encrypt]], launched in April 2016,<ref name="softpedia-launch">{{cite web |url=https://news.softpedia.com/news/let-s-encrypt-launched-today-currently-protects-3-8-million-domains-502857.shtml |title=Let's Encrypt Launched Today, Currently Protects 3.8 Million Domains |publisher=Softpedia News |first=Catalin |last=Cimpanu |date=12 April 2016 |access-date=20 October 2018 |archive-url=https://web.archive.org/web/20190209055129/https://news.softpedia.com/news/let-s-encrypt-launched-today-currently-protects-3-8-million-domains-502857.shtml |archive-date=9 February 2019 |url-status=live }}</ref> provides free and automated service that delivers basic SSL/TLS certificates to websites.<ref>{{cite web |url=http://www.eweek.com/security/let-s-encrypt-effort-aims-to-improve-internet-security |title=Let's Encrypt Effort Aims to Improve Internet Security |publisher=Quinstreet Enterprise |website=eWeek.com |date=18 November 2014 |access-date=20 October 2018 |last=Kerner |first=Sean Michael |archive-date=2 April 2023 |archive-url=https://web.archive.org/web/20230402154948/https://www.eweek.com/security/let-s-encrypt-effort-aims-to-improve-internet-security/ |url-status=live }}</ref> According to the [[Electronic Frontier Foundation]], Let's Encrypt will make switching from HTTP to HTTPS "as easy as issuing one command, or clicking one button."<ref>{{cite web |url=https://www.eff.org/deeplinks/2014/11/certificate-authority-encrypt-entire-web |title=Launching in 2015: A Certificate Authority to Encrypt the Entire Web |publisher=[[Electronic Frontier Foundation]] |date=18 November 2014 |access-date=20 October 2018 |last=Eckersley |first=Peter |archive-url=https://web.archive.org/web/20181118160126/https://www.eff.org/deeplinks/2014/11/certificate-authority-encrypt-entire-web |archive-date=18 November 2018 |url-status=live }}</ref> The majority of web hosts and cloud providers now leverage Let's Encrypt, providing free certificates to their customers. ====Use as access control==== The system can also be used for client [[authentication]] in order to limit access to a web server to authorized users. To do this, the site administrator typically creates a certificate for each user, which the user loads into their browser. Normally, the certificate contains the name and e-mail address of the authorized user and is automatically checked by the server on each connection to verify the user's identity, potentially without even requiring a password. ====In case of compromised secret (private) key==== An important property in this context is [[forward secrecy|perfect forward secrecy]] (PFS). Possessing one of the long-term asymmetric secret keys used to establish an HTTPS session should not make it easier to derive the short-term session key to then decrypt the conversation, even at a later time. [[Diffie–Hellman key exchange]] (DHE) and [[Elliptic-curve Diffie–Hellman]] key exchange (ECDHE) are in 2013 the only schemes known to have that property. In 2013, only 30% of Firefox, Opera, and Chromium Browser sessions used it, and nearly 0% of Apple's [[Safari (web browser)|Safari]] and [[Internet Explorer|Microsoft Internet Explorer]] sessions.<ref name=ecdhe/> TLS 1.3, published in August 2018, dropped support for ciphers without forward secrecy. {{As of|2019|02|df=US}}, 96.6% of web servers surveyed support some form of forward secrecy, and 52.1% will use forward secrecy with most browsers.<ref>{{cite web |author1=Qualys SSL Labs |title=SSL Pulse |url=https://www.ssllabs.com/ssl-pulse/ |access-date=25 February 2019 |archive-url=https://web.archive.org/web/20190215213454/https://www.ssllabs.com/ssl-pulse/ |archive-date=15 February 2019 |format=3 February 2019|author1-link=Qualys }}</ref> {{As of|2023|07|df=US}}, 99.6% of web servers surveyed support some form of forward secrecy, and 75.2% will use forward secrecy with most browsers.<ref>{{Cite web |title=Qualys SSL Labs - SSL Pulse |url=https://www.ssllabs.com/ssl-pulse/ |access-date=2023-09-04 |website=www.ssllabs.com}}</ref> =====Certificate revocation===== {{main|Certificate revocation}} A certificate may be revoked before it expires, for example because the secrecy of the private key has been compromised. Newer versions of popular browsers such as [[Firefox]],<ref>{{cite web |url=https://www.mozilla.org/en-US/privacy/ |title=Mozilla Firefox Privacy Policy |publisher=[[Mozilla Foundation]] |date=27 April 2009 |access-date=20 October 2018 |archive-url=https://web.archive.org/web/20181018063732/https://www.mozilla.org/en-US/privacy/ |archive-date=18 October 2018 |url-status=live }}</ref> [[Opera (web browser)|Opera]],<ref>{{cite news |url=https://news.softpedia.com/news/Opera-8-launched-on-FTP-1330.shtml |title=Opera 8 launched on FTP |publisher=[[Softpedia]] |date=19 April 2005 |access-date=20 October 2018 |archive-url=https://web.archive.org/web/20190209055128/https://news.softpedia.com/news/Opera-8-launched-on-FTP-1330.shtml |archive-date=9 February 2019 |url-status=live }}</ref> and [[Internet Explorer]] on [[Windows Vista]]<ref>{{cite web |last=Lawrence |first=Eric |date=31 January 2006 |url=https://docs.microsoft.com/en-us/previous-versions/aa980989(v=msdn.10) |title=HTTPS Security Improvements in Internet Explorer 7 |website=[[Microsoft Docs]] |access-date=24 October 2021 |archive-date=24 October 2021 |archive-url=https://web.archive.org/web/20211024181937/https://docs.microsoft.com/en-us/previous-versions/aa980989(v=msdn.10) |url-status=live }}</ref> implement the [[Online Certificate Status Protocol]] (OCSP) to verify that this is not the case. The browser sends the certificate's serial number to the certificate authority or its delegate via OCSP (Online Certificate Status Protocol) and the authority responds, telling the browser whether the certificate is still valid or not.<ref>{{cite web |url=https://tools.ietf.org/html/rfc2560 |title=Online Certificate Status Protocol – OCSP |publisher=[[Internet Engineering Task Force]] |date=20 June 1999 |last1=Myers |first1=Michael |last2=Ankney |first2=Rich |last3=Malpani |first3=Ambarish |last4=Galperin |first4=Slava |last5=Adams |first5=Carlisle |doi=10.17487/RFC2560 |access-date=20 October 2018 |archive-url=https://web.archive.org/web/20110825095059/http://tools.ietf.org/html/rfc2560 |archive-date=25 August 2011 |url-status=live }}</ref> The CA may also issue a [[Certificate revocation list|CRL]] to tell people that these certificates are revoked. CRLs are no longer required by the CA/Browser forum,<ref>{{cite web |url=https://cabforum.org/baseline-requirements-documents/ |title=Baseline Requirements |date=4 September 2013 |publisher=CAB Forum |access-date=1 November 2021 |url-status=live |archive-date=20 October 2014 |archive-url=https://web.archive.org/web/20141020234802/https://cabforum.org/baseline-requirements-documents/ }}</ref>{{Update inline|date=April 2025|reason=CRLs are actually required.}} nevertheless, they are still widely used by the CAs. Most revocation statuses on the Internet disappear soon after the expiration of the certificates.<ref name=RS_1>{{cite book| author1=Korzhitskii, N.| author2=Carlsson, N.| title=Passive and Active Measurement| chapter=Revocation Statuses on the Internet| series=Lecture Notes in Computer Science| date=30 March 2021| volume=12671| pages=175–191| doi=10.1007/978-3-030-72582-2_11| arxiv=2102.04288| isbn=978-3-030-72581-5}}</ref>
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)