Chapter 1. Orientation

Table of Contents
1.1. What is HTTPS?
1.2. What does HTTPS give you?
1.3. A heads-up about security in general
1.4. The problem with politics

1.1. What is HTTPS?

HTTP (no "S") is the protocol spoken between web browsers and web servers. It is used to submit requests from browsers to servers and to carry responses back. In addition to carrying the raw documents, HTTP also carries "meta information" about those documents - size, document type, expiry date, etc. HTTP uses the IP protocol family's TCP layer to provide the browser-server communication. HTTP can be visualised as running "on top of" TCP, which in turn runs "on top of" IP.

Because of their birth in academic collaboration, neither HTTP nor TCP provide much in the way of security. HTTP traffic travels as clear text across the communication networks, where it can easily be intercepted. TCP connections are made to hosts identified only by network names, which are relatively easily subverted. The only standard facilities for identifying users depend on transmitting user names and passwords in the clear with every request. While all this is fine when accessing the majority of web content - which is in any case freely available - it is unsuitable for those applications where any sort of security or confidentiality is required. HTTPS is HTTP running on top of either the TLS (Transport Layer Security) or SSL (Secure Sockets Layer) protocol. These sit between an application protocol and the TCP layer and provide additional security features.

The interface between an application protocol and TLS or SSL is modelled on that between an application protocol and plain TCP. This makes it fairly straightforward to add TLS or SSL functionality to existing programs, and so they are often used to secure protocols other than HTTP, such as POP (the Post Office Protocol), IMAP (Internet Message Access Protocol), SMTP (the Simple Mail Transfer Protocol) and LDAP (Lightweight Directory Access Protocol). Note, however, that SSH (the "Secure Shell") does not use TLS or SSL, though it uses similar cryptographic components. Use of HTTPS can be recognised by "https://..." URLs and key or closed padlock icons in common browsers. Recent versions of Firefox turn the browser address bar yellow when accessing sites using HTTPS.
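The layering described in the two paragraphs above can be seen directly in code. The following Go program is an added example, not part of this document and not code from any project it mentions: it starts the same HTTP handler twice, once on a plain loopback TCP listener and once on that listener wrapped in TLS, and the handler reports whether the bytes reached it over TLS. The HTTP code is identical in both cases; only the transport underneath it changes, which is exactly why TLS was easy to bolt onto HTTP, POP, IMAP, SMTP and LDAP. It assumes a throwaway self-signed certificate for 127.0.0.1 (generated in the program so it runs offline) that the client is told to trust; a real deployment would use a certificate issued by a CA the browser already trusts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"time"
)

// selfSignedCert makes a throwaway certificate for 127.0.0.1 (assumption: only for this offline demo).
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-local"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // cannot fail: der was just produced by CreateCertificate
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client will trust exactly this one certificate
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// handler is the application layer (HTTP); it is the same code whether or not TLS is underneath it.
func handler(w http.ResponseWriter, r *http.Request) {
	if r.TLS == nil {
		io.WriteString(w, "cleartext")
		return
	}
	fmt.Fprintf(w, "secure:0x%04x", r.TLS.Version) // 0x0303 = TLS 1.2, 0x0304 = TLS 1.3
}

// roundTrip starts one server on loopback TCP (wrapped in TLS when cert is non-nil),
// performs one GET against it with a client that trusts only roots, and returns the body.
func roundTrip(cert *tls.Certificate, roots *x509.CertPool) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	scheme := "http"
	if cert != nil {
		cfg := &tls.Config{Certificates: []tls.Certificate{*cert}, MinVersion: tls.VersionTLS12}
		ln = tls.NewListener(ln, cfg) // TLS sits between HTTP above and TCP below
		scheme = "https"
	}
	srv := &http.Server{Handler: http.HandlerFunc(handler)}
	go srv.Serve(ln)
	defer srv.Close()
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}}
	resp, err := (&http.Client{Transport: tr, Timeout: 5 * time.Second}).Get(scheme + "://" + ln.Addr().String())
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo runs the plain and the TLS-wrapped variant and returns what each server reported.
func Demo() (string, string, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return "", "", err
	}
	plain, err := roundTrip(nil, pool)
	if err != nil {
		return "", "", err
	}
	secure, err := roundTrip(&cert, pool)
	return plain, secure, err
}

func main() {
	plain, secure, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println(plain, secure)
}
```

The client side mirrors the server side: an `http.Transport` is given a `tls.Config` and otherwise behaves as for plain TCP. Two settings in the example are the ones a practitioner should check on any real deployment: `RootCAs` restricts which certificates are accepted (here, only the generated one), and `MinVersion` refuses the older protocol variants the document goes on to describe.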

SSL was originally developed by Netscape and released as SSL version 2. It was significantly redeveloped to form SSL version 3, and then further developed and documented in RFC2246 as TLS. There are significant differences between these three variants (in particular between SSL v2 and SSL v3), but it is possible for implementations to inter-operate provided they share support for at least one variant. We will refer to the whole family as TLS throughout the rest of this document.