I wanted to cover these interconnected topics in a single article. The difference between the http and https prefixes at the beginning of the web addresses we encounter every day determines how trustworthy the connection is.
Protocols are agreements between two parties that determine the rules to be followed. In computing, they define the rules of digital communication between two platforms. Data is sent and received by the sender and receiver according to the protocol rules.
“HTTP”, formed from the initials of the words “Hypertext Transfer Protocol”, determines the rules of data transfer between the website and the web browser.
Protocol types are not just HTTP and HTTPS. Each protocol has communication ports. HTTP protocol transfers data on port 80.
The protocol appears at the beginning of the website address in the address bar of every web browser. In the web address http://www.gunalp.com, the http prefix indicates the protocol type, HTTP.
HTTPS can simply be called the secure version of the HTTP protocol. It is a connection between the website and the device through a secure channel.
In an HTTPS connection, the data passed between the server and the browser is encrypted with Transport Layer Security, shortened as “TLS”, or with the Secure Sockets Layer, called “SSL”. In other words, the HTTPS protocol will not work without an SSL / TLS certificate. In short, since data transferred from the server is encrypted when HTTPS is used, there is data privacy. The HTTPS protocol transfers data over port 443.
To put it plainly, it should be called SSL / TLS, because SSL is an outdated technology that has been completely replaced by TLS. TLS is the abbreviation of Transport Layer Security and provides data privacy just like SSL. It is the correct term that people should start using because SSL is no longer used. But we will say SSL 🙂 The website needs an SSL certificate to use the HTTPS protocol. In brief, an SSL certificate is used to verify the identity of the website being connected to.
Certificates work by digitally binding the identity information of the website owner to a cryptographic key. Data is encrypted so that data transfers cannot be decrypted by third parties.
An SSL / TLS certificate works with a public and private key pair, together with a private session key created for each secure session. When the visitor enters an SSL-secured address in the browser or arrives through a secure page, the browser and the web server create a connection. During the first connection, a session key is created using the public and private keys and is used to encrypt and decrypt the transferred data. This session key is valid for a limited time and can only be used for the private session in which it was created.
You can tell whether a website is using an SSL certificate by checking for a green bar or lock icon at the top of your browser. By clicking this icon, you can view certificate information and make SSL settings.
The communication steps that take place between a web browser and the server over the HTTPS protocol are as follows.
1- A request is sent to the server from the internet browser over the HTTPS protocol.
2- The server sends the client device a certificate containing its public key, which specifies its own encryption method.
3- The client web browser checks the certificate:
- Whether it was issued by a trusted CA,
- Whether the certificate is still valid,
- Whether the certificate belongs to the relevant site.
4- The web browser encrypts the data symmetrically with the encryption key and sends it to the server. The server accesses the data by decrypting the symmetric key with the help of its private key. The server encrypts the HTML document and sends it back to the client. The client device’s web browser decrypts it and displays it as an HTML document.
SSL Certificate Types
There are different types of SSL certificates, with both paid and free alternatives, depending on usage. The purpose the website serves is important when choosing an SSL certificate.
DV SSL (Domain Validation)
All instant SSL certificates and free SSL certificates are DV SSL certificates. In this certificate type, only the domain name is verified. It is referred to as the “Domain Verified Certificate”.
After the information provided by the hosting company is automatically confirmed, the certificate is installed. Using DV SSL is the cheapest and fastest way to have an SSL certificate. The AutoSSL (Let’s Encrypt) certificate is the best example.
OV SSL (Organization Validation)
If you want to buy an SSL certificate and the company that provides it quotes an installation period of a few days, that certificate is most likely OV SSL, namely the “Organization Approved” SSL certificate. With an OV SSL certificate, your data is not only encrypted; it is also confirmed whether the site you are visiting belongs to a real company.
The company authorized to provide the OV SSL certificate verifies the telephone number, physical address and Whois information of the organization, and whether the applicant is authorized to decide on behalf of the company. Therefore, the OV SSL certificate can give more confidence to a consumer checking the certificate.
EV SSL (Extended Validation)
The EV SSL certificate is the most secure SSL certificate on the market and is preferred by companies. It involves more verification processes than OV SSL certificates.
In order to issue an EV SSL certificate, the company that provides it checks whether your website is legal. For example, it is not possible to get EV SSL for a warez content website.
This certificate, which has reduced demand due to browsers like Chrome removing the bar called “green bar“, is the most expensive SSL certificate.
Wildcard SSL Certificate
It allows you to get an SSL certificate for all subdomains of your domain. If you want an SSL certificate for all your subdomains, you should choose a Wildcard SSL Certificate.
Multi-Domain SSL Certificate
It is preferred by webmasters who host more than one website. These SSL certificates installed on the server can be used for all domains on the server. It is preferred because it saves money.
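The browser checks from step 3 of the handshake, with host-name matching extended to the wildcard and multi-domain certificates described above, as an added example that is not part of the original article. The certificate is a constructed sample in the shape Python's ssl.SSLSocket.getpeercert() returns; check_certificate, name_matches and the issuer allow-list are illustrative assumptions, and a real client verifies the CA signature chain instead of comparing issuer names.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the names, issuer and dates are made up for illustration.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "issuer": ((("organizationName", "Example Trust CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Apr  1 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test"),
                       ("DNS", "shop.example.org")),
}
# Assumption: trust is reduced to an issuer-name allow-list. A real client
# verifies the signature chain up to a root CA in its trust store.
TRUSTED_ISSUERS = {"Example Trust CA"}


def name_matches(pattern, host):
    """Match one SAN entry; '*' covers exactly one left-most label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":  # never honour a bare '*.tld' pattern or an empty label
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h


def check_certificate(cert, host, now, trusted=TRUSTED_ISSUERS):
    """Return the list of failed checks; an empty list means accept."""
    failures = []
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    if issuer.get("organizationName") not in trusted:
        failures.append("untrusted issuer")
    ts = now.timestamp()
    if not (ssl.cert_time_to_seconds(cert["notBefore"]) <= ts
            <= ssl.cert_time_to_seconds(cert["notAfter"])):
        failures.append("outside validity period")
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not any(name_matches(s, host) for s in sans):
        failures.append("host name mismatch")
    return failures


if __name__ == "__main__":
    when = datetime(2024, 2, 1, tzinfo=timezone.utc)
    for host in ("www.example.test", "a.b.example.test", "shop.example.org"):
        print(host, check_certificate(SAMPLE_CERT, host, when) or "accepted")
```

A wildcard entry covers a single label, so a.b.example.test is rejected while www.example.test is accepted; shop.example.org is accepted only because the multi-domain certificate lists it explicitly.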
When to Use an SSL Certificate?
SSL / TLS is absolutely necessary where sensitive information such as usernames and passwords or payment information will be transferred.
The three main reasons why SSL / TLS is mandatory for your website are:
- When you need authentication,
- For security purposes on eCommerce sites,
- In some sectors, such as the financial sector, it is necessary to have a certain level of security. Also, if you want to accept credit card information on your website, you must follow the Payment Card Industry (PCI) standards. One of these requirements is an SSL / TLS certificate.
An SSL certificate can be used on almost any device, which means it is a versatile trust tool in today’s multi-mobile world.