Https - Vev

Https

An article from Vev.

Revision as of 6 December 2007 at 20:16

https is a URI scheme used to indicate a secure HTTP connection. It is syntactically identical to the http:// scheme normally used for accessing resources using HTTP. Using an https: URL indicates that HTTP is to be used, but with a different default TCP port (443) and an additional encryption/authentication layer between HTTP and TCP. This system was designed by Netscape Communications Corporation to provide authentication and encrypted communication and is widely used on the World Wide Web for security-sensitive communication such as payment transactions and corporate logons.


How it works


Strictly speaking, https is not a separate protocol, but refers to the combination of a normal HTTP interaction over an encrypted Secure Sockets Layer (SSL) or Transport Layer Security (TLS) connection. This ensures reasonable protection from eavesdroppers and man-in-the-middle attacks.

An https: URL may specify a TCP port; if it does not, the connection uses port 443 (unsecured HTTP typically uses port 80).

www.openssl.org/contrib/ or SuSE's gensslcert. This certificate must be signed by a certificate authority of one form or another, which certifies that the certificate holder is indeed the entity it claims to be. Web browsers are generally distributed with the signing certificates of major certificate authorities, so that they can verify certificates signed by them.

Organizations may also run their own certificate authority, particularly if they are responsible for setting up browsers to access their own sites (for example, sites on a company intranet), as they can trivially add their own signing certificate to those shipped with the browser.

Some sites, especially those operated by hobbyists, use self-signed certificates on public sites. Using these provides protection against simple eavesdropping, but unlike a well-known certificate, preventing a man-in-the-middle attack with a self-signed certificate requires the site to make available some other secure method of verifying the certificate.
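One form the "other secure method" can take is comparing the certificate's fingerprint against a value the site operator published over a separate trusted channel. The sketch below is an added example, not part of the original article; the function names are hypothetical and the sample certificate bytes are constructed so the check runs offline.

```python
import hashlib
import hmac
import socket
import ssl

HEX = set("0123456789abcdef")

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp: str) -> str:
    """Drop separators and case so pins copied from different tools compare equal."""
    cleaned = fp.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or not set(cleaned) <= HEX:
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned

def matches_pin(der: bytes, pinned_fp: str) -> bool:
    """Constant-time comparison of the presented certificate against the pin."""
    return hmac.compare_digest(normalize(fingerprint(der)), normalize(pinned_fp))

def connect_pinned(host: str, pinned_fp: str, port: int = 443) -> ssl.SSLSocket:
    """Connect to a self-signed site, trusting only the pinned certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # A self-signed certificate cannot chain to a CA, so CA validation is
    # switched off and replaced by the fingerprint check below.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=10)
    sock = ctx.wrap_socket(raw, server_hostname=host)
    der = sock.getpeercert(binary_form=True)
    if der is None or not matches_pin(der, pinned_fp):
        sock.close()  # fail closed: no application data is sent to an unpinned peer
        raise ssl.SSLError("certificate does not match the pinned fingerprint")
    return sock

# Constructed stand-in for a DER certificate (not a real certificate).
SAMPLE_DER = bytes.fromhex("3082010a0201") + b"constructed-sample-certificate"
```

Without the pin check, disabling CA validation would leave only the protection against simple eavesdropping that the paragraph above describes.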

The system can also be used for client authentication, in order to restrict access to a Web server to only authorized users. For this, typically the site administrator creates certificates for each user which are loaded into their browser. These normally contain the name and e-mail address of the authorized user, and are automatically checked by the server on each reconnect to verify the user's identity, potentially without ever entering a password.

Limitations

The level of protection depends on the correctness of the implementation by the web browser and the server software and the actual cryptographic algorithms supported.

spaf.cerias.purdue.edu/presents/Dist0203.pdf

Because SSL operates below HTTP and has no knowledge of higher-level protocols, SSL servers can only present one certificate for a particular IP/port combination. This means that in most cases it is not feasible to use name-based virtual hosting with HTTPS.


External links

Netscape's SSL 3.0 Specification: wp.netscape.com/eng/ssl3/draft302.txt

Apache-SSL homepage (No longer actively developed): www.apache-ssl.org/

Apache 2.2 mod_ssl documentation: httpd.apache.org/docs/2.2/ssl/
