3. February 2014
In contrast to the plain-text HTTP protocol, HTTPS (HTTP over TLS/SSL) is a bidirectional tunnelling protocol: it carries an insecure protocol (HTTP) inside a secure tunnel provided by TLS/SSL.
If we were to ask a developer to list the benefits of TLS/SSL, they would probably start with privacy via encryption and they would be correct. However, encryption is not TLS/SSL's only benefit.
Before it even gets to encrypting anything, a connection using TLS/SSL guarantees the following:
- Authentication. When a client (a browser or any other client software) attempts to establish a connection with a server (a web server or any other type of server) using HTTPS, after the initial handshake a copy of the site's certificate is sent to the browser. The certificate always contains the site's domain name along with other information such as the issue and expiry dates. The browser then compares the site's domain name with the Common Name (CN) included in the certificate. If they don't match, it treats the site as an impostor or a phishing site and warns the user.
- Integrity protection. Any data exchanged between the client and the server cannot be modified by a man-in-the-middle attacker without the modification being detected.
- Replay protection. Packets exchanged between the client and the server cannot be replayed. If I issue a payment or a refund of $500.00 for a client, nobody can sniff the packets and replay them multiple times to duplicate the payment.
- Privacy & confidentiality. All packets exchanged between the client and the server are encrypted and safe from a man-in-the-middle attack.
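To make the authentication bullet concrete, here is an added Python example (written for this post, not code from any browser or TLS library) of the two checks a client performs on the received certificate: does the requested hostname appear among the names the certificate was issued for, and is the current time inside the validity period. The certificates are constructed samples in the dictionary layout Python's `ssl.SSLSocket.getpeercert()` returns; the function names `dns_names`, `label_matches`, `hostname_matches` and `is_within_validity` are this example's own. It goes slightly beyond the post's CN-only description: verifiers following RFC 6125 match against the Subject Alternative Name (SAN) entries and fall back to the CN only when the certificate carries no SAN at all, and a wildcard is honoured only as the whole leftmost label standing for exactly one label.

```python
import ssl

# Constructed sample certificates in the dict layout that Python's
# ssl.SSLSocket.getpeercert() returns (field names are real, values are made up).
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "shop.example.com"),)),
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.api.example.com")),
    "notBefore": "Jan  1 00:00:00 2014 GMT",
    "notAfter": "Dec 31 23:59:59 2014 GMT",
}
# Older certificate with no SAN extension: the subject CN is all there is.
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.com"),),)}
# SAN present but not listing the CN: the CN must then be ignored.
SAN_PRESENT_CERT = {
    "subject": ((("commonName", "cn.example.com"),),),
    "subjectAltName": (("DNS", "san.example.com"),),
}


def dns_names(cert):
    """Names the certificate claims: the SAN dNSName entries, or the subject CN
    only as a fallback when the certificate carries no SAN at all (RFC 6125)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def label_matches(pattern, hostname):
    """Case-insensitive exact match, or a wildcard that is the entire leftmost
    label and stands for exactly one label: *.api.example.com matches
    v1.api.example.com but neither api.example.com nor a.b.api.example.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False  # refuse partial wildcards (f*o.example.com), *.*.x and *.com
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """The name check the browser performs: does the host the user asked for
    appear among the names the certificate was issued for?"""
    return any(label_matches(name, hostname) for name in dns_names(cert))


def is_within_validity(cert, now_seconds):
    """The date check: 'now' (seconds since the epoch, UTC) must fall inside
    [notBefore, notAfter]; ssl.cert_time_to_seconds parses the GMT strings."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now_seconds <= not_after


if __name__ == "__main__":
    for host in ("shop.example.com", "v1.api.example.com", "api.example.com", "evil.example.com"):
        verdict = "ok" if hostname_matches(SAMPLE_CERT, host) else "MISMATCH: warn the user"
        print(f"{host:22s} -> {verdict}")
```

A mismatch here is what produces the browser warning the post describes; the CN-only fallback matters because a certificate that carries a SAN list but omits the CN name must not be accepted for that CN name.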
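The integrity and replay bullets come from one mechanism at the TLS record layer: every record carries a MAC computed over its data together with a 64-bit sequence number that both ends count locally and never transmit, so a record is only valid at one position in the stream. The added Python example below, written for this post and not taken from any TLS implementation, reproduces that idea with HMAC-SHA256 and walks the $500.00 refund through the three attacks (editing the amount, replaying the record, reordering records). The key and the messages are constructed; real TLS 1.2 also covers the record header in the MAC, and TLS 1.3 folds the sequence number into the AEAD nonce instead, but the effect on an attacker is the same.

```python
import hashlib
import hmac
import struct

TAG_LEN = hashlib.sha256().digest_size  # 32-byte tag appended to every record

# Constructed shared key. In TLS the MAC keys are derived from the handshake
# secrets, one per direction; here one key serves the single direction shown.
MAC_KEY = b"constructed demo key - not a real TLS key"


def record_tag(key, seq, payload):
    """MAC over (sequence number || payload). The sequence number is never put
    on the wire: both sides count records, so a tag is valid at one position only."""
    return hmac.new(key, struct.pack(">Q", seq) + payload, hashlib.sha256).digest()


class Sender:
    def __init__(self, key):
        self.key, self.seq = key, 0

    def send(self, payload):
        record = payload + record_tag(self.key, self.seq, payload)
        self.seq += 1
        return record


class Receiver:
    def __init__(self, key):
        self.key, self.seq = key, 0

    def receive(self, record):
        """Return the payload if the record is authentic and next in sequence,
        otherwise None and leave the counter untouched (TLS would abort instead)."""
        if len(record) < TAG_LEN:
            return None
        payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        expected = record_tag(self.key, self.seq, payload)
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None
        self.seq += 1
        return payload


def simulate():
    """Walk the refund through the attacks from the post and return what the
    receiver accepted at each step."""
    sender, receiver = Sender(MAC_KEY), Receiver(MAC_KEY)
    refund = sender.send(b"REFUND client=42 amount=500.00")  # sequence 0
    ack = sender.send(b"ACK")                                 # sequence 1
    close = sender.send(b"CLOSE")                             # sequence 2
    results = {}
    # Tampering: the amount is edited in transit, so the tag no longer matches.
    results["tampered"] = receiver.receive(refund.replace(b"500.00", b"900.00"))
    # The genuine record is accepted (the rejected one did not advance the counter).
    results["accepted"] = receiver.receive(refund)
    # Replay: identical bytes, but the receiver now expects sequence 1.
    results["replayed"] = receiver.receive(refund)
    # Reordering: record 2 ahead of record 1 fails; delivered in order, both pass.
    results["out_of_order"] = receiver.receive(close)
    results["in_order"] = (receiver.receive(ack), receiver.receive(close))
    return results


if __name__ == "__main__":
    for step, outcome in simulate().items():
        print(f"{step:13s} -> {outcome!r}")
```

Only the genuine refund and the correctly ordered follow-up records come back as payloads; the tampered, replayed and out-of-order copies all return `None`, which is why sniffing and resending the packets cannot duplicate the payment.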