A brief intro to HTTPS

Thameera Senanayaka

Oliv Labs

HTTP

• Hypertext Transfer Protocol
• A request-response protocol

• Initial draft in 1989
• HTTP/1.1 in 1997
• HTTP/2 in 2015

Demo - HTTP/1.1 and HTTP/2

http://nextpoyawhen.com

HTTPS

• HTTP over TLS (Transport Layer Security)
• Previously: HTTP over SSL (Secure Sockets Layer)
• Uses port 443
• Protects against Man-in-the-Middle attacks

Demo

https://olivlabs.com

Browser warnings

DEMO: WP login, Redmine

EV Certificates

• Extended Validation Certificates
• CAs need to verify the legal identity, etc of the company/website
• DEMO: github.com

Support in different browsers

HTTPs certificates

• Should be obtained from a Certificate Authority (CA)
  • eg: Comodo, DigiCert
• Has an expiry date
• Is valid for only one or more domains/sub-domains
• Server sends the cert to the browser initially

Non-secure origins

• All content should be https.
• Mixed-content errors/warnings given otherwise.
• DEMO: http://ddd.co.jp
• Use CSP (Content-Security-Policy) header

  • upgrade-insecure-requests

Barriers to HTTPS

• Cost
  • Let's Encrypt
• Speed
  • Gmail: Only 1% of CPU load contributes to HTTPS.

  • http://www.httpvshttps.com/

  • http://caniuse.com/#search=http%2F2

• Complexity of installing and renewing

  • Certbot

Redirecting HTTP to hTTPS

DEMO: http://olivlabs.com

HSTS

• HTTP Strict Transport Security

• strict-transport-security header

• 307 response code
• DEMO: http://olivlabs.com
• Preload HSTS

Thank you!