LLMpedia: The first transparent, open encyclopedia generated by LLMs

Hypertext Transfer Protocol Secure

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: Hypertext Transfer Protocol Secure
Abbreviation: HTTPS
Introduced: 1994
Developer: Netscape Communications Corporation
Based on: Hypertext Transfer Protocol
Related: Transport Layer Security, Secure Sockets Layer, Internet Engineering Task Force, World Wide Web Consortium
Initial release: 1994
Stable release: TLS 1.3 (RFC 8446)
Website: Wikimedia

Hypertext Transfer Protocol Secure is an application-layer protocol that provides encrypted communication and secure identification for networked devices. It combines the semantics of Hypertext Transfer Protocol with cryptographic protocols, namely Transport Layer Security and its predecessor Secure Sockets Layer, to provide confidentiality, data integrity, and authentication for interactions between clients and servers. Widely adopted across sites and services including Google, Facebook, Amazon (company), Wikipedia, and Twitter, it is foundational to secure web transactions, online banking with Bank of America, e‑commerce on eBay, and sensitive government portals like IRS (United States).

Overview

HTTPS operates by layering cryptographic protocols beneath HTTP request/response semantics, enabling protected communication between user agents (browsers such as Google Chrome, Mozilla Firefox, Safari (web browser), and Microsoft Edge) and origin servers hosted by providers such as Amazon Web Services, Cloudflare, Akamai Technologies, and Fastly. Major certificate authorities, including DigiCert, Let's Encrypt, Comodo, GlobalSign, and Entrust, issue the digital certificates used for server authentication, while standards bodies such as the Internet Engineering Task Force and the World Wide Web Consortium publish the specifications that guide interoperability. Enterprises, regulatory bodies such as the European Commission, and standards-driven projects such as OpenSSL, BoringSSL, GnuTLS, and LibreSSL contribute implementations and libraries.

History and development

The genesis traces to work by Netscape Communications Corporation in the 1990s, when Marc Andreessen and engineers introduced Secure Sockets Layer to secure early web commerce; cryptographers and standards groups subsequently moved development into the Internet Engineering Task Force, where Transport Layer Security replaced SSL after analysis by contributors including Philipp Resch, Tim Dierks, and Eric Rescorla. High-profile events, such as the adoption of HTTPS by PayPal, the HTTPS Everywhere campaign led by the Electronic Frontier Foundation, and public incidents like the breaches affecting Equifax and the Sony Pictures Entertainment hack, shifted industry practice toward encryption by default. Responses to vulnerabilities shaped a timeline running from RFC 6101 to stabilization in RFC 5246 and RFC 8446, which define TLS 1.2 and TLS 1.3, respectively.

Technical architecture and protocol

At the protocol level, HTTPS runs over the TCP/IP stack and negotiates cryptographic parameters during a handshake phase implemented by TLS; implementations perform asymmetric key agreement using algorithms from standards referenced by NIST, such as RSA (cryptosystem), Elliptic-curve cryptography, and Diffie–Hellman key exchange. Certificate chains rely on the X.509 standard, maintained within International Telecommunication Union frameworks, and are validated against root stores curated by vendors such as Apple Inc., Microsoft Corporation, and Google (company). Handshake messages negotiate cipher suites (e.g., AES, ChaCha20) and hash functions such as SHA-256; session resumption mechanisms use tickets standardized by the IETF to reduce latency. Operational components encompass reverse proxies (e.g., NGINX, HAProxy), web servers (Apache HTTP Server, IIS), and content delivery networks operated by Cloudflare.

Security mechanisms and vulnerabilities

Security properties include confidentiality via symmetric encryption, integrity via message authentication codes or AEAD constructions, and authentication through certificate validation chains issued by certificate authorities such as Let's Encrypt and DigiCert. Critical attack vectors have included protocol downgrades, exploited in incidents like the FREAK attack and the POODLE attack; certificate authority compromise, exemplified by events involving Comodo; and state-level interception documented in reports about surveillance by the NSA and other intelligence agencies. Defenses include HSTS headers adopted by sites like GitHub and Twitter, certificate transparency logs promoted by Google, and automated certificate issuance by Let's Encrypt to reduce misissuance. Cryptographic transitions, such as deprecating RSA key exchange, removing support for RC4, and migrating to TLS 1.3, address past weaknesses exposed by academic research from teams at Stanford University, MIT, and University of California, Berkeley.
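The handshake, X.509 chain validation and ticket-based resumption described in the two sections above (and the session tickets the performance section mentions later), as an added example that is not part of the original article and not code from any project it names: a Go program using only the standard library's crypto/tls and crypto/x509 builds a throwaway root CA and a leaf certificate for the hypothetical host www.example.test, runs a TLS handshake over loopback TCP, exchanges one line of protected application data carrying an HSTS header, and returns the client's view of the connection. The CA name, host name, the TLS 1.2 floor and the HSTS max-age value are constructed for the example.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"time"
)

// Constructed, throwaway PKI for a hypothetical host name; nothing here is a
// real certificate, and all traffic stays on the loopback interface.
const leafHost = "www.example.test"

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Scenario pairs a server holding a CA-issued leaf certificate with the root
// store a client needs to validate the chain that server presents.
type Scenario struct {
	Server *tls.Config
	Roots  *x509.CertPool
}

func NewScenario() *Scenario {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	// Self-signed root, then a leaf signed by that root: a two-certificate X.509 chain.
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: leafHost},
		DNSNames:  []string{leafHost}, // the name the client checks against its ServerName
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER := must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the client's root store, playing the role of a browser's
	server := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{leafDER, ca.Raw}, PrivateKey: leafKey}},
		MinVersion:   tls.VersionTLS12, // refuses SSL 3.0, TLS 1.0 and TLS 1.1
	}
	return &Scenario{Server: server, Roots: roots}
}

// ClientConfig builds a client that trusts roots, expects serverName and keeps
// session tickets so that a second connection can resume.
func ClientConfig(roots *x509.CertPool, serverName string) *tls.Config {
	return &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12,
		ClientSessionCache: tls.NewLRUClientSessionCache(8)}
}

// Connect runs a TLS handshake over loopback TCP, reads one line of protected
// application data (the HTTP status line) and returns the client's view of the
// connection: negotiated version, cipher suite, verified chain and DidResume.
func Connect(server, client *tls.Config) (tls.ConnectionState, string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return tls.ConnectionState{}, "", err
	}
	defer ln.Close()
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			return
		}
		srv := tls.Server(raw, server)
		if srv.Handshake() == nil { // handshake failures surface on the client side
			io.WriteString(srv, "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\nContent-Length: 0\r\n\r\n")
		}
		srv.Close()
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), client) // handshake plus certificate validation
	if err != nil {
		return tls.ConnectionState{}, "", err
	}
	defer cli.Close()
	sc := bufio.NewScanner(cli) // reading also consumes the server's NewSessionTicket
	sc.Scan()
	return cli.ConnectionState(), sc.Text(), sc.Err()
}
```

With Go's defaults the first Connect reports TLS 1.3, a verified chain of two certificates (leaf and root) and DidResume false; a second Connect with the same client config resumes from the stored ticket. A client built with an empty root pool fails with an x509 unknown-authority error, and one whose ServerName is not in the certificate fails with a hostname error, in both cases before any application data is exchanged.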

Deployment and configuration

Deploying HTTPS involves obtaining a certificate from a trusted CA, configuring server software (for example Apache HTTP Server or NGINX) with appropriate private keys, and setting secure cipher suites and protocol versions in line with guidance from Mozilla Foundation and IETF recommendations. Large platforms like Cloudflare, Akamai Technologies, and Fastly provide managed TLS termination; enterprises integrate with identity providers such as Okta and Microsoft Azure Active Directory for mutual TLS and client certificate use. Operational practices include key rotation, OCSP stapling supported by OpenSSL implementations, and monitoring via services from New Relic and Datadog to detect certificate expiry or misconfiguration.
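A configuration review of the kind the deployment guidance above calls for, as an added example that is not part of the original article or of any tool it names: a Go function over the standard library's tls.Config that flags a missing or low protocol floor, cipher suites Go itself marks insecure (the RC4 suites among them), static RSA key exchange without forward secrecy, and a certificate within 14 days of expiry. The 14-day threshold and the wording of the findings are the example's own choices; the current time is passed in so the expiry check is deterministic.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"strings"
	"time"
)

// expiryWarning is how close to NotAfter a certificate is reported; it is a
// constructed lead time meant to leave room for automated renewal.
const expiryWarning = 14 * 24 * time.Hour

// AuditTLSConfig returns human-readable findings for a server configuration:
// protocol floor, insecure cipher suites, static RSA key exchange and expiry.
func AuditTLSConfig(cfg *tls.Config, now time.Time) []string {
	var findings []string
	switch {
	case cfg.MinVersion == 0:
		findings = append(findings, "MinVersion not set; the effective floor depends on the Go version")
	case cfg.MinVersion < tls.VersionTLS12:
		findings = append(findings, "MinVersion below TLS 1.2 permits downgrade to deprecated versions")
	}
	insecure := map[uint16]bool{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = true
	}
	for _, id := range cfg.CipherSuites {
		name := tls.CipherSuiteName(id)
		if insecure[id] {
			findings = append(findings, "insecure cipher suite enabled: "+name)
		} else if strings.HasPrefix(name, "TLS_RSA_WITH_") {
			// Static RSA key exchange: a leaked private key decrypts recorded sessions.
			findings = append(findings, "static RSA key exchange, no forward secrecy: "+name)
		}
	}
	for i, c := range cfg.Certificates {
		leaf := c.Leaf
		if leaf == nil && len(c.Certificate) > 0 {
			if parsed, err := x509.ParseCertificate(c.Certificate[0]); err == nil {
				leaf = parsed
			}
		}
		if leaf == nil {
			findings = append(findings, fmt.Sprintf("certificate %d has no parseable leaf", i))
			continue
		}
		if remaining := leaf.NotAfter.Sub(now); remaining < expiryWarning {
			findings = append(findings, fmt.Sprintf("certificate %d expires in %d days", i, int(remaining.Hours()/24)))
		}
	}
	return findings
}
```

Run it against the tls.Config a server is about to load; an empty result means the floor is TLS 1.2 or higher, no listed suite is insecure or static-RSA, and every certificate has more than two weeks left.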

Performance and compatibility

Performance considerations balance cryptographic overhead against latency; optimizations include TLS 1.3 zero‑round‑trip resumption, session tickets, HTTP/2 multiplexing standardized by the IETF, and QUIC transport developed by Google and standardized in the IETF as HTTP/3. Mobile ecosystems like Android (operating system) and iOS incorporate platform TLS stacks with hardware acceleration on devices from Qualcomm and Apple Inc. Browser compatibility matrices maintained by projects like Can I use and vendor documentation from Mozilla Corporation and Microsoft guide web developers in progressive enhancement to support older clients while promoting modern ciphers. Performance tooling and audits from Akamai Technologies, Cloudflare, and Pingdom help sites optimize handshake costs and ensure broad interoperability.

Category:Internet protocols