Several websites, such as neverssl.com and nonhttps.com, guarantee that they will always remain accessible by HTTP.

==History==
Netscape Communications created HTTPS in 1994 for its Netscape Navigator web browser.
As SSL evolved into Transport Layer Security (TLS), HTTPS was formally specified by RFC 2818 in May 2000.
In situations where encryption has to be propagated along chained servers, session timeout management becomes extremely tricky to implement. Security is maximal with mutual SSL/TLS, but on the client side there is no way to properly end the SSL/TLS connection and disconnect the user except by waiting for the server session to expire or by closing all related client applications. A sophisticated type of man-in-the-middle attack called SSL stripping was presented at the 2009 Black Hat Conference.
In May 2010, a research paper by researchers from Microsoft Research and Indiana University discovered that detailed sensitive user data can be inferred from side channels such as packet sizes.
While this can be more beneficial than verifying the identities via a web of trust, the 2013 mass surveillance disclosures drew attention to certificate authorities as a potential weak point allowing man-in-the-middle attacks.
Diffie–Hellman key exchange (DHE) and Elliptic-curve Diffie–Hellman key exchange (ECDHE) were, as of 2013, the only schemes known to have that property.
In 2013, only 30% of Firefox, Opera, and Chromium Browser sessions used it, and nearly 0% of Apple's Safari and Microsoft Internet Explorer sessions.
In 2016, a campaign by the Electronic Frontier Foundation with the support of web browser developers led to the protocol becoming more prevalent.
Web browsers are generally distributed with a list of signing certificates of major certificate authorities so that they can verify certificates signed by them.

====Acquiring certificates====
A number of commercial certificate authorities exist, offering paid-for SSL/TLS certificates of a number of types, including Extended Validation Certificates. Let's Encrypt, launched in April 2016, provides a free and automated service that delivers basic SSL/TLS certificates to websites.
TLS 1.3, published in August 2018, dropped support for ciphers without forward secrecy.
Google announced in February 2018 that its Chrome browser would mark HTTP sites as "Not Secure" after July 2018.
All text is taken from Wikipedia. Text is available under the Creative Commons Attribution-ShareAlike License.
Page generated on 2021-08-05