Understand HTTPS

What is HTTPS?

HTTPS (also called HTTP over TLS, HTTP over SSL and HTTP Secure) is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security or its predecessor, Secure Sockets Layer. The main motivation for HTTPS is authentication of the visited website and protection of the privacy and integrity of the exchanged data.
In its popular deployment on the internet, HTTPS provides authentication of the website and associated web server with which one is communicating, which protects against man-in-the-middle attacks. Additionally, it provides bidirectional encryption of communications between a client and server, which protects against eavesdropping and tampering with and/or forging the contents of the communication. In practice, this provides a reasonable guarantee that one is communicating with precisely the website that one intended to communicate with (as opposed to an impostor), as well as ensuring that the contents of communications between the user and site cannot be read or forged by any third party.
Historically, HTTPS connections were primarily used for payment transactions on the World Wide Web, e-mail and for sensitive transactions in corporate information systems. In the late 2000s and early 2010s, HTTPS began to see widespread use for protecting page authenticity on all types of websites, securing accounts and keeping user communications, identity and web browsing private.
Complete description on Wikipedia...

Who is using HTTPS?

    Many websites use HTTPS. Here are some examples:
  • YouTube
  • Gmail
  • Google Play Store
  • iTunes
  • Facebook
  • Twitter
  • LinkedIn
  • Wikipedia
  • GitHub
  • Dropbox
  • etc.
    Who is doing what?
  • 99% of Google services use HTTPS (YouTube, Gmail, Google Music, etc.); soon it will be 100%.
  • At Apple, only iTunes uses HTTPS. iOS upgrades and Apple apps use plain HTTP.
  • 100% of Microsoft Windows Update traffic is HTTP.
  • Very few porn sites use HTTPS.

How does HTTPS work?

Web browsers know how to trust HTTPS websites based on certificate authorities that come pre-installed in their software. Certificate authorities (such as Symantec, Comodo, GoDaddy and GlobalSign) are in this way being trusted by web browser creators to provide valid certificates. Therefore, a user should trust an HTTPS connection to a website if and only if all of the following are true:
  • The user trusts that the browser software correctly implements HTTPS with correctly pre-installed certificate authorities.
  • The user trusts the certificate authority to vouch only for legitimate websites.
  • The website provides a valid certificate, which means it was signed by a trusted authority.
  • The certificate correctly identifies the website.
  • The user trusts that the protocol's encryption layer (SSL/TLS) is sufficiently secure against eavesdroppers.
More on Wikipedia...

Can HTTPS be cracked?

Let's say we are not all the US National Security Agency...
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both of which are frequently referred to as 'SSL', are cryptographic protocols designed to provide communications security over a computer network. Several versions of the protocols are in widespread use in applications such as web browsing, email, Internet faxing, instant messaging and voice-over-IP (VoIP).
Major web sites use TLS/SSL to secure all communications between their servers and web browsers.
Transport Layer Security on Wikipedia...

Any solution to cache HTTPS?

Today, with proxy caches, the only way to decrypt and cache HTTPS is to use a man-in-the-middle (MITM) technique.
Our products perform HTTPS interception using a self-signed SSL certificate. This certificate must be deployed to all browsers (IE, Chrome, Firefox, etc.) in the Trusted Authorities container.
If you are an ISP, deploying this certificate to all your users is not really realistic.
  • Using the certificate in transparent mode is not possible at the moment.
  • Using the certificate with routers/gateways does not work.
If you are a company and you need to deploy the certificate to all your employees, you should use your Microsoft Active Directory.
Once the SSL certificate is deployed, you will decrypt and cache all HTTPS traffic...
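
The "certificate correctly identifies the website" condition listed under "How does HTTPS work?" and the effect of a deployed interception certificate, as an added example (not code from this page or from the products it describes): once the proxy's certificate is in the trust store, an intercepted connection still validates, and only the issuer differs. The code assumes the chain was already validated by Python's `ssl` module; the sample certificates are constructed and the CA name `Example Caching Proxy CA` is hypothetical.

```python
# Added example. Certificates use the dict layout of ssl.SSLSocket.getpeercert().
PROXY_CA_CN = "Example Caching Proxy CA"  # hypothetical interception CA name

def rdn_value(name, key):
    """First value of `key` in a getpeercert()-style subject/issuer tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None

def name_matches(pattern, hostname):
    """Compare one certificate DNS name with a hostname (RFC 6125 style)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label
    if p[0] == "*":
        # Whole left-most label only, and never directly under a top-level
        # domain ("*.org"). Public-suffix lists are not consulted here.
        return len(p) >= 3 and p[1:] == h[1:]
    return "*" not in pattern and p == h

def cert_identifies(cert, hostname):
    """True if the certificate names `hostname`."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy fallback: subject CN, only when no SAN DNS entry exists
        cn = rdn_value(cert.get("subject", ()), "commonName")
        names = [cn] if cn else []
    return any(name_matches(n, hostname) for n in names)

def classify(cert, hostname, proxy_ca_cn=PROXY_CA_CN):
    """Return 'mismatch', 'intercepted' or 'direct'."""
    if not cert_identifies(cert, hostname):
        return "mismatch"
    issuer_cn = rdn_value(cert.get("issuer", ()), "commonName")
    return "intercepted" if issuer_cn == proxy_ca_cn else "direct"

# Constructed sample certificates (not captured from real servers).
DIRECT = {
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": ((("organizationName", "Constructed Public CA"),),
               (("commonName", "Constructed Public CA R1"),)),
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "*.cdn.example.org")),
}
PROXIED = dict(DIRECT, issuer=((("commonName", PROXY_CA_CN),),))

if __name__ == "__main__":
    for label, cert in (("direct", DIRECT), ("proxied", PROXIED)):
        print(label, classify(cert, "www.example.org"))
```

With a live connection, the same dict comes from `getpeercert()` on a socket wrapped by a context created with `ssl.create_default_context()`; that call returns an empty dict when the certificate was not validated.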