Why HTTPS Matters: Understanding SSL/TLS, Certificates, and Secure Migration

This article explains the security shortcomings of plain HTTP, introduces HTTPS and its SSL/TLS encryption layer, compares symmetric and asymmetric cryptography, describes certificate types, and provides practical migration steps with Nginx configuration examples.

Architecture Talk

Introduction

Before discussing HTTPS, it is useful to recall that HTTP is a stateless, simple, TCP‑based protocol that transmits data in clear text.

Because HTTP sends information unencrypted, it suffers from serious security risks such as eavesdropping, tampering, and impersonation, especially on untrusted networks like public Wi‑Fi.

HTTPS Overview

HTTPS solves these problems by inserting an encryption layer (SSL/TLS) between TCP and HTTP, ensuring that data is encrypted during transmission while the HTTP layer still receives plaintext.

SSL was originally developed by Netscape; TLS 1.0 is its IETF‑standardized successor.

Advantages

For implementation details of the handshake, see Ruanyifeng’s overview of the SSL/TLS protocol operation. The advantages of HTTPS are easiest to see against the risks of plain HTTP:

HTTP Risks

Eavesdropping: third parties can read the communication content.

Tampering: third parties can modify the communication content.

Impersonation: third parties can pose as the other party.

HTTPS Solutions

All information is transmitted encrypted, preventing eavesdropping.

Integrity checks detect any tampering immediately.

Digital certificates bind identities to public keys, preventing impersonation.

Implementation

Encryption uses two main algorithms:

Symmetric encryption: the same key encrypts and decrypts data; fast but vulnerable if the key is leaked.

Asymmetric encryption: a public key encrypts data and a private key decrypts it; more secure but computationally heavier.

Because performing asymmetric operations for every request would degrade performance, HTTPS typically establishes a session key using asymmetric cryptography once, then uses symmetric encryption for the bulk of the data transfer.

The session key is generated after both parties agree on the SSL/TLS version and exchange random numbers. Because those first two random numbers travel in the clear, the client encrypts a third random value (the premaster secret) with the server’s public key; only the holder of the matching private key can recover it, so only the two endpoints can derive the session key.
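The hybrid scheme described in the two paragraphs above, written out as an added Go example (this is illustrative code added here, not code from the original article). It assumes RSA-OAEP for wrapping the premaster secret and a single SHA-256 over the two randoms and the premaster secret as the key derivation; real TLS 1.2 uses a PRF and TLS 1.3 uses HKDF with an ephemeral Diffie-Hellman exchange instead of RSA key transport. The function names (NewServerKey, Handshake, DeriveSessionKey, Seal, Open) are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// randomBytes returns n bytes from the OS CSPRNG (the handshake "random numbers").
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

// NewServerKey stands in for the key pair whose public half sits in the server certificate.
func NewServerKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// DeriveSessionKey mixes client random, server random and premaster secret into a
// 256-bit symmetric key. Simplification: one SHA-256 instead of the TLS PRF/HKDF.
func DeriveSessionKey(clientRandom, serverRandom, premaster []byte) []byte {
	h := sha256.New()
	h.Write([]byte("illustrative session key"))
	h.Write(clientRandom)
	h.Write(serverRandom)
	h.Write(premaster)
	return h.Sum(nil)
}

// Handshake models the RSA key exchange from the text: the two randoms are sent in
// the clear, the premaster secret is wrapped with the server's public key, and each
// side derives the session key independently. Both derived keys are returned.
func Handshake(serverKey *rsa.PrivateKey) (clientSide, serverSide []byte, err error) {
	clientRandom := randomBytes(32) // ClientHello random, visible on the wire
	serverRandom := randomBytes(32) // ServerHello random, visible on the wire
	premaster := randomBytes(48)    // the third random value, never sent in clear

	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &serverKey.PublicKey, premaster, nil)
	if err != nil {
		return nil, nil, err
	}
	unwrapped, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverKey, wrapped, nil)
	if err != nil {
		return nil, nil, err
	}
	clientSide = DeriveSessionKey(clientRandom, serverRandom, premaster)
	serverSide = DeriveSessionKey(clientRandom, serverRandom, unwrapped)
	return clientSide, serverSide, nil
}

// Seal encrypts one record with AES-256-GCM; the authentication tag is what makes
// tampering detectable. The random nonce is prepended to the ciphertext.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a record produced by Seal and fails closed on any modification.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("record too short")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil) // error if the tag does not verify
}

func main() {
	clientKey, serverKey, _ := Handshake(NewServerKey())
	fmt.Println("both sides derived the same key:", bytes.Equal(clientKey, serverKey))
	sealed, _ := Seal(clientKey, []byte("GET /account HTTP/1.1"))
	plain, err := Open(serverKey, sealed)
	fmt.Printf("server read %q (err=%v)\n", plain, err)
	sealed[len(sealed)-1] ^= 0x01 // one flipped ciphertext bit, as a tamperer would cause
	_, err = Open(serverKey, sealed)
	fmt.Println("tampered record rejected:", err != nil)
}
```

Both sides compute the same key although only the wrapped premaster secret crossed the wire, and the GCM authentication tag is why a single flipped bit makes Open return an error rather than corrupted plaintext; that is the integrity check the earlier section refers to.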

To prevent man‑in‑the‑middle attacks, the server presents a digital certificate issued by a trusted Certificate Authority (CA). The certificate contains the domain name, public key, and validation data, allowing the client to verify the server’s identity.

Certificate Types by Validation Level

Domain Validation (DV): verifies control of the domain only.

Organization Validation (OV): includes verified organization information.

Extended Validation (EV): provides the highest assurance with organization details shown in the browser address bar.

Certificate Types by Coverage

Single‑domain SSL certificate: protects one specific domain.

Wildcard SSL certificate: protects a domain and all its subdomains.

Multi‑domain SSL certificate: protects multiple distinct domains.

Migration Tips from HTTP to HTTPS

Obtain an appropriate certificate from a CA.

Open port 443 on the server and configure the certificate. Example Nginx configuration:

server {
    listen 443 ssl;                  # enable TLS on the socket; the old "ssl on;" directive is obsolete
    server_name localhost;
    root html;
    index index.html index.htm;
    ssl_certificate cert/证书文件.pem;         # certificate chain (server cert plus any intermediates)
    ssl_certificate_key cert/证书私钥.key;     # private key; keep it readable by root only
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1.2 TLSv1.3;   # TLS 1.0 and 1.1 are deprecated (RFC 8996) and should not be offered
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}

Redirect all HTTP (port 80) traffic to HTTPS.

Cache TLS session parameters so that returning clients can resume a session instead of repeating the full handshake, which reduces CPU load, e.g.:

http {
    # configure shared session cache size
    ssl_session_cache shared:SSL:10m;
    # configure session timeout
    ssl_session_timeout 10m;
    ...
}

Conclusion

The article provides a straightforward overview of HTTPS, its encryption mechanisms, certificate types, and practical migration steps, without delving into complex cryptographic formulas.

Written by

Architecture Talk

Rooted in the "Dao" of architecture, we provide pragmatic, implementation‑focused architecture content.
