
CCN Case Study

HTTPS is an extension of HTTP that adds encryption for secure communication over a network. To set up a server for HTTPS transactions, an SSL certificate must be purchased, requested, and installed. This involves buying a certificate, requesting it, installing it on the server to enable encryption, authentication and integrity, and updating site links and URLs to use HTTPS. HTTPS protects data in transit from eavesdropping or tampering compared to the insecure HTTP protocol.

Uploaded by

Gaurang Gawas

CASE STUDY

Name of the Students:


1. Gaurang Gawas - 2021201071
2. Suyash Bargal - 2021201075
3. Virender Mahajan - 2021201079

SEM: 6th
Department: EXTC
DATE OF UPLOAD: 15/4/23

CASE Study Statement:


How is it different from HTTP? How must the server be set up for HTTPS transactions? How
would it protect you from using a public Wi-Fi connection at a local coffee shop? Should all Web
traffic be required to use HTTPS? Why or why not? Write a one-page paper on your research.

Abstract:
HTTPS is a commonly used protocol to secure web service communications. This research paper
is intended to serve as a single point of reference for PKI administrators and others who manage
web servers for their organizations and want to configure HTTPS for secure
communication. It also covers web authentication and authorization and the role of the HTTP and
HTTPS protocols in networking, with emphasis on the rules for communicating with the web and the
roles of different users accessing web applications over HTTP and HTTPS. The paper
also describes the differences between the HTTP and HTTPS protocols and the role they play in
networking.

Literature review, images, graphs, etc., with sequential citations to references

Introduction:
Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer
Protocol (HTTP). It uses encryption for secure communication over a computer network and
is widely used on the Internet. In HTTPS, the communication protocol is encrypted
using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). The protocol
is therefore also referred to as HTTP over TLS or HTTP over SSL.
The principal motivations for HTTPS are authentication of the accessed website and
protection of the privacy and integrity of the exchanged data while it is in transit. It protects
against man-in-the-middle attacks, and the bidirectional block cipher encryption of
communications between a client and server protects the communications
against eavesdropping and tampering. The authentication aspect of HTTPS requires a trusted
third party to sign server-side digital certificates. This was historically an expensive operation,
which meant fully authenticated HTTPS connections were usually found only on secured
payment transaction services and other secured corporate information systems on the World
Wide Web. In 2016, a campaign by the Electronic Frontier Foundation with the support
of web browser developers led to the protocol becoming more prevalent. HTTPS is now used
more often by web users than the original, non-secure HTTP, primarily to protect page
authenticity on all types of websites, secure accounts, and keep user communications, identity,
and web browsing private.

HTTPS uses an encryption protocol to encrypt communications. The protocol is
called Transport Layer Security (TLS), although formerly it was known as Secure Sockets
Layer (SSL). This protocol secures communications by using what’s known as an asymmetric
public key infrastructure. This type of security system uses two different keys to encrypt
communications between two parties:

1. The private key - this key is controlled by the owner of a website and it’s kept, as
the reader may have speculated, private. This key lives on a web server and is
used to decrypt information encrypted by the public key.

2. The public key - this key is available to everyone who wants to interact with the
server securely. Information that's encrypted by the public key can only be
decrypted by the private key.

How is HTTPS different from HTTP?

Technically speaking, HTTPS is not a separate protocol from HTTP. It is simply using
TLS/SSL encryption over the HTTP protocol. HTTPS occurs based upon the transmission
of TLS/SSL certificates, which verify that a particular provider is who they say they are.

When a user connects to a webpage, the webpage will send over its SSL certificate which
contains the public key necessary to start the secure session. The two computers, the client
and the server, then go through a process called an SSL/TLS handshake, which is a series of
back-and-forth communications used to establish a secure connection.

HTTPS adds encryption, authentication, and integrity to the HTTP protocol:


Encryption: Because HTTP was originally designed as a clear text protocol, it is vulnerable
to eavesdropping and man-in-the-middle attacks. By including SSL/TLS encryption, HTTPS
prevents data sent over the internet from being intercepted and read by a third party.
Through public-key cryptography and the SSL/TLS handshake, an encrypted communication
session can be securely set up between two parties who have never met in person (e.g. a web
server and browser) via the creation of a shared secret key.

Authentication: Unlike HTTP, HTTPS includes robust authentication via the SSL/TLS
protocol. A website’s SSL/TLS certificate includes a public key that a web browser can use
to confirm that documents sent by the server (such as HTML pages) have been digitally
signed by someone in possession of the corresponding private key. If the server’s certificate
has been signed by a publicly trusted certificate authority (CA), such as SSL.com, the browser
will accept that any identifying information included in the certificate has been validated by a
trusted third party.

HTTPS websites can also be configured for mutual authentication, in which a web browser
presents a client certificate identifying the user. Mutual authentication is useful for situations
such as remote work, where it is desirable to include multi-factor authentication, reducing the
risk of phishing or other attacks involving credential theft.

Integrity: Each document (such as a web page, image, or JavaScript file) sent to a browser by
an HTTPS web server includes a digital signature that a web browser can use to determine
that the document has not been altered by a third party or otherwise corrupted while in transit.
The server calculates a cryptographic hash of the document's contents, including its digital
certificate, which the browser can independently calculate to prove that the document's
integrity is intact.
Taken together, these guarantees of encryption, authentication, and integrity make
HTTPS a much safer protocol for browsing and conducting business on the web than
HTTP.

The following figure illustrates the difference between communication over HTTP and
HTTPS:

How must the server be set up for HTTPS transactions?

To set up a server for HTTPS transactions, you will need to perform the following steps:
1. Buy an SSL certificate.

2. Request the SSL certificate.

3. Install the certificate.

4. Update your site to enable HTTPS.

1. Grab Your SSL Certificate:

Enabling HTTPS on your website doesn't only protect the integrity of your data. HTTPS is
also a requirement for many new browser features. Not only that, but it makes your visitors
feel more secure whenever they visit your site. These are important reasons your site needs an
SSL certificate. Before you run out and look for an SSL certificate to buy, make sure you
already know where you stand with your current web host. SSL is fairly simple to set up, but
you need to follow the right procedure for your situation. If your web host already offers a
free SSL solution, then don't waste money buying a certificate.

These are typically the SSL certificate options you have to choose from.

• Free SSL certificate from your existing web host.
• Get a free SSL certificate from services like Let's Encrypt, Comodo, or Cloudflare.
• Purchase an SSL certificate from services like DigiCert, Namecheap, or GoDaddy.

SSL services that offer free SSL certificates often also offer paid ones. Some web hosts offer
free management of those cron jobs if you use a service like Let's Encrypt.

Whichever option you go with, when you order a certificate you'll see a page like the one
below. Both the certificate and the key are a part of the package.

2. Install Your SSL Certificate:

Most guides that describe how to install an SSL certificate will tell you that you have to have
a dedicated IP. This means purchasing a more expensive dedicated hosting plan. If you have
such a plan, and you go into your account you'll see that you have a dedicated IP associated
with it.
If you have a shared hosting plan, where multiple websites share the same server, then you
don't have a dedicated IP that goes with your URL.

Does that mean you can't install an SSL certificate without a dedicated hosting plan? No.
Thanks to a technology called Server Name Indication (SNI), you can still install an SSL
certificate for your site.

If you have a shared hosting plan, ask your web host whether they support SNI for SSL
encryption. To install your certificate, you'll need to go into cPanel and click on SSL/TLS
Manager.
You should see various options for managing SSL certificates. To install your initial SSL
certificate for HTTPS, choose the Install option.
You'll see the option to choose the domain you'd like to install the certificate onto. Choose the
correct domain from the dropdown box. Next, paste the long encrypted certificate text that
you copied when you purchased the certificate.

Once you save, make sure to go into WordPress and refresh all caching. Also, clear your
browser cache (press Ctrl + F5). View your site again by typing the site URL with "https://"
in front of it. If all is well, you'll see the "Secure" status in front of your site URL.
Congratulations! You now have a functioning SSL certificate, and your site can be accessed
via HTTPS.

3. Configure your site to enable HTTPS:


Allow the website a few moments to update, and then check that you can visit the https:// version of
your website. If the website loads, congratulations are in order: you’ve successfully
installed your SSL certificate to enable HTTPS.

You must re-direct users from HTTP to HTTPS on the relevant pages where secure
information will be submitted. This also means that you’ll likely need to change the links to
those pages to ensure that they are HTTPS rather than HTTP.

If you do wish to ensure that people visiting specific pages will be redirected to HTTPS rather
than HTTP, it's best to force this on the server side. You can use the following piece of code at
the top of your page. It's in PHP, but you could also use another language:

Alternatively, you can also force a redirection through your .htaccess file. The following code
is an example that would redirect any user looking at their cart or the checkout page to the
HTTPS version if they are not already on it:
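The same server-side rule as an added example (not the PHP or .htaccess code the original refers to), written as Python WSGI middleware. The paths `/cart` and `/checkout`, the host `shop.example.com` and the stand-in application `site` are assumptions; the redirect target uses a configured host name rather than the request's Host header, so a forged header cannot steer the redirect elsewhere.

```python
from urllib.parse import quote

SECURE_PREFIXES = ("/cart", "/checkout")   # assumed paths of the cart and checkout pages
CANONICAL_HOST = "shop.example.com"        # assumed site name; never taken from the request

def needs_https(path):
    """True for the protected pages and anything beneath them (not '/cartoon')."""
    return any(path == p or path.startswith(p + "/") for p in SECURE_PREFIXES)

def force_https(app):
    """WSGI middleware: 301-redirect plain-HTTP requests for protected pages to HTTPS."""
    def middleware(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if environ.get("wsgi.url_scheme") == "https" or not needs_https(path):
            return app(environ, start_response)
        location = "https://" + CANONICAL_HOST + quote(path)
        if environ.get("QUERY_STRING"):
            location += "?" + environ["QUERY_STRING"]   # keep the query string intact
        start_response("301 Moved Permanently",
                       [("Location", location), ("Content-Length", "0")])
        return [b""]
    return middleware

def site(environ, start_response):          # stand-in for the real application
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]

def probe(scheme, path, query="", host="shop.example.com"):
    """Send one constructed request through the middleware; return (status, Location)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"wsgi.url_scheme": scheme, "PATH_INFO": path,
               "QUERY_STRING": query, "HTTP_HOST": host}
    force_https(site)(environ, start_response)
    return seen["status"], seen["headers"].get("Location")
```

Behind a TLS-terminating proxy or load balancer, `wsgi.url_scheme` describes the proxy-to-application hop, so the scheme has to come from a forwarded header set by that trusted proxy instead.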

4. Test the HTTPS Setup:
After completing the above steps, it is important to test your HTTPS setup to ensure that it is
working correctly. You can use online tools like Qualys SSL Labs or SSL Server Test to
check the SSL configuration of your server.

5. Renew the SSL/TLS Certificate:


SSL/TLS certificates have an expiration date, typically ranging from one to three years.
Therefore, it is important to renew the certificate before it expires to ensure that your website
remains secure and available.

Overall, setting up a server for HTTPS transactions requires obtaining and installing an
SSL/TLS certificate, configuring the web server, testing the setup, and renewing the
certificate periodically.

How would it protect you from using a public Wi-Fi connection at a local
coffee shop?

If you are on public WiFi, using HTTPS without a VPN means that some of your data will
still be vulnerable.

HTTPS encrypts the traffic between your device and a website, making it difficult for
intruders to observe the information being shared. It also provides signatures, or HTTPS
certificates, that allow you to verify that the site you are on is run by whom it claims to be.
HTTPS has become a standard security feature for nearly all websites.

Should all web traffic be required to use HTTPS? Why, or why not?

• HTTPS promotes security; however, not all web traffic should be in HTTPS format.
• With HTTPS, websites will lose the ability to cache.
• Also, a purely security-focused, HTTPS-only Web would, with today's technology, be
slower.
• For sites that don't have any reason to encrypt anything—in other words, you never log
in, so there's nothing to protect—the overhead and loss of caching that comes with
HTTPS just don't make sense.
• However, for big sites like Facebook, Google Apps, or Twitter, many users might be
willing to take a slight performance hit in exchange for a more secure connection. And
the fact that more and more websites are adding support for HTTPS shows that users
do value security over speed, so long as the speed difference is minimal.
• Perhaps the main reason most of us are not using HTTPS to serve our websites is
simply that it doesn't work with virtual hosts. Virtual hosts, which are what the most
common cheap Web hosting providers offer, allow the Web host to serve multiple
websites from the same physical server—hundreds of websites all with the same IP
address. That works just fine with regular HTTP connections, but it doesn't work at all
with HTTPS.

Learning outcomes in your own words (at least 3 key statements)


• We learned about the HTTP and HTTPS Protocols and how they play a crucial role in
protecting data integrity and security.
• We learned to set up a server for HTTPS transactions.
• We also learned to protect ourselves while using public Wi-Fi using HTTPS.


Undertaking

We hereby submit this report as accurate to the best of our knowledge, and the plagiarism
report (should be below 20%) is attached along with this.
