HTTPS (HyperText Transfer Protocol Secure) is a secured version of HTTP, a text-based data transfer protocol used by websites. While traditional HTTP communicates with plain text (which can be intercepted and read), HTTPS using a form of Public-key encryption to help provide Internet security for the information which is transferred.
Since HTTP packets can be easily intercepted and read, the primary goal of HTTPS is to encrypt this communication without significantly impacting the functionality of the World Wide Web. Using asymmetric encryption (SSL or TLS), the server and client connect to each other. The client sends a request for the server's public key, which the server sends. The client also supplies its public key, so each can communicate with the other securely. Each party can also verify the sender of each message, because each message is encrypted with the sender's private key, which only he or she should posses.
However, there is still a flaw in this system alone. During the initial exchange, an attacker can intercept the server and client public keys, and send his own in their place. Neither party would ever know, but the attacker has essentially tapped into the entire exchange using this method, known as a "man-in-the-middle attack." To deal with this issue, servers using HTTPS have their public keys indexed by certificate authorities. When a client attempts to visit a site using HTTPS, he or she checks the supplied public key against the one on file with a certificate authority. If they match, the process continues and the key as saved on the client's device for future use. If not, the user is shown a security warning. An increasing number of browsers even block access altogether in case of a supplied key/certificate mismatch.
Asymmetric encryption is very slow and inefficient, however. Once connected, the host and client share a symmetric key which they use from then on. They can then communicate with reasonable certainty that their exchange is private, while benefiting from the speed and efficiency of symmetric encryption.
There are many certificate authorities. The following is a list of some of the most popularly used ones, as reported in September 2017.
|Name||Usage rate||Market Share|
* Symantec announced in August 2017 that they were selling their certificate service to DigiCert.
** StartCom has lost favor in the industry, and its certificates are no longer being supported by Chromium, Firefox, or Edge browsers.
The following are some other known certificate authorities with a market share of less than 0.1%
- Deutsche Telekom
- Network Solutions
- Chunghwa Telecom
- Hongkong Post
- Japanese GPKI