1. What is HTTPS? How is it different from HTTP?
HTTPS (HyperText Transfer Protocol Secure) is HTTP layered over SSL/TLS, providing encryption, authentication, and data integrity.
- HTTP → Plaintext, insecure.
- HTTPS → Encrypted, secure communication.
2. How does HTTPS provide security?
HTTPS secures communication through:
- Encryption (TLS ensures data confidentiality)
- Authentication (server identity verified via digital certificate)
- Integrity (prevents tampering with data in transit via hashing)
3. What port does HTTPS use?
HTTPS typically uses port 443, while HTTP uses port 80.
4. What role do SSL/TLS certificates play in HTTPS?
Certificates verify the identity of the server (and optionally client). They contain a public key used in the handshake process for encryption.
5. Explain the HTTPS handshake (TLS Handshake).
Steps (simplified):
- Client Hello → Lists supported encryption algorithms.
- Server Hello → Chooses algorithm + sends certificate.
- Key Exchange → Client verifies certificate, shares session key.
- Encryption → Both use session key for secure communication.
6. What are the different types of SSL/TLS certificates?
- Domain Validation (DV) – Basic validation, cheap, fast.
- Organization Validation (OV) – Organization details verified.
- Extended Validation (EV) – Strongest validation (green bar in browsers).
7. What are the main advantages of HTTPS?
- Encrypts sensitive data (logins, payments, personal info).
- Prevents man-in-the-middle (MITM) attacks.
- Builds user trust (padlock symbol).
- Improves SEO ranking (Google prefers HTTPS sites).
8. What are some weaknesses or limitations of HTTPS?
- Slightly higher resource usage (encryption overhead).
- Requires valid certificates (cost & renewal).
- If implemented incorrectly, still vulnerable (e.g., weak ciphers, expired certs).
9. What is HSTS (HTTP Strict Transport Security)?
A mechanism that forces browsers to only connect via HTTPS (never downgrade to HTTP), preventing SSL stripping attacks.
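As an added example (not code from the original page), this is the browser-side behaviour HSTS relies on: parse the Strict-Transport-Security header, remember the host until max-age expires, and upgrade later http:// requests before they leave the browser. The names parse_hsts, HstsStore and rewrite_url are my own, and the hosts used in the comments and tests are made up.

```python
def parse_hsts(header):
    """Parse a Strict-Transport-Security header value (RFC 6797).
    Returns None when there is no valid max-age, which means 'no policy'."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in (header or "").split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

class HstsStore:
    """In-memory 'known HSTS hosts' list, as a browser keeps it."""
    def __init__(self):
        self._hosts = {}  # host -> (expiry_epoch, include_subdomains)

    def record(self, host, header, now):
        """Call only for a header received over an HTTPS response with a valid
        certificate; RFC 6797 says headers seen over plain HTTP must be ignored."""
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy["max_age"] == 0:  # max-age=0 tells the browser to forget the host
            self._hosts.pop(host.lower(), None)
            return
        self._hosts[host.lower()] = (now + policy["max_age"], policy["include_subdomains"])

    def must_use_https(self, host, now):
        """True if host (or a parent with includeSubDomains) has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and now < entry[0] and (i == 0 or entry[1]):
                return True
        return False

def rewrite_url(store, url, now):
    """What a browser does before sending a request: an http:// URL to a known
    HSTS host is upgraded internally, so a stripping proxy never sees plain HTTP."""
    if url.startswith("http://"):
        host = url[len("http://"):].split("/", 1)[0].split(":", 1)[0]
        if store.must_use_https(host, now):
            return "https://" + url[len("http://"):]
    return url
```

The first visit is the weak spot: until a host is in the store (or on the browser's preload list), nothing stops the initial plain-HTTP request from being intercepted.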
10. How do you check if a website’s HTTPS connection is secure?
- Look for padlock icon in browser.
- Check certificate details (issuer, expiry).
- Verify protocol/cipher strength (e.g., TLS 1.3, AES).
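The "check certificate details" step, scripted, as an added example that is not part of the original post. It works on the dict shape Python's ssl.SSLSocket.getpeercert() returns, so it runs offline against a constructed certificate (SAMPLE_CERT, "shop.example" and "Example CA" are made-up values, and dns_id_matches, issuer_name and check_peer_cert are my own names).

```python
import ssl

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns;
# "shop.example" and "Example CA" are made-up names, not a real site or CA.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA Root"),)),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
}

def dns_id_matches(pattern, hostname):
    """RFC 6125-style match: '*' is only accepted as the entire leftmost label
    and must leave at least two labels to its right (so '*.example' is rejected)."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def issuer_name(cert):
    """Flatten the issuer RDN sequence into a readable string."""
    return " / ".join(value for rdn in cert["issuer"] for _, value in rdn)

def check_peer_cert(cert, hostname, now, warn_days=30):
    """Return a list of problems with the validity period and hostname binding.
    `now` uses the same 'Mon DD HH:MM:SS YYYY GMT' format as the certificate fields.
    An empty list means the certificate is in its validity window and names the host."""
    problems = []
    ts = ssl.cert_time_to_seconds(now)
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if ts < not_before:
        problems.append("certificate not yet valid")
    if ts > not_after:
        problems.append("certificate expired")
    elif not_after - ts < warn_days * 86400:
        problems.append(f"certificate expires within {warn_days} days")
    # Browsers match the hostname against subjectAltName, not the CN.
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(dns_id_matches(s, hostname) for s in sans):
        problems.append(f"hostname {hostname} not covered by SAN {sans}")
    return problems
```

Chain trust (was it signed by a CA you trust?) and revocation are not covered here; the ssl module's default context does the chain check for you when you connect.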
Quick One-liner for interviews:
“HTTPS is HTTP over TLS/SSL, ensuring secure, encrypted, and authenticated communication, widely used to protect sensitive transactions like banking and e-commerce.”
1. What is HTTPS and what is its primary purpose?
HTTPS stands for Hypertext Transfer Protocol Secure. It is a secure version of HTTP that uses SSL/TLS (Secure Sockets Layer/Transport Layer Security) to encrypt the data transmitted between a web browser and a website. Its primary purpose is to provide confidentiality, integrity, and authenticity for data in transit, protecting sensitive information like login credentials, financial data, and personal details.
2. What is the difference between HTTP and HTTPS?
Feature | HTTP | HTTPS |
---|---|---|
Security | Not secure; data is sent in plain text. | Secure; data is encrypted using SSL/TLS. |
Port | Uses port 80. | Uses port 443. |
Certificate | No certificate required. | Requires an SSL/TLS certificate. |
Authentication | No server authentication. | Server is authenticated by a Certificate Authority (CA). |
3. Explain the TLS/SSL Handshake process.
The TLS handshake is the process that establishes a secure, encrypted connection between a client and a server. It involves several steps:
Client Hello: The client sends a "Client Hello" message to the server, including its supported TLS version, cipher suites, and a random number.
Server Hello: The server responds with a "Server Hello" message, selecting a TLS version and cipher suite from the client's list, and sends its own random number.
Certificate: The server sends its SSL/TLS certificate to the client. This certificate contains the server's public key.
Client Verification: The client verifies the server's certificate against a list of trusted Certificate Authorities. If the certificate is valid, the client generates a pre-master secret, encrypts it with the server's public key, and sends it to the server.
Server Decryption: The server uses its private key to decrypt the pre-master secret.
Symmetric Key Generation: Both the client and the server use the pre-master secret and the random numbers to independently generate a session key (a symmetric key).
Finished: Both parties send encrypted "Finished" messages using the new session key, confirming that the handshake is complete and the secure connection is established. All subsequent data will be encrypted with this session key.
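The "Symmetric Key Generation" step above (and the "Key Exchange → ... shares session key" bullet in the first list) carried through in code, as an added example that is not from the original page. It implements the TLS 1.2 PRF from RFC 5246 (P_SHA256, master secret, key block), which is the derivation that matches the RSA pre-master-secret description given here; TLS 1.3 replaced it with an HKDF-based schedule. The function names and the constructed random values are my own.

```python
import hashlib
import hmac

def p_sha256(secret, seed, length):
    """P_SHA256 from RFC 5246 section 5: expand secret+seed with iterated HMAC."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()          # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]

def prf(secret, label, seed, length):
    """TLS 1.2 PRF: PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)

def master_secret(pre_master, client_random, server_random):
    """RFC 5246 section 8.1: 48-byte master secret from the pre-master secret
    and both Hello randoms (the randoms travel in the clear, the pre-master secret
    only under the server's public key)."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)

def key_block(master, client_random, server_random, length):
    """RFC 5246 section 6.3: note the randoms are concatenated server-first here."""
    return prf(master, b"key expansion", server_random + client_random, length)

def simulate_handshake_keys(client_random, server_random, pre_master):
    """Run the derivation independently on each side and split the key block the way
    an AEAD suite such as AES_128_GCM does: no MAC keys, 2 x 16-byte keys, 2 x 4-byte IVs."""
    client_side = master_secret(pre_master, client_random, server_random)
    server_side = master_secret(pre_master, client_random, server_random)
    kb = key_block(client_side, client_random, server_random, 40)
    return {
        "master_secret": client_side,
        "agree": client_side == server_side,   # same inputs, same key, nothing sent on the wire
        "client_write_key": kb[0:16],
        "server_write_key": kb[16:32],
        "client_write_iv": kb[32:36],
        "server_write_iv": kb[36:40],
    }

if __name__ == "__main__":
    # Constructed inputs: 32-byte randoms and a 48-byte RSA-style pre-master secret (0x0303 + 46 bytes).
    keys = simulate_handshake_keys(bytes(range(32)), bytes(range(32, 64)), b"\x03\x03" + bytes(46))
    print("both sides agree:", keys["agree"])
    print("client write key:", keys["client_write_key"].hex())
```

Because the master secret depends on both randoms, replaying a captured pre-master secret against a fresh handshake yields a different session key; the RSA key exchange itself still lacks forward secrecy, which is why ephemeral Diffie-Hellman suites are preferred.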
4. What is a digital certificate and why is it important in HTTPS?
A digital certificate is an electronic document used to prove the ownership of a public key. It is issued by a Certificate Authority (CA) and contains the website's public key, the domain name, and the CA's digital signature. Its importance lies in:
Authentication: It verifies that the server is who it claims to be, preventing Man-in-the-Middle (MITM) attacks.
Confidentiality: It contains the public key used to encrypt the session key, ensuring that only the server can decrypt it.
5. What is a Certificate Authority (CA)?
A Certificate Authority (CA) is a trusted third-party organization that issues digital certificates. It acts as a guarantor for the identity of the website owner. When a client's browser verifies a certificate, it checks if the certificate was signed by a CA it trusts. If so, the browser can be confident in the server's identity.
6. What are the three key security benefits of HTTPS?
Confidentiality (Encryption): Data exchanged between the client and server is encrypted, so it cannot be read by anyone else.
Integrity: The data is protected from being tampered with during transit. Any modification would be detected.
Authenticity: The client can be sure they are connecting to the legitimate website and not a malicious impersonator.
7. What is the difference between SSL and TLS?
SSL (Secure Sockets Layer) was the original cryptographic protocol, but it has been deprecated due to security vulnerabilities. TLS (Transport Layer Security) is the more modern and secure successor to SSL. While the term "SSL" is still commonly used, all modern secure connections use TLS.