Communications over networks or the internet can become very insecure if proper security measures are not in place. This can be critical for applications like payment transactions on the web, causing losses of millions of dollars to the customer and the enterprise. This is where SSL and HTTPS come in. SSL is a cryptographic protocol used to provide security to communications above the transport layer. HTTPS is a combination of HTTP and SSL that can create secure channels over insecure networks.
What is SSL?
SSL (Secure Socket Layer) is a cryptographic protocol that is used to provide security for communications taking place over the internet. SSL uses asymmetric cryptography to preserve privacy and message authentication codes to ensure the reliability of all network connections above the transport layer. SSL is widely used for web browsing, email, faxing over the internet, IM (instant messaging) and VoIP (Voice-over-IP). SSL was developed by Netscape Corporation and was succeeded by TLS (Transport Layer Security). SSL 2.0 was released in 1995 (version 1.0 was never released to the public), and version 3.0 (released a year later) replaced version 2.0 (which had several significant security flaws). Later, TLS was introduced as SSL 3.1. The current version is SSL 3.3, which is mostly identified as TLS 1.2. SSL is implemented over the transport layer and encapsulates application layer protocols like HTTP, FTP and SMTP. Traditionally it has been used with TCP (Transmission Control Protocol) and, to a lesser extent, with UDP (User Datagram Protocol). SSL is used with HTTP to obtain HTTPS, which uses public key certificates to identify endpoints for applications such as e-commerce.
What is HTTPS?
HTTPS (HTTP Secure) is a protocol created by combining HTTP (HyperText Transfer Protocol) and the SSL/TLS protocols. HTTPS provides secure communication through encryption and identifies the end points of the connection, making it ideal for applications like payment transactions on the WWW (World Wide Web) or sensitive transactions in corporations. Basically, HTTPS can create a secure connection through an insecure network. If the cipher suites in use are adequate and the server certificates are trusted, then these HTTPS secure channels will safeguard against eavesdroppers and man-in-the-middle attacks. But, even if HTTPS is used, the user can guarantee that the channel is fully secure only if all the following conditions are satisfied: the browser implements HTTPS correctly with CAs (Certificate Authorities), the CAs only vouch for legitimate sites, the certificate provided by the site is valid, the web site is correctly identified by the certificate and, finally, the intermediate hops are trustworthy. All modern browsers warn users if they receive invalid certificates from web sites. Of course, the user is given the option of continuing further at her own risk.
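The conditions listed above map onto settings that an HTTPS client controls. The following is an added example, not part of the original article, that uses Python's standard ssl module to put a context with verification switched off beside a hardened one and audits both; the function names and the list of weak cipher markers are assumptions of this example.

```python
import ssl

# Substrings of OpenSSL cipher names treated as inadequate (assumption of this example).
WEAK_CIPHER_MARKERS = ("NULL", "EXP-", "RC4", "MD5")


def hardened_client_context():
    """Client context that enforces the conditions the text lists."""
    ctx = ssl.create_default_context()            # loads the trusted CA store
    ctx.check_hostname = True                     # site name must match the certificate
    ctx.verify_mode = ssl.CERT_REQUIRED           # chain must validate to a trusted CA
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL 3.0, TLS 1.0 and TLS 1.1
    return ctx


def weak_client_context():
    """Equivalent of clicking through a certificate warning: encrypted, not authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                    # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE               # any certificate is accepted
    return ctx


def audit_client_context(ctx):
    """Return the list of conditions from the text that this context fails to enforce."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are allowed")
    weak = sorted(c["name"] for c in ctx.get_ciphers()
                  if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS))
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_client_context(ctx) or "no findings")
```

A context that fails the first two checks still encrypts traffic, but it cannot tell the intended server from a man-in-the-middle presenting its own certificate.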
What is the difference between SSL and HTTPS?
The main difference between SSL and HTTPS is that SSL is a cryptographic protocol, while HTTPS is a protocol created by combining HTTP and SSL. But, sometimes, HTTPS is not identified as a protocol per se, but as a mechanism that merely uses HTTP over encrypted SSL connections. In other words, HTTPS uses SSL to create a secure HTTP connection. Because of the encryption provided by SSL, HTTPS is able to withstand eavesdropping and man-in-the-middle attacks.