Hypertext transfer protocol secure (HTTPS) is the secure variant of HTTP, which uses transport layer security (TLS) to encrypt sensitive data as it travels across the network. TLS provides both authentication (allowing a party to verify that they're speaking to the domain they think they are) and encryption (to ensure that nobody controlling the network between the client and server can view or modify the communications). Authentication happens using certificates made using one's public key infrastructure (PKI)

Netscape Communications created the SSL protocol in 1994 to support its own browser. HTTPS wasn't officially specified by the RFC 2818 until 2000, which was after TLS debuted. SSL itself is now disabled in most clients and servers due to security weaknesses addressed by TLS.

HTTPS is the default security protocol across the web today, and is used by a staggering majority of active websites. You can tell if a website is secured via HTTPS if the URL is preceded by a padlock icon, and when the URL itself begins with https://.

What makes HTTPS useful?

HTTPS helps secure web communications with the help of TLS. It shields sensitive information from man-in-the-middle (MITM) attacks and snooping attempts, which can more successfully interpret unprotected data packets. Such a security measure is critical to preserving online privacy, and especially so in industries where private information regularly trades hands—such as healthcare, banking, government, eCommerce, and others. 

Unsecured HTTP messages are sent as plain text. This human-readable data is easy to intercept and decipher. By comparison, HTTPS encrypts data into a machine-readable blob of randomized data that can only be understood using a key (which the client and server agree on at the start of a TLS connection). This is unreadable to would be snoopers and quite challenging to decrypt even with dedicated tooling.

HTTPS helps with the following: 

  • Protecting against webpage content injection from internet service providers (ISPs) and other entities 

  • Protecting against snooping by ISPs and other entities

  • Building trust with website users

  • Enabling web server and website authentication via SSL/TLS

  • Prevent harvesting of login credentials and other personal information, while submitting electronic items such as forms

  • Allowing clients and servers to agree to speak HTTP/2

There are numerous benefits to implementing HTTPS on your website. However, many website owners and application developers shy away from using HTTPS due to perceived expense, negative performance impacts, or the assumption that their web application purely handles non-sensitive data. These concerns have largely arisen from the early days of HTTPS and have since been (heavily) mitigated by performance improvements to HTTPS and the underlying TLS protocol.

How does HTTPS work?

We've discussed how HTTPS uses encryption to transform ordinary, plain-text messages into secure messages. And because HTTPS leverages the TLS protocol, it abides by many of the same mechanisms—such as the TLS handshake. This process involves the following steps:

  1. The client opens a TCP connection with the server by sending a SYN packet, and getting a SYN+ACK in reply.

  2. The client sends a TLS client "hello" packet to the HTTPS server with a list of algorithms (encryption and hash based message authentication) which it supports, often the domain it wants to connect to via SNI (server name indication), and some random numbers to begin encryption key negotiation. If using 0-RTT, the client can also include its encrypted request in this packet and the remaining negotiation steps will happen while the server is working on a response.

  3. The server responds with a TLS server "hello" which includes any mutually supported algorithms, a certificate, more random numbers computed for the negotiated algorithms, and a signature of the client's random numbers via private key of the certificate it's presenting (to prove that it possesses the private key without disclosing it). The server can also use the client hello packet for client fingerprinting.

  4. The client confirms its trust in the certificate sent by the server (by checking that it's signed by a known certificate authority), and that the server's proof of private key control is correct. The client can include its certificate (and proof of control of the private key of said certificate) here if using mutual TLS. Once satisfied it sends a "change cipher spec" packet (which is the last unencrypted packet the client will send).

  5. The server responds with its own "change cipher spec" packet to complete the TLS setup.

  6. The client and server exchange encrypted and authenticated "application data" packets with the negotiated algorithm. These are signed using the negotiated hash based authentication algorithm (HMAC). To reduce handshake overhead, connection reuse is often used to send multiple requests and responses across this connection.

  7. If the client or server encounters issues during the negotiation or communications (an incorrectly signed packet, a protocol it doesn’t support, etc.) it'll send a TLS fatal alert packet stating the reason (plain text before the change cipher spec, encrypted after that).  The underlying TCP connection will then end immediately. To better understand why an SSL connection failed (even if the reason is encrypted) view our error-log-format documentation.

HTTPS relies on asymmetric encryption through the use of private and public keys—the former managed by the website and retained by the corresponding web server. The latter is available to any client attempting to communicate with the web server. 

While regular HTTP uses port 80 for communication, port 443 is reserved for HTTPS. This network port forms a secure channel through which data can move efficiently. Access to port 443 is common these days, but will sometimes require firewall settings configuration for complete support in some environments.

Does HAProxy support HTTPS?

Yes! HAProxy products support all forms of HTTP and TLS, and therefore can route incoming requests served over HTTPS. We make it easy to set up HTTPS in your configuration, upgrade your connection to HTTPS, and implement redirects to help secure your traffic. And with supplemental support for automated TLS and mTLS certificate management, managing HTTPS in HAProxy is a breeze. 

To learn more about HTTPS in HAProxy, check out our SSL/TLS documentation or Your Comprehensive Guide to HAProxy Protocol Support.