In modern society, where the internet has become indispensable for daily life and business, the importance of web security is ever-increasing. In particular, HTTPS communication and SSL/TLS certificates have become fundamental technologies for achieving secure information exchange on the web.
This page provides a detailed explanation of how HTTPS communication works and the role of SSL/TLS certificates. You will be able to understand how these technologies protect web communications and ensure user privacy and data integrity.
HTTP (Hypertext Transfer Protocol) is the fundamental protocol for transferring data between web browsers and web servers. HTTP was developed by Tim Berners-Lee in 1989 and is the foundation of the World Wide Web.
Main features of HTTP:
HTTP was not originally designed with secure data transfer in mind. Therefore, it has the following security vulnerabilities:
These vulnerabilities pose a significant risk, especially when handling sensitive information (passwords, credit card information, personal data, etc.). HTTPS was developed to solve these problems.
HTTPS (HTTP Secure) is a protocol that adds an encryption layer using TLS (Transport Layer Security) or its predecessor, SSL (Secure Sockets Layer), to HTTP. HTTPS provides data confidentiality, integrity, and authentication by encrypting the communication between a web browser and a web server.
HTTPS typically uses TCP port 443, and the URL begins with "https://". In modern web browsers, when you access a website protected by HTTPS, a lock icon is displayed in the address bar.
HTTPS achieves secure communication by combining the following technologies:
HTTPS communication proceeds in the following steps:
Using HTTPS provides the following benefits:
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols for achieving secure communication over the internet. TLS is the successor to SSL, and today the term SSL is often used as a general term that includes TLS.
History of SSL/TLS:
Currently, SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 are considered insecure, and support for them has been discontinued in many browsers and servers. To ensure security, it is recommended to use TLS 1.2 or higher.
There are several types of SSL/TLS certificates, depending on their use and validation level:
When a browser validates a website's SSL/TLS certificate, the following process takes place:
If any of these validation processes fail, the browser will display a warning to alert the user.
The TLS handshake is the process for establishing a secure communication channel between a client and a server. In this process, an agreement on the encryption algorithms to be used, authentication of the server, and establishment of a shared secret key are performed.
TLS 1.2 Handshake Process (simplified):
In TLS 1.3, the handshake process has been simplified and can now be completed in one round-trip (1-RTT) or, in some cases, zero round-trips (0-RTT). This reduces connection establishment latency and improves website loading speed.
Using HTTPS in a development environment is important for testing applications under the same conditions as the production environment. In particular, features like secure cookies, CORS, and HTTP/2 only work correctly over HTTPS. Here, we introduce various methods for setting up HTTPS in local development or testing environments.
A self-signed certificate is a certificate signed by yourself, not by a Certificate Authority (CA). They are widely used in development and testing environments because they can be created easily and at no cost. However, browsers will display a warning for certificates not signed by a trusted CA.
You can create a self-signed certificate with OpenSSL using the following commands:
# Generate a private key
openssl genrsa -out server.key 2048
# Create a Certificate Signing Request (CSR)
openssl req -new -key server.key -out server.csr
# Create a self-signed certificate
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Running these commands will generate the following files:
The generated certificate and private key can be used in your web server configuration. However, because certificates created this way are not trusted by browsers, a warning will be displayed upon access. It is recommended to use them only in development environments and to obtain a certificate from a trusted CA for production environments.
mkcert is a tool for easily creating trusted certificates in a local development environment. mkcert automatically installs a root certificate in the local trust store, allowing you to use HTTPS without browser warnings.
Installation methods for each OS are as follows:
brew install mkcert
brew install nss # if you use Firefox
choco install mkcert
brew install mkcert
Alternatively, you can download it directly from GitHub Releases.
To use mkcert, follow these steps:
mkcert -install
mkcert localhost 127.0.0.1 ::1 example.test *.example.testThis command creates a valid certificate for the specified domains (localhost, 127.0.0.1, ::1, example.test, *.example.test).
The created certificate and private key can be used in the configuration of your web server or application. Certificates created with mkcert are trusted by the browser on the local machine, so you can use HTTPS without warnings.
Many development tools and frameworks have built-in features to easily set up HTTPS in a local development environment. Below, we introduce how to configure HTTPS in major tools and frameworks.
const express = require('express');
const https = require('https');
const fs = require('fs');
const app = express();
// HTTPS server options
const options = {
key: fs.readFileSync('path/to/key.pem'),
cert: fs.readFileSync('path/to/cert.pem')
};
// Create HTTPS server
https.createServer(options, app).listen(443, () => {
console.log('HTTPS Server running on port 443');
});
In Create React App, simply setting HTTPS=true in the .env file will make the development server use HTTPS:
# .env file
HTTPS=true
To use a custom certificate, set the environment variables as follows:
# .env file
HTTPS=true
SSL_CRT_FILE=path/to/cert.crt
SSL_KEY_FILE=path/to/cert.key
In Vue CLI, you can configure HTTPS in the vue.config.js file:
// vue.config.js
const fs = require('fs')
module.exports = {
devServer: {
https: {
key: fs.readFileSync('path/to/server.key'),
cert: fs.readFileSync('path/to/server.crt')
}
}
}
In Angular, you can configure HTTPS in the angular.json file:
// angular.json
{
"projects": {
"your-app": {
"architect": {
"serve": {
"options": {
"ssl": true,
"sslKey": "path/to/key.pem",
"sslCert": "path/to/cert.pem"
}
}
}
}
}
}
In Django, you can specify the --cert-file and --key-file options with the runserver command:
python manage.py runserver --cert-file path/to/cert.pem --key-file path/to/key.pem
In Ruby on Rails, you can configure HTTPS in the config/puma.rb file:
# config/puma.rb
ssl_bind '0.0.0.0', '3000', {
key: 'path/to/server.key',
cert: 'path/to/server.crt'
}
Let's Encrypt is a Certificate Authority that provides a free and automated certificate issuance service. Even in development and staging environments, if you have a server with an actual domain name, you can use Let's Encrypt to obtain a valid certificate.
Let's Encrypt has a staging environment separate from the production environment. The staging environment has more lenient rate limits, making it suitable for testing and development. However, certificates issued by the staging environment are not trusted by browsers, so a warning will be displayed.
Certbot is a client tool for easily obtaining and renewing Let's Encrypt certificates. Below are the basic steps for obtaining a certificate using Certbot:
Installation methods for each OS are as follows:
sudo apt update
sudo apt install certbot
sudo yum install certbot
brew install certbot
For Nginx:
sudo certbot --nginx -d example.com -d www.example.com
For Apache:
sudo certbot --apache -d example.com -d www.example.com
sudo certbot certonly --standalone -d example.com -d www.example.com
sudo certbot --staging --nginx -d example.com -d www.example.com
For a local development environment that is not accessible from the internet, you can obtain a Let's Encrypt certificate using DNS validation. This method proves domain ownership by adding a DNS record.
sudo certbot certonly --manual --preferred-challenges dns -d example.com
When you run this command, it will display a TXT record that you need to add to your DNS records. Add the specified TXT record to your DNS, wait for propagation, and then continue the process.
For development environments with multiple subdomains, a wildcard certificate is convenient. Wildcard certificates can only be obtained through DNS validation.
sudo certbot certonly --manual --preferred-challenges dns -d example.com -d *.example.com
Let's Encrypt certificates are valid for 90 days and can be renewed automatically. It is recommended to set up periodic renewal even in a development environment.
# Test automatic certificate renewal
sudo certbot renew --dry-run
# Set up automatic renewal with a cron job
echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
Here are the best practices for strengthening the security of your website or web application: