 

What is the difference between http and https in programming [closed]

Tags: html, http, https

I just knew that the "s" stands for "Secure", and a user should never enter critical information on a website that uses http only. But I really want to know how these two protocols affect my programming, e.g.:

  • How do some websites get "https" and some do not (or maybe how they turn this feature on and off, which I don't know)? Does it mean I must register it somewhere?

  • I thought to myself that communication in http is not encrypted, while some encryption may take place in https. Is this correct?

  • And because the encryption (if any) process is done by the browser, as a result, my server-side code has nothing to do with "http" or "https". Is that correct?

  • Is there a way to force users to use https only?

Hoang Lam asked Feb 16 '13 17:02



2 Answers

  • Websites using the HTTPS protocol use a certificate, issued by a trusted third party (or a "certificate authority"), which contains a public key (see: Public Key Infrastructure). The public key is paired with a private key, and information encrypted with the private key can only be decrypted with the public key. This is used to confirm that the server is the holder of the private key (and is therefore the entity certified by the certificate authority). To use the HTTPS protocol, you must either generate or buy a certificate. It is more common to buy certificates rather than generate them, for various reasons.

  • HTTPS communication is encrypted. The keys associated with the certificate don't do the encrypting, instead the browser and server use a scheme such as Diffie-Hellman Exchange to make a key that is used in encrypting communications. This is important, because anyone with the public key can decrypt things encrypted with the private key.

  • Information sent from the browser is encrypted by the browser and decrypted by the server. Your web server software will decrypt the information; the information received will appear no different from standard HTTP traffic.

  • Yes, you can force HTTPS. You can do this either through your server software (e.g. RewriteRule in Apache, with a RewriteCond checking for HTTPS), or through HSTS, which involves sending a specific header. If you send an HSTS header in a browser supporting HSTS, the browser will automatically redirect from HTTP to HTTPS (see: HTTP Strict Transport Security).

LMS answered Nov 08 '22 05:11


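The second point of the answer above (the session key comes from a Diffie-Hellman style exchange, not from the certificate's key pair) as a worked toy handshake. This is example code added for this page, not the answerer's code and not what any TLS library does: the group (p = 2**127 - 1, generator 5), the SHA-256 transcript-hash key derivation and the XOR stream cipher are all simplifications chosen only to show the shape of the exchange.

```python
import hashlib
import hmac
import secrets

# Toy group: p = 2**127 - 1 is a Mersenne prime, chosen only to keep the numbers small.
# Real TLS uses standardised groups (e.g. ffdhe2048) or elliptic curves (X25519).
# Generator 2 is avoided on purpose: 2**127 == 1 (mod p), so 2 has order 127 here.
P = 2**127 - 1
G = 5
P_BYTES = (P.bit_length() + 7) // 8  # 16 bytes per group element


def keypair():
    """Ephemeral DH key pair: random private exponent x, public value g^x mod p."""
    priv = secrets.randbelow(P - 3) + 2  # x in [2, p-2]
    return priv, pow(G, priv, P)


def shared_secret(own_priv, peer_pub):
    """g^(xy) mod p; reject the degenerate public values 0, 1 and p-1."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, own_priv, P)


def derive_key(secret, transcript):
    """Session key = SHA-256(shared secret || transcript of both public values)."""
    return hashlib.sha256(secret.to_bytes(P_BYTES, "big") + transcript).digest()


def handshake():
    """Run the exchange for both sides; returns (client_key, server_key)."""
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    # Both parties see the same public values in the same order.
    transcript = c_pub.to_bytes(P_BYTES, "big") + s_pub.to_bytes(P_BYTES, "big")
    client_key = derive_key(shared_secret(c_priv, s_pub), transcript)
    server_key = derive_key(shared_secret(s_priv, c_pub), transcript)
    return client_key, server_key


def _keystream(key, nonce, length):
    """Toy keystream: SHA-256(key || nonce || counter) blocks. Illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, nonce, plaintext):
    """Encrypt-then-MAC under the session key: ciphertext || 32-byte HMAC tag."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def open_record(key, nonce, record):
    """Verify the tag first, then decrypt; returns None if the record was altered."""
    ct, tag = record[:-32], record[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


if __name__ == "__main__":
    ck, sk = handshake()
    assert ck == sk  # both sides derived the same key without ever sending it
    nonce = secrets.token_bytes(8)
    record = seal(ck, nonce, b"GET /account HTTP/1.1")  # constructed sample request
    print(open_record(sk, nonce, record))
```

Only the public values cross the wire; the certificate's key pair would be used to sign that transcript so the client knows which server it exchanged keys with, which is the part this toy omits.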

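The fourth point of the answer above, and the redirect described in the next answer, in working form: an added WSGI middleware in Python, written for this page rather than taken from either answer or from any web framework. It redirects plain-HTTP requests to the same URL under https:// and attaches a Strict-Transport-Security header to HTTPS responses only, since browsers ignore HSTS received over plain HTTP (RFC 6797). The environ keys follow PEP 3333; the X-Forwarded-Proto handling assumes a TLS-terminating reverse proxy that sets that header, which is an assumption of this example.

```python
import urllib.parse

HSTS_VALUE = "max-age=31536000; includeSubDomains"  # one year; adjust before deploying


def request_scheme(environ, trust_forwarded_proto=False):
    """Return 'http' or 'https' for this request (assumed proxy header if trusted)."""
    if trust_forwarded_proto:
        fwd = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
        if fwd in ("http", "https"):
            return fwd
    return environ.get("wsgi.url_scheme", "http")


def _strip_port(host):
    if host.startswith("["):  # IPv6 literal such as [::1]:8080
        return host[: host.index("]") + 1]
    return host.split(":")[0]


def https_url(environ):
    """Rebuild the request URL with the https scheme (PEP 3333 URL reconstruction)."""
    host = _strip_port(environ.get("HTTP_HOST") or environ["SERVER_NAME"])
    path = urllib.parse.quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", ""))
    query = environ.get("QUERY_STRING", "")
    return "https://" + host + path + ("?" + query if query else "")


class ForceHTTPS:
    """WSGI middleware: redirect http:// to https:// and send HSTS on https responses."""

    def __init__(self, app, trust_forwarded_proto=False, hsts=HSTS_VALUE):
        self.app = app
        self.trust = trust_forwarded_proto
        self.hsts = hsts

    def __call__(self, environ, start_response):
        if request_scheme(environ, self.trust) != "https":
            # 301 is fine for GET/HEAD; 308 preserves method and body for POST etc.
            if environ["REQUEST_METHOD"] in ("GET", "HEAD"):
                status = "301 Moved Permanently"
            else:
                status = "308 Permanent Redirect"
            start_response(status, [("Location", https_url(environ)), ("Content-Length", "0")])
            return [b""]

        def start_https(status, headers, exc_info=None):
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", self.hsts))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_https)


# --- helpers to exercise the middleware offline (constructed requests) ---

def hello(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def make_environ(scheme, method="GET", host="example.com", path="/login",
                 query="next=%2Faccount", **extra):
    env = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": method, "HTTP_HOST": host,
           "SERVER_NAME": host, "SCRIPT_NAME": "", "PATH_INFO": path, "QUERY_STRING": query}
    env.update(extra)
    return env


def call(app, environ):
    """Invoke a WSGI app and return (status, headers dict, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    print(call(ForceHTTPS(hello), make_environ("http")))
    print(call(ForceHTTPS(hello), make_environ("https")))
```

Behind a proxy that terminates TLS, wsgi.url_scheme is usually "http" for every request; without trust_forwarded_proto=True the middleware would then redirect forever, so enable it only when the proxy overwrites that header rather than passing a client-supplied value through.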
You need to install an SSL certificate on the webserver in order to enable HTTPS. This would allow for an encrypted connection to be established between the client browser and the server and all the HTTP traffic will be encrypted. This certificate is issued by a trusted authority. You could also generate a certificate for testing purposes but when a client browser navigates to the website it will emit a warning stating that this certificate was not issued by a trusted authority.

You could force HTTPS to be used by configuring your webserver to automatically redirect all HTTP requests to the corresponding HTTPS endpoint.

You could look up SSL/TLS.

Darin Dimitrov answered Nov 08 '22 03:11
