Talk:HTTPS

Computing Start‑class

	This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of computers, computing, and information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.ComputingWikipedia:WikiProject ComputingTemplate:WikiProject ComputingComputing articles
Start	This article has been rated as Start-class on Wikipedia's content assessment scale.
???	This article has not yet received a rating on the project's importance scale.

To do

To do:

mention the virtual hosting IP address problem: how does SSL/TLS know which cert to present?
mention the HTTP to SHTTP boosting solution: but not yet widely deployed

The Anome 17:46 Feb 24, 2003 (UTC)

I came here looking for how to write web pages that use HTTPS. Is there an HTML keyword? Did not get any help. Would be nice if there was a pointer to that information.

HTML and HTTP are two different things. HTML is a markup language and HTTP is a protocol which can be used to transport html to a web browser. Your HTML will not look any different whether being transported via HTTP or HTTPS.

I don't have a pointer but no, it doesn't depend on HTML. The client can initiate HTTPS by using an https: URL, and/or you can configure virtual directories on your Web server to require HTTPS. Yaron 20:45, May 17, 2005 (UTC)

Different types of SSL certificates

I'd love to see a discussion of this, as as far as I can tell, the different options (primiarly upsells from the base certificate) are pretty much a hoax. wildcard dns can be useful, but otherwise arguments by companies that SGC or org-validated certificates will be more secure seem unlikely - the SSL is either going to be encrypted at 128 bits or not. https://www.servertastic.com/ssl-certificates/

Name-based virtual hosting

The article says:

(This is subject to change in the upcoming TLS 1.1, which will enable name-based virtual hosting. As of December 2006, all major web browsers support TLS's Server Name Indication feature, but the feature is not widely used by web sites.)

However, there are no details nor pointers on this subject. Either one would be appreciated. -- Ernstdehaan 14:29, 16 May 2007 (UTC)[reply]

Headline text

Adecco website redirects here!

Why does this page keep coming up every time I access a Job registration page? I dont give a hoot about https; get the thing off.

Because Adecco's web coders are morons. If you're using Firefox, it gives you this page instead of their application form for some weird reason.

If you type just "https" (or any other non-url) into your URL bar in firefox, firefox types it into the search at google.com and presses the I'm feeling lucky button, which takes you to the first match of the search. Google's first match for "https" is the wikipedia page, so you are redirected there. Adecco must have made a mistake in their link coding to cause this. Blame them, not wikipedia. Rjmunro 15:46, 15 September 2006 (UTC)[reply]

Can't view this article

I can't view the article directly from here, as it gives me the "Wikipedia does not have an article with this exact name" box. I can, however view it through it's history by looking at the diff between the current version and the last one. --Sivius ^T-C 20:59, 17 September 2006 (UTC)[reply]

Not reproducible. -- Ernstdehaan 14:30, 16 May 2007 (UTC)[reply]

Out-of-place text that I cannot delete

I see the following text on a separate line just below the first paragraph of this article:

sales assistant where house security

I tried to edit the article, to get rid of it, but it doesn't appear on the "edit this page" page. Maybe if someone else knows how, they could clean it up. Thanks. —The preceding unsigned comment was added by 75.5.96.236 (talk) 00:05, 16 February 2007 (UTC).[reply]

UPDATE - Nevermind. Somebody took care of it, and I was still seeing it. A friend clued me in to "control-r", which refreshed the bogus text out of existence.

Diagram & How It REALLY Works?

It would be great to see a state diagram of how the secure connection is made and at which point the HTTP request is actually sent to the server. The current "How It Works" section really doesn't describe it very well. --Lance E Sloan 19:40, 26 February 2007 (UTC)[reply]

Well, the article does say that https is just an use of the SSL/TLS protocol. How TLS works is explained on that article, at Transport Layer Security#How it works. Was this more useful? Any ideas how to make it more obvious? (I've currently added a "for details, see ..." link to the article) -- intgr 20:21, 26 February 2007 (UTC)[reply]

Someone please add a sequence diagram for communications over HTTPS. A simple diagram should do. ddas|edEn (talk) 08:32, 4 March 2008 (UTC)[reply]

difference between SFTP & HTTPS

What are the differences between SFTP & HTTPS? —The preceding unsigned comment was added by 15.227.137.71 (talk) 10:36, 15 March 2007 (UTC).[reply]

It is the same difference as FTP & HTTP, only now they are bot secure. HTTP is used for visiting websites, FTP is a file transfer protocol. 213.73.219.133 09:19, 18 May 2007 (UTC)[reply]

Actually, I think SFTP uses a different underlying protocol. 171.71.37.29 20:29, 4 October 2007 (UTC)[reply]

sftp != ftps, ftps is ftp over ssl just like https is http over ssl. sftp is a system for transfering files over a ssh session. Plugwash 22:42, 4 October 2007 (UTC)[reply]

External Link Proposal

Why are the bottom 4 links in the following list considered spam? I checked each one of them individually and they all appear to be well-suited..

Spam links?

What do you think? Any of these a good match for this page? I'm still a newbie so..

Produke 22:59, 25 March 2007 (UTC)[reply]

HTPS redirect

Why does HTPS redirect here? I was hoping to find more information about a display technology in LCD projectors. 194.7.161.130 08:22, 4 September 2007 (UTC)[reply]

Obviously it's a misspelling of "HTTPS"; it wouldn't interfere with the creation of an article about HTPS, just nobody has written it yet. -- intgr ^#%@! 11:54, 4 September 2007 (UTC)[reply]

vs Comcast

A lesser-known effect of Comcast's traffic shaping is that they completely block incoming http requests (i.e. they apparently regard http servers as being worse than torrents). Does https obfuscate the http request so that Comcast treats the packets the same as they would for other protocols? Ham Pastrami (talk) 11:26, 19 February 2008 (UTC)[reply]

Capitalization

Why does the HTTP article capitalize the abbreviation while this article lower-cases the HTTPS abbreviation? I would have expected the abbreviation to be all uppercase when used as a word and all lowercase when used as a protocol-prefix (i.e, when the colon follows it), i.e., HTTPS vs. https:.

-Andreas Toth (talk) 22:06, 19 February 2008 (UTC)[reply]

The short version: http and https are protocol identifiers. HTTP is a protocol. HTTPS doesn't exist. The long version: in Netscape's original specification for SSL and related RFCs, "https" is only used in the context of a URI. The protocol itself is usually referred to as "HTTP over SSL" or "HTTP/SSL". In modern context the actual protocol being used is just as likely to be HTTP/TLS. "https" is merely a mnemonic chosen for security-enhanced HTTP. The actual protocol used to implement enhanced security is subject to change. Netscape could just as easily have chosen "asdf://" to signify HTTP/SSL and then this answer might be better understood, though the identifier wouldn't be! Ham Pastrami (talk) 02:07, 20 February 2008 (UTC)[reply]

Requested move

The following discussion is an archived discussion of the proposal. Please do not modify it. Subsequent comments should be made in a new section on the talk page. No further edits should be made to this section.

The result of the proposal was move. JPG-GR (talk) 05:54, 19 August 2008 (UTC)[reply]

Hypertext Transfer Protocol over Secure Socket Layer → https — I'm requesting to rename this article back to "https", like it used to be until May 2008, when User:Ziggymarley01 moved it to its current name. This move was done without sufficient prior discussion and contrary to WP:COMMONNAME; people rarely write out "Hypertext Transfer Protocol", much less when referring to the secured variant. Furthermore, Secure Sockets Layer has been deprecated, and RFC 2818 actually calls this protocol "HTTP over TLS".

Alternatives also include "HTTP/TLS" or "HTTP over TLS", although I am leaning towards https. — -- intgr [talk] 11:50, 12 August 2008 (UTC)[reply]

Survey

Feel free to state your position on the renaming proposal by beginning a new line in this section with *'''Support''' or *'''Oppose''', then sign your comment with ~~~~. Since polling is not a substitute for discussion, please explain your reasons, taking into account Wikipedia's naming conventions.

Oppose Regardless, every other page on the TCP/IP model infobox follows this convention. Such a discussion should take place for all at once, having one oddball is bad for consistency. ffm 17:02, 12 August 2008 (UTC)[reply]
WP:COMMONNAME is defined as "Use the most common name of a person or thing that does not conflict with the names of other people or things", so I can't see how you could not decide this on a case-by-case basis. The acronyms TCP and UDP are ambiguous whereas "https" is not.

I don't think that consistency of infoboxes has any precedence over established Wikipedia naming conventions. You'll also note that this article is not actually present on the "TCP/IP model" infobox. -- intgr [talk] 20:05, 12 August 2008 (UTC)[reply]

Discussion

Any additional comments:

The above discussion is preserved as an archive of the proposal. Please do not modify it. Subsequent comments should be made in a new section on this talk page. No further edits should be made to this section.

Article name

I can't believe I'm the only one who noticed that the name of this article contains a misspelling. Protocal? Really?? --Simon Wright (talk) 03:57, 4 December 2008 (UTC)[reply]

Fixed. -- Rick Block (talk) 18:43, 4 December 2008 (UTC)[reply]

Man-in-the-middle attacks

I've just removed a few sentences claiming that HTTPS wasn't secure against man-in-the-middle attacks, because they were incorrect. There are cases where MiM attacks may occur if the cipher suites are not appropriate (e.g. anonymous ones), but otherwise, that's the point of SSL. I've also removed this sentence "https only protects data in transit from eavesdropping and not man-in-the-middle attacks. Once data arrives at its destination, it is only as safe as the computer it is on. Gene Spafford states that it is like "using an armored truck to transport rolls of pennies between someone on a park bench and someone doing business from a cardboard box."[2]". If a man controls your computer, he's no longer in the middle: that's not a MiM attack. This quote from Gene Spafford seems out of context, since SSL/TLS allows the client to check the identity of the server it's talking to by checking its certificate (how it trusts it is a distinct issue).

I've left the last part about the static and publicly available content, but the explanations are a bit simplistic, I think. This really only leads to a guess as to what the downloaded page may be and that guess is only realistic if the eavesdropper knows the entire possible set of webpages the server may return (or as much as possible). —Preceding unsigned comment added by BrunoHarbulot (talk • contribs) 03:56, 10 December 2008 (UTC)[reply]

Suggestion: rename this article

Given the availability of the (newer) Transport Layer Security (TLS) as an alternative to Secure Socket Layer (SSL) protocol, why don't we rename this article "HTTPS" or "Hypertext Transfer Protocol Secure"?

Recent additions to this article prompt reconsideration of this matter, which was introduced in earlier posts below.

WorldlyWebster (talk) 13:48, 25 December 2008 (UTC)[reply]

Missing Redirect?

Hypertext Transfer Protocol Secure does not redirect to this article. The article starts out with those exact words in bold. I'd suggest that someone creates the redirect (I cannot) or change the first words to HTTPS ("Hypertext Transfer Protocol Secure"). 75.71.216.105 (talk)