HTTPS stands for Hypertext Transfer Protocol Secure, the encrypted version of HTTP. It is a protocol used for secure communication over the internet. When you visit an HTTPS website, the data exchanged between your web browser and the website is encrypted, so it stays confidential from third parties and its integrity can be ensured.
HTTPS needs a certificate from a third party to secure communication and verify that the website is compliant. This certificate is known as an SSL (Secure Sockets Layer) certificate. It is used to encrypt the connection and provides another layer of security for sensitive data that must not be accessed by attackers. This additional security can be extremely important for protecting secret information such as a user's identification information, address, credit card number, etc.
HTTPS encryption uses the TLS (Transport Layer Security) protocol. It requires a private key and a public key to encrypt data between two parties. The private key is controlled by the owner of the website and is used to decrypt data that was encrypted with the public key. The public key is available to everyone who interacts with the website securely.
The picture below is one example of an SSL certificate.
It contains the following information.
- The domain name that the certificate was issued for
- Where the certificate was issued to
- Which certificate authority issued it
- Issue/Expiration date of the certificate
- The certificate authority's digital signature
- Associated subdomains
- The public key (the private key must not be publicly available)
Once the certificate is issued, it must be installed and activated on the website's origin server. When it's activated on the server, the website will load over HTTPS and all incoming/outgoing traffic from the website will be encrypted and secure.
Domains need to obtain a valid SSL certificate from a certificate authority (CA). A CA is a trusted third-party SSL certificate provider. The CA will also digitally sign the certificate with its own private key, allowing clients to verify it. Most CAs will charge a fee for issuing an SSL certificate. Starchart uses Let's Encrypt, a non-profit provider that issues SSL certificates for free. Both free and paid SSL certificate providers offer all necessary security. You need to choose a provider based on your needs. You can read more in this article: A free or a paid SSL certificate - which one is better
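As an added example (not code from Starchart or from the original post), this script uses the openssl CLI to build a throwaway CA, issue a certificate for a constructed domain, print the fields listed above, and show that verification succeeds only against the CA that signed it. The names demo-ca, other-ca and example.test are assumptions for illustration, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/usr/bin/env bash
# Added example: every name here (demo-ca, other-ca, example.test) is constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a CA key pair and its self-signed certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=Example Test CA/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert CA DOMAIN: the site owner creates a key pair and a signing
# request; the CA then signs the certificate with its own private key.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s,DNS:www.%s\n' "$2" "$2" > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -days 7 \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}

# show_fields DOMAIN: who it was issued to, who issued it, validity dates
# and associated names. Add -pubkey to print the public key as well.
show_fields() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject -issuer -dates \
    -ext subjectAltName
}

# verify_cert CA DOMAIN: exit status 0 only if DOMAIN's certificate carries a
# valid signature from CA and is inside its validity period.
verify_cert() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

make_ca demo-ca
make_ca other-ca
issue_cert demo-ca example.test
show_fields example.test
verify_cert demo-ca example.test && echo "demo-ca: signature verifies"
verify_cert other-ca example.test || echo "other-ca: verification fails"
```

The private key files (`*.key`) never leave the temporary directory; only the `.crt` files are what a server would present to clients.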
To build a website that exchanges critical information such as transaction data, important personal information, etc., HTTPS is mandatory. Although I didn't write any code for the certificate-related part, Starchart gave me an opportunity to learn more about SSL certificates. I think this is one good aspect of contributing to an open source project, since I usually build projects on subjects that I'm most familiar with. I'm learning many tech stacks and more detailed knowledge about the internet through Starchart.