HTTPS is HTTP over TLS (Transport Layer Security): it encrypts the whole exchange, authenticates the server, and guarantees data integrity in transit.
- TLS handshake: Client Hello (supported cipher suites, TLS versions) → Server Hello (chosen cipher suite) plus the server's certificate → the client validates the certificate chain against its trusted CAs (Certificate Authorities) and verifies the server's signature over the handshake (CertificateVerify in TLS 1.3), which proves the server holds the certificate's private key → ephemeral ECDH key exchange (only public values cross the wire; neither side's private key is ever sent) → session keys derived from the shared secret and the handshake transcript → encrypted application data. In TLS 1.3 the certificate itself is already sent encrypted, because the key shares travel in the Hello messages.
- Certificate chain: leaf certificate → intermediate CA → root CA (trusted by the browser/OS trust store). The server must send the leaf and the intermediates; the root has to be in the client's store already. Let's Encrypt issues free certificates through the ACME protocol; they are valid for 90 days, so renewal must be automated.
- HSTS (HTTP Strict Transport Security): Strict-Transport-Security: max-age=31536000; includeSubDomains tells the browser to reach this host (and its subdomains) only over HTTPS for one year after the header was last seen; http:// URLs are rewritten before any plaintext request leaves the browser, which defeats SSL stripping. The header is honoured only when received over HTTPS, so the very first visit is unprotected. The HSTS preload list (hstspreload.org, compiled into Chromium and consumed by the other major browsers) closes that gap by hardcoding the policy; submission requires max-age of at least one year, includeSubDomains and the preload directive.
- TLS 1.3 improvements: 1-RTT full handshake (TLS 1.2 needs 2-RTT); 0-RTT resumption for later connections to the same server (early data can be replayed by an attacker, so accept it only for idempotent requests); removal of weak constructs: RSA key transport, static DH, CBC-mode and RC4 suites, compression and renegotiation are gone, so every TLS 1.3 connection has forward secrecy.
- Certificate Transparency: append-only public logs of every issued certificate. Chrome and Safari reject publicly trusted certificates that do not carry Signed Certificate Timestamps (SCTs) from the logs. Monitor the logs (e.g. via crt.sh) to detect certificates issued for your domains that you never requested.
- Mixed content: an HTTPS page loading resources over plain HTTP. Browsers block active mixed content (scripts, stylesheets, iframes, XHR/fetch, WebSockets) outright; passive content (images, audio, video) used to load with a warning, and since Chrome 86 is automatically upgraded to https:// and blocked if the upgrade fails. Use absolute https:// or protocol-relative URLs, or the upgrade-insecure-requests CSP directive.
- Why it is mandatory: prevents MITM attacks; required for HTTP/2 (browsers only speak HTTP/2 over TLS) and for everything restricted to secure contexts (Service Workers, PWAs, getUserMedia, Geolocation and most newer Web APIs); a search ranking signal; and browsers label plain-HTTP pages 'Not Secure', which raises bounce rates.