HTTPS is HTTP over TLS (Transport Layer Security) — it encrypts all communication, verifies the server's identity, and ensures data integrity.
- TLS handshake: Client Hello (supported cipher suites, TLS version) → Server Hello (chosen cipher, certificate) → Client verifies the certificate chain against a trusted CA (Certificate Authority) → Key exchange (ECDH — the private key is never shared) → Session keys derived → Encrypted communication begins.
- Certificate chain: leaf certificate → intermediate CA → root CA (trusted by browsers/OS); Let's Encrypt provides free certificates with automatic renewal.
- HSTS (HTTP Strict Transport Security): Strict-Transport-Security: max-age=31536000; includeSubDomains — the browser only connects via HTTPS for 1 year, preventing SSL stripping attacks; the HSTS Preload list (Chromium preload) is hardcoded into browsers, so even the very first visit is protected.
- TLS 1.3 improvements: 1-RTT handshake (vs 2-RTT in TLS 1.2), 0-RTT resumption for subsequent connections, removal of insecure cipher suites.
- Certificate Transparency: a public log of every issued certificate — lets you detect unauthorized certificate issuance for your domain.
- Mixed content: an HTTPS page loading HTTP resources — browsers block active mixed content (scripts, XHR) and warn about passive mixed content (images).
- Mandatory because: it prevents MITM attacks; it is required for HTTP/2 (browsers only support HTTP/2 over TLS); it is required for Service Workers, PWAs, getUserMedia, and other modern browser features; it is an SEO ranking factor; and the browser's 'Not Secure' warning increases bounce rate.