HTTPS: It is used for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, its predecessor Secure Sockets Layer (SSL); the name "SSL" is still used loosely for both.
2 - It means that websites showing a padlock in the address bar (or search bar) are using SSL/TLS, that is, encryption between the server and your browser.
1 - HTTPS with the lock icon means that the connection between your browser and that site is encrypted, so information you enter on the page cannot be read or altered in transit. It says nothing about whether the site itself is honest.
HTTPS is now used more often by web users than the original non-secure HTTP, primarily to protect page authenticity on all types of websites, to secure accounts, and to keep user communications, identity, and web browsing private.
HTTPS (Hypertext Transfer Protocol Secure) is an internet communication protocol that protects the integrity and confidentiality of data between the user's computer and the site. Users expect a secure and private online experience when using a website.
Advantages of HTTPS and an SSL certificate
Customer information, such as credit card numbers, is encrypted by HTTPS. It can still be intercepted on the network, but whoever intercepts it sees only ciphertext.
Visitors to your website or online shop can check that you control the domain. Only an organisation-validated (OV) or extended-validation (EV) certificate additionally shows the registered company behind the site; a plain domain-validated (DV) certificate proves control of the domain and nothing more.
Customers are more inclined to trust an e-commerce site and to complete their purchases thanks to the padlock, which reassures them that their payment details travel encrypted. Keep in mind that the padlock vouches for the connection, not for the merchant: a fraudulent shop can obtain a certificate just as easily as an honest one.
For example, when a valid certificate is used for an HTTPS connection, users see a padlock in the browser's address bar.
With an HTTPS connection, all communications are encrypted. So even if someone manages to get into the path of the connection, they will be unable to decrypt the data exchanged between the visitor and the website, unless they can also present a certificate for that domain that the browser trusts, which is why the certificate authority system discussed further down matters.
Note that it is technically possible to use HTTPS only for the transaction part of an e-commerce site, but this is a poor choice: while the rest of the site is served over plain HTTP, the links leading to the checkout and any cookies set without the Secure attribute can be read or tampered with on the way.
What is an HTTPS certificate?
When you request an HTTPS connection to a web page, the site first sends its SSL/TLS certificate to your browser. This certificate contains the server's public key, which the browser uses to check that it is talking to the holder of the matching private key before the secure session starts.
On the basis of this initial exchange, your browser and the website then run the "SSL handshake" protocol. This involves generating shared secrets that establish a connection unique to that visitor and that website.
As the name suggests, the "private" key must be strictly protected and accessible only to its owner. In the case of a website, the private key stays on the web server. The public key, by contrast, is meant to be distributed to anyone who needs to verify signatures made with the private key, or to encrypt data that only the private key can decrypt.
How does HTTPS work?
HTTPS pages use TLS (Transport Layer Security, the successor of SSL) to encrypt communications. The protocol relies on an "asymmetric" public key infrastructure (PKI): each server holds a key pair, and certificate authorities vouch for which public key belongs to which domain.
As more information is revealed about global mass surveillance and criminals stealing personal information, the use of HTTPS on all websites is becoming increasingly important regardless of the type of Internet connection being used.
Why is there a padlock on Google?
These symbols tell you the security state of a site: whether it presents a valid security certificate and whether the connection is encrypted.
When you visit a website, the site identity button (a padlock) appears in the address bar, to the left of the site's address. From it you can quickly see whether the connection to the website you are viewing is encrypted and, in some cases (OV or EV certificates), who owns it.
HTTPS is especially important over insecure networks and networks that may be subject to tampering. Insecure networks, such as public Wi-Fi access points, allow anyone on the same local network to packet-sniff and discover sensitive information not protected by HTTPS. Additionally, some free-to-use and paid WLAN networks have been observed tampering with webpages by engaging in packet injection in order to serve their own ads on other websites. This practice can be exploited maliciously in many ways, such as by injecting malware onto webpages and stealing users' private information.
The security of HTTPS is that of the underlying TLS, which typically uses long-term public and private keys to authenticate a short-term session key, which is then used to encrypt the data flow between the client and the server. X.509 certificates are used to authenticate the server (and sometimes the client as well). As a consequence, certificate authorities and public key certificates are necessary to verify the relation between the certificate and its owner, as well as to generate, sign, and administer the validity of certificates. While this can be more beneficial than verifying the identities via a web of trust, the 2013 mass surveillance disclosures drew attention to certificate authorities as a potential weak point allowing man-in-the-middle attacks.[23][24] An important property in this context is forward secrecy, which ensures that encrypted communications recorded in the past cannot be retrieved and decrypted should long-term secret keys or passwords be compromised in the future. Not all web servers provide forward secrecy:[25] TLS 1.2 servers provide it only when they negotiate an ephemeral (EC)DHE cipher suite, while TLS 1.3 removed the static RSA and static Diffie-Hellman key exchanges, so every TLS 1.3 connection has it.
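The handshake described under "What is an HTTPS certificate?" and the derivation of a short-term session key discussed just above, as an added example that is not part of the original page: an ephemeral Diffie-Hellman exchange over the RFC 3526 2048-bit group followed by HKDF, which is the key-agreement step of a TLS (EC)DHE handshake. The transcript string, the key labels and the function names are this example's own assumptions, and the server's signature over its ephemeral value with its certificate key (the step that ties the exchange to the certificate) is not modelled; the point shown is that the long-term key never enters the session keys, which is what forward secrecy means in practice.

```python
import hashlib
import hmac
import secrets

# RFC 3526 "group 14": 2048-bit MODP safe prime with generator 2.  This is a
# transcription of the RFC constant; check it against the RFC before relying on it.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16)
G = 2
Q = (P - 1) // 2  # order of the prime-order subgroup generated by G


def dh_keypair():
    """Fresh ephemeral pair: private exponent in [2, Q-1], public value G^x mod P."""
    x = secrets.randbelow(Q - 2) + 2
    return x, pow(G, x, P)


def dh_shared_secret(own_private, peer_public):
    """Validate the peer's value (range and subgroup membership, which defeats
    small-subgroup tricks), then return the shared secret as 256 bytes."""
    if not 2 <= peer_public <= P - 2 or pow(peer_public, Q, P) != 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, own_private, P).to_bytes(256, "big")


def hkdf_sha256(ikm, salt, info, length=32):
    """RFC 5869 HKDF (extract, then expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_keys(shared_secret, transcript):
    """Bind the keys to the handshake messages, as TLS does, and split them
    into one key per direction.  Labels are this example's choice."""
    salt = hashlib.sha256(transcript).digest()
    return {
        "client_write": hkdf_sha256(shared_secret, salt, b"client write key"),
        "server_write": hkdf_sha256(shared_secret, salt, b"server write key"),
    }


def run_handshake(transcript=b"constructed transcript: ClientHello||ServerHello"):
    """One session.  Each side keeps only its own private exponent, sends its
    public value, and derives the same keys.  Returns both sides' key sets
    plus the two values that crossed the wire (all an eavesdropper sees)."""
    client_priv, client_pub = dh_keypair()
    server_priv, server_pub = dh_keypair()
    client_keys = derive_session_keys(dh_shared_secret(client_priv, server_pub), transcript)
    server_keys = derive_session_keys(dh_shared_secret(server_priv, client_pub), transcript)
    # The private exponents die here.  They never touch disk or the server's
    # long-term certificate key, so stealing that key later does not recover
    # this session's keys: that is forward secrecy.
    del client_priv, server_priv
    return {"client": client_keys, "server": server_keys,
            "on_the_wire": (client_pub, server_pub)}


if __name__ == "__main__":
    s1, s2 = run_handshake(), run_handshake()
    print("both sides derived the same keys:", s1["client"] == s1["server"])
    print("two sessions share no key material:", s1["client"] != s2["client"])
```

Under TLS 1.2 with a static RSA key exchange the client would instead encrypt a premaster secret to the certificate's public key; a later theft of that private key would then decrypt every recorded session, which is exactly the case the ephemeral exchange above avoids.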
For HTTPS to be effective, a site must be completely hosted over HTTPS. If some of the site's contents are loaded over HTTP (scripts or images, for example), or if only a certain page that contains sensitive information, such as a log-in page, is loaded over HTTPS while the rest of the site is loaded over plain HTTP, the user will be vulnerable to attacks and surveillance. Additionally, cookies on a site served through HTTPS must have the secure attribute enabled. On a site that has sensitive information on it, the user and the session will get exposed every time that site is accessed with HTTP instead of HTTPS.[13]
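The two checks the paragraph above calls for, as an added example that is not code from the original page: a scanner that lists the sub-resources (and form targets) of an HTTPS page that would still go over plain HTTP, and a check of Set-Cookie headers for the Secure attribute (HttpOnly is checked too, since a cookie readable by injected script is the usual follow-on damage). The HTML, the cookie headers and the hostnames are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose referenced URL the browser fetches (or, for <form>, submits to).
_URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href",
              "audio": "src", "video": "src", "source": "src", "embed": "src",
              "object": "data", "form": "action"}


class MixedContentScanner(HTMLParser):
    """Collect references that resolve to a plain-http URL on an https page.
    Relative and protocol-relative ('//host/x.js') references inherit https
    from the page, so only references that really end up on http are reported."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = _URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value and urlsplit(urljoin(self.page_url, value)).scheme == "http":
            self.findings.append((tag, value))


def cookie_problems(set_cookie_headers):
    """Flag Set-Cookie headers lacking Secure (the cookie would also be sent on
    any http request to the site) or HttpOnly (readable by injected script)."""
    problems = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0].strip()
        flags = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
        missing = [f for f in ("secure", "httponly") if f not in flags]
        if missing:
            problems.append((name, missing))
    return problems


def audit_https_page(page_url, html, set_cookie_headers):
    """Combine both checks for one response.  Empty lists mean the page passes."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("the page itself is not served over https")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return {"mixed_content": scanner.findings,
            "cookie_problems": cookie_problems(set_cookie_headers)}


# Constructed sample response: one script and one form target still on http,
# one cookie set without the Secure attribute.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example.test/site.css">
<script src="http://cdn.example.test/analytics.js"></script>
</head><body>
<img src="//images.example.test/logo.png">
<img src="/static/banner.png">
<form action="http://example.test/login" method="post"></form>
<iframe src="https://pay.example.test/widget"></iframe>
</body></html>"""
SAMPLE_SET_COOKIE = [
    "session=abc123; Path=/; HttpOnly",
    "csrf=def456; Path=/; Secure; HttpOnly; SameSite=Strict",
]

if __name__ == "__main__":
    report = audit_https_page("https://example.test/account", SAMPLE_HTML, SAMPLE_SET_COOKIE)
    for tag, url in report["mixed_content"]:
        print(f"mixed content: <{tag}> loads {url}")
    for name, missing in report["cookie_problems"]:
        print(f"cookie {name!r} is missing: {', '.join(missing)}")
```

The scanner only sees what is in the HTML; resources fetched by scripts at run time need a browser-side check (the browser console reports them as mixed content). The cookie check is the one to wire into a test suite, since a single Set-Cookie without Secure undoes the rest of the HTTPS deployment.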
To prepare a web server to accept HTTPS connections, the administrator must generate a private key for the server, produce a certificate signing request (CSR) containing the matching public key and the hostnames the server will answer for, and have that request signed by a certificate authority (a self-signed certificate works for testing, but browsers will warn about it). The private key then stays on the server, readable only by the server process.
SSL/TLS does not prevent a web crawler from indexing the site, and in some cases the URI of an encrypted resource can be inferred from the intercepted request/response sizes alone.[37] This gives an attacker both the plaintext (the publicly available static content) and its ciphertext (the encrypted version of that same content), the starting point for a cryptographic attack; it also means that, without breaking the encryption at all, an observer can often tell which public page was fetched.
Because TLS operates at a protocol level below that of HTTP and has no knowledge of the higher-level protocols, a TLS server can strictly present only one certificate for a particular address and port combination.[38] In the past, this meant that it was not feasible to use name-based virtual hosting with HTTPS. A solution called Server Name Indication (SNI) exists, which sends the hostname to the server before encrypting the connection, although very old browsers do not support this extension. Support for SNI is available since Firefox 2, Opera 8, Apple Safari 2.1, Google Chrome 6, and Internet Explorer 7 on Windows Vista. Because SNI travels in the ClientHello before any key has been agreed, the hostname (though not the path or the page content) is visible to anyone observing the connection.
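The "hostname sent before encrypting the connection" part above, as an added example that is not code from the original page: a parser that pulls the SNI hostname out of a raw ClientHello record, which is what a name-based TLS front end or router does before it can pick a certificate. The ClientHello builder is constructed for the example (a minimal hello with a supported_versions extension ahead of SNI, so the parser has to skip an extension it does not care about); the parser itself follows the TLS record and handshake layouts from the RFCs, and treats anything malformed as an error rather than guessing.

```python
import secrets
import struct


def build_client_hello(hostname=None, cipher_suites=(0x1301, 0x1302, 0xC02F)):
    """Constructed ClientHello record: TLS 1.2 record layer, TLS 1.3-style
    body, a supported_versions extension and, if a hostname is given, an SNI
    extension after it.  Enough to exercise a router, not a full handshake."""
    sv = b"\x02\x03\x04"                                     # supported_versions: [TLS 1.3]
    extensions = struct.pack("!HH", 43, len(sv)) + sv
    if hostname is not None:
        name = hostname.encode("idna")                       # SNI carries A-labels
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0, len(sni)) + sni    # extension type 0 = server_name
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03" + secrets.token_bytes(32)            # client_version, random
            + b"\x00"                                        # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                    # compression_methods: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # type 22 = handshake


class _Cursor:
    """Bounds-checked reader so malformed input raises instead of mis-parsing."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack("!H", self.take(2))[0]

    def u24(self):
        return int.from_bytes(self.take(3), "big")


def extract_sni(record):
    """Return the host_name from a ClientHello's SNI extension, or None when
    the ClientHello carries no SNI.  Raises ValueError for malformed input."""
    r = _Cursor(record)
    if r.u8() != 0x16:
        raise ValueError("not a TLS handshake record")
    r.take(2)                                    # record-layer version
    if r.u16() != len(record) - 5:
        raise ValueError("record length mismatch")
    if r.u8() != 0x01:
        raise ValueError("not a ClientHello")
    if r.u24() != len(record) - 9:
        raise ValueError("handshake length mismatch")
    r.take(2 + 32)                               # client_version, random
    r.take(r.u8())                               # session_id
    r.take(r.u16())                              # cipher_suites
    r.take(r.u8())                               # compression_methods
    if r.pos == len(record):
        return None                              # legacy hello without extensions
    ext_end = r.pos + 2 + r.u16()
    if ext_end != len(record):
        raise ValueError("extensions length mismatch")
    while r.pos < ext_end:
        ext_type, ext_len = r.u16(), r.u16()
        data = r.take(ext_len)
        if ext_type != 0:
            continue                             # not server_name: skip it
        names = _Cursor(data)
        if names.u16() != len(data) - 2:
            raise ValueError("server_name_list length mismatch")
        while names.pos < len(data):
            name_type, name = names.u8(), names.take(names.u16())
            if name_type == 0:
                host = name.decode("ascii")      # non-ASCII is a protocol violation
                if not host:
                    raise ValueError("empty host_name")
                return host
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))   # the name a router keys on
```

Note that `extract_sni` reads the hostname from bytes that are not yet protected by anything: an on-path observer runs the same parser and learns which site is being visited, even though everything after the handshake is encrypted.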
- An SSL/TLS connection is managed by the first front-end machine that terminates it. If, for any reason (routing, traffic optimisation, etc.), that machine is not the application server and it has to decrypt the data, a way must be found to pass the user's authentication information or client certificate on to the application server, which needs to know who is connecting. Whatever carries that information (typically a request header added by the front end) must be accepted only from the front end itself, otherwise a client can forge it.
- For SSL/TLS with mutual authentication, the SSL/TLS session is managed by the first server that terminates the connection. In situations where encryption has to be propagated along a chain of servers, session timeout management becomes very tricky to implement.
- Security is highest with mutual SSL/TLS, but on the client side there is no way to properly end the SSL/TLS connection and log the user out, other than waiting for the server session to expire or closing all related client applications.