I know everyone of you know that HTTPS is used to secure communication to avoid Man in Middle attack, Eavesdropping by an sniffer and verifying authenticity,privacy and integrity of exchanged data during web communication on internet. I will not explain how it works as it is 25 years old protocol but will give you some unknown internal glimpse about it, so read all points carefully as it will might also give you clarity on some minor confusion about HTTP, HTTPS, SSL and TLS etc.
Keep following points for reference when you are talking about HTTPS:
1. “HTTP over TLS” and “HTTP of SSL” is same thing.
2. HTTPS was created in 1994 by Netscape communication for Netscape Navigator browser.
3. HTTPS encapsulates HTTP traffic using TLS to encrypt data and still uses original HTTP content.
4. TLS and SSL are cryptographic protocols designed to provide communication security over computer network.
5. TLS Protocol can be used to encrypt traffic for web servers, email, instant messaging, VoIP traffic etc.
6. SSL 1.0/2.0/3.0 has been depreciated and replaced by TLS 1.3.
7. Year of Release: TLS1.0(1999), TLS1.1(2006), TLS1.2(2008), TLS1.3(2018),
8. TLS Operates below HTTP and has no knowledge of higher-level HTTP.
9. TLS servers can only strictly present one certificate for one host/port and in past this concept was blocker for virtual hosting on webserver and SNI given the solution.
10. SNI (Server Name Indication) is the solution of above problem where it sends hostnames before handing over to TLS on your client browser.
11. 3 Major HTTPS Purpose: Authentication of accessed site, Privacy and integrity of exchanged data.
12. Protects against: Man in Middle attack (MiM), Eavesdropping and Tampering.
13. Using HTTPS we can do Bidirectional encryption in between client and server.
14. HTTPS makes sure correct cipher suite is used during client server communication.
15. HTTPS helps you to work securely on public Wi-Fi in case someone sniffing on network.
16. Latest HTTP2 replaced internally used SPDY Protocol with HSTS.
17. HSTS (HTTP Strict Transport Security) helps to protect websites against protocol downgrade attacks. Like you will see HTTPS but actually it will be HTTP.
18. Latest HTTP2 Protocol helps in reducing page load time, size and latency and can easily be enabled on web servers like Nginx etc. using single http2 flag on listener value in “nginx.conf”.
19. TLS uses long-term public and private certificate to generate short term session keys which is then used to encrypt data.
20. x.509 Certificate is used to Authenticate server as well as client.
21. Major CA(Certificate Authority) certs are pre-configured on your browsers or in your operating system to authenticate validity of provided certs during HTTPS communication.
HTTPS works in 2 mode i.e. simple and mutual, most of web traffic is simple and in case you require client authentication then we choose mutual.
22. Only Domain name/IP address and Port number are not encrypted as it is required at network level to forward traffic.
23. Unencrypted nature in HTTPS for DNS names/IP Address helps Govt. agencies to block URL’s etc. even when you are using HTTPS URL’s.
24. Request/Response containing Contents/Headers are encrypted by TLS.
25. Domain fronting is one of other important concept that Google and Amazon have disabled it after pressure of Russian Govt. over Telegram domain fronting case.
26. Domain fronting is a technique that circumvents internet censorship by obfuscating the domain of a HTTPS connection (Proxy servers used to access blocked site and now it can be blocked*)
27. Careful configuration of TLS can provide “forward secrecy” that ensures future disclosure of encryption keys can’t be used to decrypt data recorded in the past.
28. TLS uses symmetric cryptography to encrypt data and keys used to encryption are generated uniquely using each connection.
There are many further points that you can read on Wikipedia as all above key points are summarized from it and you can go deep in case you would like to understand more but i will say unless you are only working in web security domain till the time you can avoid deep understanding but in normal day to day understanding above key points will give you immense information while talking on Web traffic security using HTTPS and TLS.