httphttpstls1.2handshake

Does TLS imply HTTPS


If I understand right, for TLS handshake, client initiates the connection, server returns it's certificate, client verifies the signature on it and then a session key is generated which is used for further communication.

If above process is happening, does it mean that the initial call that the client made was HTTPS? Or is it possible to do TLS handshake for HTTP?


Solution

  • TLS and HTTP/HTTPS are different things, but in practice they are often deployed together, and so the boundaries between them can become a bit blured.

    TLS itself can happily be used without HTTP, and is an integral part of many of the other protocols you'll use on a daily basis, such as your email connection (IMAPS/ESMTP etc). When it is used with HTTP (as HTTPS) though, then there are a few TLS extensions that the client can use when establishing the connection, to let the server know that it is expecting an HTTP response (such as the ALPN extension).

    Likewise, HTTP can also happily be used without any thought of TLS. However, there exists a collection of HTTP features that have been introduced over the years to either force (or invite) an HTTP connection to migrate to HTTPS (such as the strict-transport-security or upgrade-insecure-requests headers)

    HTTPS is simply HTTP inside TLS (or SSL if you're asking this question from a time when dinosaurs roamed the earth).