Maintaining security and privacy while we browse the Internet is essential. Our personal data can be compromised and we can suffer a wide variety of cyber attacks; simply entering a website can be enough to make us victims of some of them. That is where protocols like HTTPS come in, which was introduced to make the earlier HTTP more secure. Now, can we have an even more secure Internet? In this article we are going to talk about HTTPA and how it works.
HTTPA, the successor to HTTPS for more security
Today HTTPS is the main protocol used by applications and web pages. It offers a fast, secure connection and we can also say that it is private. However, it has certain limitations that keep it from being a perfect protocol in terms of security and privacy, so it can be improved.
Thanks to HTTPS, when we visit a web page we can verify that the service corresponds to the legitimate entity, something that provides security and trust. However, that protocol does not verify the actual behavior of that service. Even if the service published its source code, there would be no way of knowing whether that code is really what is running, and therefore no way of knowing that there is no danger. There is no way of knowing whether our data is really going to be handled in a certain way, beyond trusting that service and its behavior.
Now a group of security researchers have devised what they call HTTP-Attestable, or HTTPA. It uses HTTPS as a base, but with improvements to make it more trustworthy and secure. What does this mean? Basically, a proof of what we mentioned before: we will be able to know whether a specific service really acts as it is supposed to, and we can verify its behavior.
With this we avoid having to blindly trust a web page, even if it uses HTTPS, and can really see how it acts. It is an added layer of confidence, a way to know that a service is trustworthy and to further reduce the possibility of suffering some kind of cyber attack or data theft while browsing. Keep in mind that HTTPS has security limitations, even though it is a widely used and reliable protocol today.
How does this protocol work?
We can say that HTTPA works because the end user can verify the guarantees of the server they are accessing. Basically, the person who enters that page or online service can verify whether it really is a trusted server or not, and decide accordingly whether to trust it and go in or, on the contrary, treat it as untrusted.
It should be mentioned that HTTPA inherits key parts of HTTPS, such as the use of TLS and host identity verification through a certificate. In addition to that, it offers an extra guarantee through what is called remote attestation, or verification. This allows the end user, the client, to trust only what they have verified as safe under the HTTPA protocol, and to keep their own block list.
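To make the difference between the two checks concrete, here is an added example that is not part of the original article and is not the researchers' own HTTPA implementation. It models, in Python, the trust decision the client makes: the host identity check that HTTPS already gives us, and on top of it an attestation check that compares the measurement of the code the server claims to be running against a trusted set and the client's own block list. All values (the host name, the measurements, the attestation key) are constructed for the example, and an HMAC stands in for the hardware-backed signature a real attestation report would carry; the wire format is a simplification, not HTTPA's actual message layout.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed values for the example. In a real attestation flow the report is
# signed by a hardware-rooted key; a shared HMAC key is used here so the example
# runs offline with the standard library only.
ATTESTATION_KEY = b"demo-attestation-key"

# Measurement = hash of the code build the service claims to run (constructed).
GOOD_BUILD = "sha256:" + hashlib.sha256(b"audited-service-v1").hexdigest()
BAD_BUILD = "sha256:" + hashlib.sha256(b"known-bad-build").hexdigest()

# The client's policy: builds it has decided to trust, and its own block list.
TRUSTED_MEASUREMENTS = {GOOD_BUILD}
BLOCK_LIST = {BAD_BUILD}


@dataclass
class AttestationReport:
    host: str         # identity the report is bound to (what HTTPS already verifies)
    measurement: str  # what code is actually running (what HTTPS cannot tell us)
    nonce: str        # client-chosen freshness value, prevents replay of old reports
    signature: str    # over (host, measurement, nonce)


def _payload(host, measurement, nonce):
    # Canonical encoding so signer and verifier hash exactly the same bytes.
    return json.dumps({"host": host, "measurement": measurement, "nonce": nonce},
                      sort_keys=True).encode()


def sign_report(host, measurement, nonce, key=ATTESTATION_KEY):
    """Server/attester side: produce a report bound to the client's nonce."""
    sig = hmac.new(key, _payload(host, measurement, nonce), hashlib.sha256).hexdigest()
    return AttestationReport(host, measurement, nonce, sig)


def verify_report(report, expected_host, expected_nonce, key=ATTESTATION_KEY):
    """Client side: return (accepted, reason). Every check must pass."""
    expected_sig = hmac.new(key, _payload(report.host, report.measurement, report.nonce),
                            hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, report.signature):
        return False, "signature invalid: report tampered or not from the attester"
    if report.host != expected_host:
        return False, "host mismatch: report is for a different identity"
    if report.nonce != expected_nonce:
        return False, "stale report: nonce does not match this session"
    if report.measurement in BLOCK_LIST:
        return False, "measurement is on the client's block list"
    if report.measurement not in TRUSTED_MEASUREMENTS:
        return False, "measurement not in the trusted set"
    return True, "attested: identity and running code both verified"


def demo():
    """Run the scenarios the article contrasts and return their outcomes."""
    host, nonce = "service.example.test", "nonce-0001"
    results = {}
    # 1. Legitimate host running the audited build: accepted.
    results["good"] = verify_report(sign_report(host, GOOD_BUILD, nonce), host, nonce)
    # 2. Same legitimate host (HTTPS identity fine) but running a blocked build.
    results["blocked"] = verify_report(sign_report(host, BAD_BUILD, nonce), host, nonce)
    # 3. Report altered in transit to claim the good build: signature no longer matches.
    forged = sign_report(host, BAD_BUILD, nonce)
    forged.measurement = GOOD_BUILD
    results["forged"] = verify_report(forged, host, nonce)
    # 4. An old, valid report replayed against a new session: wrong nonce.
    results["replayed"] = verify_report(sign_report(host, GOOD_BUILD, "nonce-0000"), host, nonce)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:9s} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The second scenario is the one the article is about: the certificate-level identity check passes, yet the client still refuses the session because the attested measurement is on its block list. Whether the measurements in the trusted set are right is a policy question the client has to answer on its own; the code only enforces the decision.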
The ultimate goal of HTTPA is to further reduce the attack surface that can be compromised when using HTTPS: basically, to improve the security of a very widespread protocol that is reliable today, in order to reduce the risk of suffering cyber attacks.
Currently we can say that HTTPS provides access to services securely, but without them being trustworthy, for the reasons we have explained. An attacker could carry out privilege attacks to take control of a session, for example, and in this way compromise the secure channel between the server and the client. With HTTPA, on the other hand, we can achieve service access that is both secure and trustworthy. An attacker could not easily obtain the session keys, and it is more difficult for them to break the privacy and security of the client when accessing the server.
In short, HTTPA emerges as a new protocol that aspires to become the successor of HTTPS, achieving greater security and privacy when browsing the Internet. You can see all the documentation and how it works.