2015-10-15



HTTPS.

HTTPS (also called HTTP over TLS,[1][2] HTTP over SSL,[3] and HTTP Secure[4][5]) is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security or its predecessor, Secure Sockets Layer. Additionally, it provides bidirectional encryption of communications between a client and server, which protects against eavesdropping and tampering with and/or forging the contents of the communication.[6] In practice, this provides a reasonable guarantee that one is communicating with precisely the website that one intended to communicate with (as opposed to an impostor), as well as ensuring that the contents of communications between the user and site cannot be read or forged by any third party.

Historically, HTTPS connections were primarily used for payment transactions on the World Wide Web, e-mail and for sensitive transactions in corporate information systems. In the late 2000s and early 2010s, HTTPS began to see widespread use for protecting page authenticity on all types of websites, securing accounts and keeping user communications, identity and web browsing private. This is the case with HTTP transactions over the Internet, where typically only the server is authenticated (by the client examining the server’s certificate). This ensures reasonable protection from eavesdroppers and man-in-the-middle attacks, provided that adequate cipher suites are used and that the server certificate is verified and trusted. This includes the request URL (which particular web page was requested), query parameters, headers, and cookies (which often contain identity information about the user).

However, because host (website) addresses and port numbers are necessarily part of the underlying TCP/IP protocols, HTTPS cannot protect their disclosure. Certificate authorities (such as Symantec, Comodo, GoDaddy and GlobalSign) are in this way being trusted by web browser creators to provide valid certificates. HTTPS is especially important over insecure networks (such as public WiFi access points), as anyone on the same local network can packet sniff and discover sensitive information not protected by HTTPS. However, this can be exploited maliciously in many ways, such as injecting malware onto webpages and stealing users’ private information.[7] HTTPS is also very important for connections over the Tor anonymity network, as malicious Tor nodes can damage or alter the contents passing through them in an insecure fashion and inject malware into the connection.

Firefox uses HTTPS for Google searches as of version 14,[15] to “shield our users from network infrastructure that may be gathering data about the users or modifying/censoring their search results”.[16] The Electronic Frontier Foundation, opining that “In an ideal world, every web request could be defaulted to HTTPS”, has provided an add-on called HTTPS Everywhere for Mozilla Firefox that enables HTTPS by default for hundreds of frequently used websites. Also, having only a certain page that contains sensitive information (such as a log-in page) of a website loaded over HTTPS, while having the rest of the website loaded over plain HTTP, will expose the user to attacks. Similarly, cookies on a site served through HTTPS have to have the secure attribute enabled.[12] HTTP is not encrypted and is vulnerable to man-in-the-middle and eavesdropping attacks, which can let attackers gain access to website accounts and sensitive information, and modify webpages to inject malware or advertisements. HTTP operates at the highest layer of the TCP/IP model, the Application layer; as does the SSL security protocol (operating as a lower sublayer of the same layer), which encrypts an HTTP message prior to transmission and decrypts a message upon arrival. With the exception of the possible CCA cryptographic attack described in the limitations section below, the attacker can only know that a connection is taking place between the two parties and their domain names and IP addresses.

Web browsers are generally distributed with a list of signing certificates of major certificate authorities so that they can verify certificates signed by them. Organizations may also run their own certificate authority, particularly if they are responsible for setting up browsers to access their own sites (for example, sites on a company intranet, or major universities). Normally, that contains the name and e-mail address of the authorized user and is automatically checked by the server on each reconnect to verify the user’s identity, potentially without even entering a password. Possessing one of the long term asymmetric secret keys used to establish an HTTPS session should not make it easier to derive the short term session key to then decrypt the conversation, even at a later time.

Only 30% of Firefox, Opera, and Chromium Browser sessions use it, and nearly 0% of Apple’s Safari and Microsoft Internet Explorer sessions.[21] Among the larger internet providers, only Google supports PFS since 2011 (State of September 2013). A certificate may be revoked before it expires, for example because the secrecy of the private key has been compromised. Newer versions of popular browsers such as Firefox,[29] Opera,[30] and Internet Explorer on Windows Vista[31] implement the Online Certificate Status Protocol (OCSP) to verify that this is not the case.

The browser sends the certificate’s serial number to the certificate authority or its delegate via OCSP and the authority responds, telling the browser whether or not the certificate is still valid.[32] SSL comes in two options, simple and mutual. SSL does not prevent the entire site from being indexed using a web crawler, and in some cases the URI of the encrypted resource can be inferred by knowing only the intercepted request/response size.[33] This allows an attacker to have access to the plaintext (the publicly available static content), and the encrypted text (the encrypted version of the static content), permitting a cryptographic attack. Because SSL operates below HTTP and has no knowledge of higher-level protocols, SSL servers can only strictly present one certificate for a particular IP/port combination.[34] This means that, in most cases, it is not feasible to use name-based virtual hosting with HTTPS.

A solution called Server Name Indication (SNI) exists, which sends the hostname to the server before encrypting the connection, although many older browsers do not support this extension. With mutual SSL/TLS, security is maximal, but on the client-side, there is no way to properly end the SSL connection and disconnect the user except by waiting for the SSL server session to expire or closing all related client applications. This type of attack defeats the security provided by HTTPS by changing the https: link into an http: link, taking advantage of the fact that few Internet users actually type “https” into their browser interface: they get to a secure site by clicking on a link, and thus are fooled into thinking that they are using HTTPS when in fact they are using HTTP. The attacker then communicates in clear with the client.[38] This prompted the development of a countermeasure in HTTP called HTTP Strict Transport Security.

More specifically, the researchers found that an eavesdropper can infer the illnesses/medications/surgeries of the user, his/her family income and investment secrets, despite HTTPS protection in several high-profile, top-of-the-line web applications in healthcare, taxation, investment and web search.[39] Netscape Communications created HTTPS in 1994 for its Netscape Navigator web browser.[40] Originally, HTTPS was used with the SSL protocol.

Chrome and Chrome OS already support basic web notifications, but rich notifications for Chrome packaged apps and extensions can enable users to act directly on these notifications and show rich content like lists and images. For those in the beta channel, notifications now live in a center that is outside the browser, which allows them to receive notifications even when the browser is not open. Additionally, they enable you to create action buttons and respond to clicks right within your app, empowering your users to do anything they could do within the app’s UI itself. Rich notifications are available in the latest beta channel builds on Windows, dev channel builds on ChromeOS, and will be coming to Mac OS X and Linux soon.
