Why use HTTPS: Securing the data while in transit between the client and your web server is essential if you plan on limiting access to your website. You can secure the data from your website and add website authentication by implementing HTTPS. Without encryption, both your passwords and data are sent between the client and server as plain readable characters and are susceptible to a variety of exploits. Even if you do not plan on limiting access to your website, HTTPS is a valuable option since it provides clients authentication of your website. The following tutorial describes how to implement HTTPS on an Apache server, but the basic concepts presented are applicable to any web server.
How HTTPS Works: HTTPS is an extension of the Hypertext Transfer Protocol (HTTP) that adds secure communications over a computer network. To achieve communications security, HTTPS utilizes Transport Layer Security (TLS). TLS replaced the Secure Sockets Layer (SSL) that had been used previously with HTTPS. In implementing HTTPS on your server you should always support TLS but you can optionally provide support for legacy computers that may still be using SSL. The client will use port 443 to request that TLS protocol be used for communications with the server. The user of the client (Web Browser) may select secure communications by prefixing the website URL with https. If the prefix is omitted or the http prefix is used at the client, the server will receive the request on port 80 and must either respond with unencrypted data or must redirect the client to use HTTPS protocol. The server can use Apache's redirect directive to send an external redirect that instructs the client to fetch the URL with HTTPS protocol. Thus, no mater how the user requests the website, the communications between the client and server can always remain encrypted. Once an agreement has been made between the client and server to use TLS, they negotiate a connection using a handshaking procedure. The initial negotiation is encrypted and is conducted with an asymmetric cipher in which both client and server exchange public keys. The server usually will also provide the client identification using a digital certificate. The certificate contains the server name (or names) and the trusted Certificate Authority (CA) that vouches for the authenticity of the certificate. Once the negotiation is complete, session keys are generated and all data communication for the session will be encrypted with a symmetric cipher. For additional security, Diffie-Hellman key exchange can be used to securely generate the random session key and insure that even if the session is intercepted and recorded that it cannot be used to decrypt the current session.
Obtaining a Digital Certificate: Digital Certificates can either be self generated and signed or can be obtained from a Certificate Authority (CA). A Digital Certificate from a trusted CA is preferred since it will enable browsers to authenticate the website. While most CAs charge a fee for each Digital Certificate, a free and automated certificate can be obtained from Let's Encrypt. To obtain a Digital Certificate from Let's Encrypt and secure your Apache server, go to the Securing Apache with a Let's Encrypt Certificate guide.