I haven't done lot of research on HTTPS yet so I have a question about it.
Is data integrity preserved using HTTPS or only confidentiality? For example on file upload, does HTTPS guarantee that no one can change the data on upload, or it only guarantees that no one can read it?
Answer
Short answer: Yes
Requirements:
- The cipher suite uses a digest algorithm like SHA, SHA-2 (256 or 394) or MD5 (please avoid it !) to compute a Hash-based Message Authentication Code (HMAC). This message is then used to check data integrity for each record.
Example: TLS_RSA_WITH_AES_128_CBC_SHA256
- The cipher suite supports Authenticated Encryption with Additional Data (AEAD) like AES-GCM (AES-CCM, AES-EAX exist but are less common) or CHACHA20-POLY1305 (recommended).
Example: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Regarding the second example, it is important to note that SHA256 is NOT the HMAC algorithm but it is used as PRF (check this answer for more details).