A Simple Guide on How HTTPS Works

Saurav Satpathy
4 min read · Aug 24, 2021

HTTPS (Hypertext Transfer Protocol Secure) is HTTP + SSL.

HTTP is meant for two-way communication: a server and a client talk to each other over an HTTP connection. HTTP was the original protocol for this; HTTPS was introduced later, and HTTPS is simply HTTP + SSL. So what is SSL?

SSL (Secure Sockets Layer) encrypts data sent over the internet so that eavesdroppers and hackers cannot see what is being transmitted.

SSL and TLS (Transport Layer Security) are used interchangeably. TLS is just an updated, more secure version of SSL, although there are of course some minor differences between the two. Both names are also attached to security certificates: certificates are still popularly called SSL certificates, but what you buy nowadays is actually a TLS certificate.

To understand why SSL is now called TLS, we need a bit of history. SSL was invented by Netscape. TLS was proposed by the Internet Engineering Task Force (IETF), an international standards organization, and evolved from SSL 3.0, but the protocol was renamed TLS before publication to indicate that it was no longer associated with Netscape (a commercial organization, and you know why 😃). Because of this history, the terms TLS and SSL are used interchangeably.

Now let’s understand how SSL works:

SSL fundamentally relies on two concepts:

  • Asymmetric cryptography (uses a key pair: a public key and a private key)
  • Symmetric cryptography (uses a single key to both encrypt and decrypt)

The steps SSL follows, in simple terms:

1. The client says hello to the server with the following information:

  • The version of SSL it is running.
  • Which cipher suites it supports.
  • Which compression methods it supports.

2. The server likewise responds with a hello and its SSL certificate to confirm its identity. The SSL certificate includes the server's public key and a lot of other information, which is explained further below.

3. The client now validates the server's SSL certificate locally. How it does this is explained further below.

4. The client now creates a session key (also called the symmetric key or secret key). It keeps one copy and sends another to the server, encrypted with the server's public key.

5. After receiving the encrypted key from the client, the server decrypts it with the private key it already holds and obtains the session key (secret key).

6. Real data transfer starts now. From here on, this single session key is used to encrypt and decrypt the data for this particular session.

All of the above steps are SSL work that does not exist in plain HTTP communication, so HTTP is faster than HTTPS. The difference is not significant, though: it is just 2–3 ms of delay, which is a small price for the extra level of security.

The first part involves two keys (public and private), so it is called asymmetric cryptography; the last part uses only one key, so it is called symmetric cryptography.

Notice that a symmetric key is used in the later half instead of asymmetric keys. That is because symmetric cryptography is faster than asymmetric cryptography while providing the same level of security here.

Certificate Authorities (CAs) like GoDaddy, Symantec and DigiCert generate security certificates for us to use. So why do we have to rely on these commercial companies to get a certificate? Because they have tied up with most of the clients, e.g. Apple Safari, iOS, Chrome, Mozilla, Internet Explorer and Windows. These clients already have a list of root certificates stored locally on the system.

Please don't get confused by the term client. So far we have used client for the application or website, but from now on it refers to the browser or OS trust store. The meaning of server does not change :D

So how does the client validate the server's certificate? To answer that we need to know what information the certificate contains.

An SSL certificate contains the following information:

  • Domain Name
  • Certificate Validity Period
  • Certificate Authority (CA) Details
  • Public Key
  • Public Key Algorithm
  • Certificate Signature Algorithm
  • Digital Signature
  • SSL/TLS Version
  • Algorithm Identifier
  • Serial Number

To validate a certificate, the client checks the following points:

  1. Is today’s date within the validity period?
  2. Is the issuing Certificate Authority a trusted one?
  3. Does the issuing CA’s public key validate the issuer’s digital signature?

     The client uses the public key of the root certificate to validate the digital signature on the server's certificate. If the root certificate's public key does not correspond to the private key that produced the server certificate's digital signature, the certificate is invalid.

     Clients keep their own set of trusted root certificates from all internationally recognised certificate authorities, and update these root certificates periodically.

  4. Does the domain name mentioned in the certificate actually match the server's domain name?

When all four checks pass, the handshake proceeds to the key exchange.

This is where a Man-in-the-Middle attack happens: the attacker presents their own self-signed SSL certificate instead of the real one. One way to avoid this is to have SSL pinning in place.
