Secure Sockets Layer (SSL)
What is HTTPS?
HTTPS is the method used to transfer the majority of content online. It is based on the Hypertext Transfer Protocol (HTTP), which is the main protocol used to communicate on the internet. HTTPS is the encrypted version of HTTP, with the ‘S’ at the end standing for ‘secure’. It is used to secure communication over the internet. It indicates that your connection with another computer/server/site is private. It also ensures no one else can know what you’re doing online. Only you and the server on the other end can listen in.
The padlock icon beside the URL bar in your browser (Chrome, Firefox, etc.) indicates that you are reading this blog post over a secure connection.
In HTTPS, the communications protocol is encrypted using Transport Layer Security (TLS), which is an encryption protocol. TLS was formerly called Secure Sockets Layer (SSL).
Why is HTTPS needed?
HTTPS is mainly needed for 3 reasons — Privacy, Identification and Integrity.
- Privacy — The connection is private between you and the site, and no one else can listen in. Other people on your network or your ISP (Airtel, Jio, etc.) cannot listen in.
- Identification — The site you are visiting, is the same site you expected to visit. It allows you to check that the data transferred to you is indeed coming from the site you visited and not from someone else, with the help of the digital signature attached to each message.
- Integrity — The content is not tampered with when it is sent over the internet. You get exactly what the site sends to you. An entity between the site and you cannot inject ads, popups or malicious content. Many popular ISPs (Airtel, Comcast, BSNL, Verizon, etc.) are known to inject ad scripts into unencrypted websites to earn extra revenue. Sometimes, hosting providers (GoDaddy, etc.) are also known to tamper with site contents to add scripts that provide additional analytics.
The newer version of HTTPS (HTTPS 2.0) also provides performance benefits which reduces bandwidth costs and also decreases page load times for users.
Usage of HTTPS
HTTPS usage has increased over the years, mainly due to efforts of browser makers, who required the use of encryption for features like PWA installation, accessing the user’s microphone, camera and more. So, if any site needs to access the microphone/camera of the user, it needs to have a valid HTTPS certificate. The rise in popularity of free certificate providers like Let’s Encrypt and Cloudflare have also greatly simplified the process of getting a SSL certificate for free. Search engines like Google also provide a ranking boost to sites that are equipped with HTTPS, so this encourages webmasters to adopt HTTPS for their sites.
Stats provided by Google indicate that over 90% of pages are loaded over HTTPS in Chrome in 2021. Desktop users spend two-thirds of their time on HTTPS pages. HTTPS is less prevalent on sites accessed on mobile devices, but there is still an upward trend in encryption usage there.
What is a TLS/SSL Certificate?
SSL certificates are digital certificates used to identify and prove the ownership of a particular hostname (domain name) on the internet. The server is required to provide the certificate to any client connecting to the server as part of the initial connection setup. The client will then verify the authenticity of the certificate by ensuring that the hostname in the certificate matches the domain the client is trying to connect to, and that a trusted certificate authority has signed the certificate.
If the hostname contains an asterisk (*), it is called a wildcard certificate. These are TLS certificates which can be used with multiple subdomains of a single domain. These are popular because they are more convenient and cheaper than getting a certificate for each subdomain.
The security of HTTPS depends on the version of TLS used. TLS 1.2 and TLS 1.3 are supported by all major browsers, while older versions like TLS 1.0 and TLS 1.1 are deprecated because of significant security bugs. The table given below shows the most recent versions of TLS and also the current status of the older versions.
How does HTTPS work?
HTTPS works by creating a secure channel over an insecure network. This ensures that the data being transferred is safe from man-in-the-middle attacks and eavesdroppers, as long as it is implemented correctly. Encryption is used for creating the secure channel. Encryption is just scrambling text many times to make it unreadable to people that do not have the keys to unscramble the text.
The client communicates with the server that it wants to initiate a TLS connection by communicating through port 443 (HTTP connections use port 80 by default, while HTTPS connections use port 443). They then perform a “TLS handshake”, where they agree upon the specifications (like cipher suite, keys) used to exchange data. The outcome of this exchange is a valid TLS connection, meaning both the client and the server are ready to transfer data.
A typical TLS handshake has 4 steps.
1. The Negotiation phase
The client sends a message called a ClientHello message which contains a random number, list supported cipher-suites (encryption algorithms) and compression methods and also specifies the highest TLS version it supports. The ClientHello message may also contain a session ID, if it is attempting to resume a previous TLS handshake.
The server then sends a ServerHello message, which contains a random number, the TLS version, compression method and the cipher-suite it has chosen. The TLS version used is the highest TLS version which is supported by both. For example, if the server supports TLS 1.3 and TLS 1.2 and the client supports TLS 1.2 and TLS 1.1, the chosen version should be TLS 1.2.
The server then sends its Certificate, ServerKeyExhchange and ServerHelloDone message, which contains the server’s public key and also indicates that the handshake has completed successfully.
The client generates a PreMasterKey using the random numbers, encrypts it with the public key of the server and then sends it back to the server. It also sends its ClientKeyExhchange message which usually contains its public key. The server uses its private key to decrypt the PreMasterKey. Using the PreMasterKey and the random numbers, both the server and the client compute the same MasterKey, which is used to encrypt and decrypt all further communication and transfer of data.
2. Client sends a ChangeCipherSpec record
This communicates to the server that everything the client sends to the server will be authenticated and encrypted. It then sends a Finished message, which has a hash and a MAC over the previous messages. The server decrypts this message and verifies the hash.
3. Server sends a ChangeCipherSpec record
This communicates to the client that everything the server sends to the client will be authenticated and encrypted. The server also sends its own Finished message. The client then decrypts the message and verifies the hash, similar to what the server did in the previous step.
4. Application Phase
At this phase, the application protocol has been enabled and all the messages will be encrypted just like the Finished messages.
As we can see, TLS uses asymmetric encryption (which involves public keys and private keys) during the handshake, but symmetric encryption (which involves a single MasterKey) for all further communication after the handshake has completed.
Conclusion
HTTPS has been crucial in improving security for billions of users online. It helps you conduct financial transactions over the internet and use services like internet banking and shopping, while also allowing you to explore the internet without the fear of someone else eavesdropping. It protects you from man-in-the-middle attacks and prevents third parties from snooping on your online activity.
