How HTTP and HTTPS Work?

Abhishek Mishra
Oct 24, 2020 · 4 min read

The very popular question being asked how exactly HTTPS work? A lot of blogs around it are available in detailed form as well as in shorter form. I will try to keep it in middle not lengthy nor short.

In my previous blog I covered the working of the browser How does the browser work?

I will start where I left earlier how HTTP works? HTTP stands for HyperText Transfer Protocol it is an application side protocol used for transmitting hypermedia documents like HTML. HTTP transfers data over TCP connection between client and server (Let’s not go in deep about it, we can add a new blog on it). HTTP transfers plain text over the connection which can be read by someone who has access to your connection. For example, if you are exchanging data over shared wifi one can sniff your data using sniffers(Will add a blog on how Wireshark can be used for sniffing the data). Let’s limit the information of HTTP up to this point only.

HTTP website
HTTPS underlying concepts

Let shift the focus now to how HTTPS works? It means HTTP over a secure layer so that no one will be able to sniff data or modify it in middle(Man in the middle attack). In HTTPS when the client tries to connect with the server. The server will return the SSL certificate. It contains a public key and a digital signature. It will be used to identify the certificate is valid or not. The public key will be used for the asymmetric encryption process. First, let’s try to understand asymmetric and symmetric encryption.

Asymmetric

Asymmetric encryption is known as public-key cryptography. In this public key is being used to encrypt the data while the private key is being used to decrypt the data

Asymmetric Encryption

Symmetric

Symmetric encryption is a type of encryption where only one key is being used to encrypt and decrypt the data. The entities will share the key during the communication for encrypting and decrypting the data.

How HTTPS use it?

  1. During the handshake, the server sends an SSL certificate that has an asymmetric public key to the client. It has a private key that is stored at the webserver(self) end.
  2. The client will create a session key based on algorithms. This session key will be encrypted by using the public key. Then it will be sent to the server.
  3. The server will use the asymmetric private key to decrypt the encrypted session key and will get the session key.
  4. Now the browser will use the session key for encrypting and decrypting the data for the session. This is known as symmetric encryption. Now the data is secured as the session key will be known by the client and server. Once the session will be expired the process will be repeated again from step 1 as the session key will be no longer valid.

Hijacking the session key will be tough as it will be valid for a very shorter period. Symmetric encryption is relatively fast compared to asymmetric. As it involves very little computation.

Some popular public-key encryption algorithms are RSA(Rivest–Shamir–Adleman) and ECC(Elliptic curve cryptography)

Once the above process will be done everything is the same as HTTP. i.e. Sharing data over TCP connection.

Once everything will happen over HTTPS it will look like

HTTPS website
Digital certificate information

Are SSL and TLS the same thing?

SSL is the direct predecessor of another protocol called TLS (Transport Layer Security). In 1999 the Internet Engineering Task Force (IETF) proposed an update to SSL. Since this update was being developed by the IETF and Netscape was no longer involved, the name was changed to TLS. The differences between the final version of SSL (3.0) and the first version of TLS are not drastic; the name change was applied to signify the change in ownership.

Since they are so closely related, the two terms are often used interchangeably and confused. Some people still use SSL to refer to TLS, others use the term “SSL/TLS encryption” because SSL still has so much name recognition.

Upcoming blogs/topics in networking

How a connection will be classified into 7 layers of the OSI model in real?

How a host IP change corresponding to a DNS will be reflected in real or background? like getting IP corresponding to DNS is covered in the previous article, posting IP corresponding to DNS is left.

References

The Startup

Get smarter at building your thing. Join The Startup’s +730K followers.

The Startup

Get smarter at building your thing. Follow to join The Startup’s +8 million monthly readers & +730K followers.

Abhishek Mishra

Written by

Software Development Engineer 3 @ OLX India, Over 8years of experience. www.linkedin.com/in/abh123 . E-mail mishra.abhishek273@gmail.com

The Startup

Get smarter at building your thing. Follow to join The Startup’s +8 million monthly readers & +730K followers.