What is HTTPS?

Farzin Pashaee
5 min read · Jan 8, 2023

Hypertext Transfer Protocol Secure (HTTPS), also referred to as HTTP over TLS/SSL, is an extension of HTTP for secure communication over a computer network. HTTPS uses TLS (Transport Layer Security), or its deprecated predecessor SSL (Secure Sockets Layer) in older deployments, to encrypt the communication. The name "SSL" survives in everyday usage ("SSL certificate"), but every version still supported today is TLS.

Through the use of cryptography and certificates, the TLS protocol primarily attempts to offer the following between two or more communicating computer programs:

  • Confidentiality: encrypting everything inside the TLS channel, so the URL path, headers, cookies, and request and response bodies cannot be read in transit
  • Integrity: detecting any tampering with or modification of the data between the communicating parties
  • Authenticity: verifying the identity of the website through its certificate, which is what protects against man-in-the-middle attacks

Under the Hood

Here you can find some of the concepts that you need to know to understand how HTTPS really works.

Encryption/Decryption

Encryption uses cryptography to transform information into a form that cannot be read without the key; decryption is the reverse process, recovering the original information with the key.

TLS

Transport Layer Security is a widely adopted security protocol that provides privacy, integrity and authentication for data in transit. Its main use is to protect the communication between clients (such as browsers) and servers over the internet. SSL 3.0 was formally deprecated in 2015 (RFC 7568) and TLS 1.0 and 1.1 in 2021 (RFC 8996); current deployments should use TLS 1.2 or, preferably, TLS 1.3.

Public & private key

There are different encryption methods, but the two primary forms in common use are symmetric and asymmetric encryption.

  • Symmetric encryption: the same key is used for encrypting and decrypting. Advanced Encryption Standard (AES) is the symmetric algorithm used by modern TLS (typically AES-GCM, or alternatively ChaCha20-Poly1305); the older Data Encryption Standard (DES) and Triple DES are deprecated and should not be used. Symmetric ciphers are fast, so they protect the bulk of the data.
  • Asymmetric encryption: two different keys are used. A public key, available to anyone who wants to communicate, is used to encrypt data or to verify a signature; the corresponding private key, accessible only to the owner of the key pair, is used to decrypt or to sign. In TLS the asymmetric operations (RSA, ECDSA or Ed25519 signatures; ECDH or DH key agreement) authenticate the server and establish the symmetric session keys; they are not used to encrypt the traffic itself.

Digital certificates

A digital certificate, also known as a public key certificate or identity certificate, is a file (in the X.509 format for TLS) that binds a public key to an identity. It contains the public key, the identity of its owner (the subject, including the hostnames listed in the Subject Alternative Name extension), the issuer, a validity period, and the digital signature of the issuing certificate authority over all of those fields. Anyone holding the issuer's public key can check that signature, which is how a client verifies that the public key really belongs to the named site.

Root stores

A root store (or trust store) is the list of root CA certificates a client trusts by default. The manufacturers of operating systems and web browsers, including Apple, Microsoft, Mozilla, and Google, each maintain one. A certificate authority (CA) uses one or more root certificates as trust anchors for the hierarchy of certificates it issues. In practice the root signs intermediate CA certificates and the intermediates sign the certificates handed to websites, so a server sends its own certificate together with the intermediates, and the client builds a chain from it up to a root it already holds.
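To make the certificate and root-store checks concrete, here is an added example (not code from the article) of a toy PKI: a root CA issues a server certificate, and the client validates it the way a browser does, rejecting an unknown issuer, a bad signature, an expired certificate and a hostname mismatch. It also shows the asymmetric sign-with-private-key, verify-with-public-key operation from the key-pair section. Everything in it is an assumption for illustration: the RSA keys are built from fixed Mersenne primes so the numbers are reproducible (never generate real keys this way), certificates are Python dicts rather than X.509 DER, the signature is textbook RSA over a SHA-256 digest with no padding, and the chain is a single level with no intermediates or revocation checking.

```python
"""Toy PKI: a root CA issues a certificate, the client validates it against its
root store. Added example, not from the article. Keys, certificate format and
signature scheme are deliberately simplified (see the lead-in text)."""
import copy
import hashlib
import json
from datetime import datetime, timedelta, timezone

E = 65537  # conventional RSA public exponent


def toy_rsa_keypair(p, q):
    """Return ((n, e), (n, d)). Toy: the caller supplies the primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private, data):
    n, d = private
    return pow(digest_int(data), d, n)          # textbook RSA, no padding


def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == digest_int(data)


def tbs_bytes(cert):
    """Canonical 'to-be-signed' bytes: every field except the signature."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(body, sort_keys=True).encode()


def issue(issuer, issuer_private, subject, sans, subject_public, not_before, days):
    cert = {
        "subject": subject, "issuer": issuer, "sans": sans,
        "public_key": list(subject_public),
        "not_before": not_before.isoformat(),
        "not_after": (not_before + timedelta(days=days)).isoformat(),
    }
    cert["signature"] = sign(issuer_private, tbs_bytes(cert))
    return cert


def validate(cert, hostname, root_store, now):
    """Return None if acceptable, otherwise the first failing check: trusted
    issuer, signature, validity window, hostname in the SAN list."""
    root = root_store.get(cert["issuer"])
    if root is None:
        return "issuer not in root store"
    if not verify(tuple(root["public_key"]), tbs_bytes(cert), cert["signature"]):
        return "bad signature"
    start = datetime.fromisoformat(cert["not_before"])
    end = datetime.fromisoformat(cert["not_after"])
    if not (start <= now <= end):
        return "outside validity period"
    if hostname not in cert["sans"]:
        return "hostname not in SAN list"
    return None


def demo():
    now = datetime(2023, 1, 8, tzinfo=timezone.utc)          # constructed date
    root_pub, root_priv = toy_rsa_keypair(2**127 - 1, 2**521 - 1)
    _, rogue_priv = toy_rsa_keypair(2**107 - 1, 2**607 - 1)   # CA nobody trusts
    server_pub, _ = toy_rsa_keypair(2**61 - 1, 2**89 - 1)

    # The client's root store: only "Toy Root CA" is a trust anchor.
    root_cert = issue("Toy Root CA", root_priv, "Toy Root CA", [],
                      root_pub, now - timedelta(days=365), 3650)
    root_store = {root_cert["subject"]: root_cert}

    good = issue("Toy Root CA", root_priv, "www.example.com",
                 ["www.example.com", "example.com"], server_pub, now, 90)
    rogue = issue("Rogue CA", rogue_priv, "www.example.com",
                  ["www.example.com"], server_pub, now, 90)
    tampered = copy.deepcopy(good)
    tampered["sans"].append("bank.example")                  # edited after signing

    return {
        "good": validate(good, "www.example.com", root_store, now),
        "wrong_host": validate(good, "shop.example.com", root_store, now),
        "untrusted_ca": validate(rogue, "www.example.com", root_store, now),
        "expired": validate(good, "www.example.com", root_store,
                            now + timedelta(days=100)),
        "tampered": validate(tampered, "www.example.com", root_store, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>13}: {result or 'OK'}")
```

The order of the checks matters in practice: a client decides whether it trusts the issuer and whether the signature holds before it looks at any claim inside the certificate, because until the signature is verified every field, including the SAN list and the validity dates, is just unauthenticated data from the server.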

TLS handshake process

When a user accesses a website through HTTPS, the browser performs a TLS handshake with the website's origin server before sending any HTTP request.

The TLS handshake has several stages:

  • TCP handshake: Since HTTP/1.1 and HTTP/2 run over TCP, the first step is to establish a TCP connection between the client and the server. (HTTP/3 runs over QUIC instead, which folds the TLS 1.3 handshake into its own connection setup.)
  • Certificate check: The client sends a ClientHello listing the TLS versions and cipher suites it supports, together with the hostname it wants to reach (the Server Name Indication extension, which is why the domain name is visible to an observer). The server replies with a ServerHello that selects a version and cipher suite, and sends its certificate chain. The client validates the chain up to a root CA in its root store, and also checks that the certificate covers the requested hostname, is within its validity period and has not been revoked.
  • Key exchange: With the TLS 1.2 RSA key exchange that many older explanations describe, the client generates a random pre-master secret, encrypts it with the public key from the server's certificate, and the server decrypts it with its private key. Modern TLS (1.3, and the ECDHE suites of 1.2) no longer does this: each side sends an ephemeral Diffie-Hellman key share (in TLS 1.3 the client's share is already in the ClientHello), both compute the same shared secret, and the server proves its identity by signing the handshake transcript with the private key belonging to its certificate. The session keys derived from that secret never cross the wire, so a later compromise of the server's private key cannot decrypt recorded traffic (forward secrecy). From this point both sides encrypt and authenticate every record with the symmetric session keys.
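The exchange described above, as an added example that is not part of the original article: both sides generate an ephemeral Diffie-Hellman share, compute the same secret without ever sending it, derive separate encryption and MAC keys, and then protect an HTTP request so that the server can read it while a tampered record is rejected. This also illustrates the confidentiality and integrity goals from the opening list and the symmetric-key side of the key-pair section. The assumptions are mine: the group (p = 2**521 - 1, g = 3) is a toy chosen so the code runs stand-alone and is not a standard TLS group (real TLS uses X25519, P-256 or the RFC 7919 finite-field groups); AES-GCM is not in the Python standard library, so records are protected with an HMAC-SHA256 keystream plus a separate HMAC tag (encrypt-then-MAC); and the handshake signature and certificate are left out to keep the block focused on the key agreement. The request bytes are constructed sample input.

```python
"""Ephemeral Diffie-Hellman key agreement plus symmetric record protection,
modelled on the TLS 1.3 flow. Added example, not code from the article.
Toy group and HMAC-based cipher stand in for X25519 and AES-GCM; the
structure of the exchange, not the primitive, is the point."""
import hashlib
import hmac
import secrets

P = 2**521 - 1  # toy modulus: a prime, but not a standard TLS group
G = 3           # toy generator

# Constructed sample request: the cookie is exactly what HTTPS must hide.
REQUEST = b"GET /account HTTP/1.1\r\nHost: www.example.com\r\nCookie: session=abc\r\n\r\n"


def keypair():
    """Fresh ephemeral exponent and public share, discarded after the handshake."""
    private = secrets.randbelow(P - 2) + 1
    return private, pow(G, private, P)


def shared_secret(my_private, peer_public):
    """g^(ab) mod p, computed from the peer's share and our own exponent."""
    return pow(peer_public, my_private, P).to_bytes(66, "big")


def derive(secret, label):
    """HKDF-style expansion: a distinct key for each purpose and direction."""
    return hmac.new(secret, label, hashlib.sha256).digest()


def keystream(key, seq, length):
    """Counter-mode keystream: HMAC(key, seq || counter) blocks, truncated."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, seq.to_bytes(8, "big") + block.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def protect(enc_key, mac_key, seq, plaintext):
    """Encrypt, then MAC over the record sequence number and the ciphertext."""
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, seq, len(plaintext))))
    tag = hmac.new(mac_key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    return ct + tag


def unprotect(enc_key, mac_key, seq, record):
    """Verify the tag first (constant time); only then decrypt."""
    ct, tag = record[:-32], record[-32:]
    expected = hmac.new(mac_key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, seq, len(ct))))


def handshake_and_send(request=REQUEST):
    """Both sides of the exchange. Returns what each party ends up with and
    what an eavesdropper on the wire would see."""
    c_priv, c_pub = keypair()   # client's key share travels in the ClientHello
    s_priv, s_pub = keypair()   # server's key share comes back in the ServerHello
    # Each side combines its own private exponent with the peer's public share;
    # the secret itself never crosses the wire.
    c_secret = shared_secret(c_priv, s_pub)
    s_secret = shared_secret(s_priv, c_pub)
    # Client write keys; the server derives the same pair to read client records.
    c_enc, c_mac = derive(c_secret, b"client enc"), derive(c_secret, b"client mac")
    s_enc, s_mac = derive(s_secret, b"client enc"), derive(s_secret, b"client mac")
    record = protect(c_enc, c_mac, 0, request)       # seq 0: first client record
    received = unprotect(s_enc, s_mac, 0, record)
    return {"secrets_match": c_secret == s_secret,
            "received": received,
            "on_the_wire": (c_pub, s_pub, record)}


def tamper_detected():
    """Flipping one ciphertext bit must be rejected before any plaintext is used."""
    a_priv, _ = keypair()
    _, b_pub = keypair()
    secret = shared_secret(a_priv, b_pub)
    enc, mac = derive(secret, b"enc"), derive(secret, b"mac")
    record = bytearray(protect(enc, mac, 7, b"amount=10"))
    record[0] ^= 0x01
    try:
        unprotect(enc, mac, 7, bytes(record))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    result = handshake_and_send()
    print("secrets match:", result["secrets_match"])
    print("server decrypted:", result["received"])
    print("tamper detected:", tamper_detected())
```

Two design points carry over to real TLS: the sequence number is bound into every record's tag, which is what stops an attacker from replaying or reordering captured records, and the tag is checked before any decryption so that a forged record never reaches application code.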

What information is protected by HTTPS?

A basic HTTP request that your browser sends to show a website looks like the following capture. Not only the body of the request but also the request line and headers (including cookies) travel in the clear.

(Image: Basic HTTP request)

With HTTPS, everything above the TCP layer is encrypted and can be read only by the two endpoints (or by a TLS-intercepting proxy that the client has been configured to trust, which is how corporate inspection appliances work).

What an observer on the path can still see is the remote IP address and, usually, the domain name: the hostname travels in clear text in the SNI extension of the ClientHello (unless Encrypted Client Hello is in use), and the preceding DNS lookup reveals it as well. The observer also sees the timing and approximate sizes of requests and responses, which is sometimes enough to infer which pages were visited. The URL path, query string, headers, cookies and bodies are all inside the encrypted channel.

SSL Certificate Types

Validation Level

  • Domain Validation (DV): The least rigorous type of validation. Only control of the domain needs to be demonstrated, usually through an automated challenge (a DNS record or a file served over HTTP). These certificates can therefore be issued rapidly and are cheap or free (Let's Encrypt issues only DV certificates).
  • Organization Validation (OV): In addition to domain control, the CA verifies that the requesting organization legally exists, and the confirmed organization details are listed in the certificate's Subject field.
  • Extended Validation (EV): EV sits at the opposite end of the validation range. The CA performs a more thorough investigation of the company, and the vetted details appear in the certificate. EV is more time-consuming and expensive, and it provides no stronger cryptography than DV. It used to earn a green indicator with the company name in the address bar, but Chrome and Firefox removed that indicator in 2019, so the visible difference to users is now minimal.

Types of functionality

  • Single Domain: A Single Domain certificate covers a single hostname, as the name suggests. Single-domain certificates are available at all three levels of validation. Note that modern browsers ignore the Common Name and require the hostname to appear in the Subject Alternative Name (SAN) extension, so even a single-name certificate carries a SAN entry.
  • Wildcard: A wildcard certificate (for example *.example.com) covers every hostname exactly one label below the parent domain, such as www.example.com or api.example.com. It does not cover deeper names like a.b.example.com, and it does not cover the bare parent example.com unless that name is added as a separate SAN entry. Because one private key then serves every subdomain, a compromise on any one host exposes all of them.
  • Multi-Domain: A single Multi-Domain (SAN) certificate can cover many unrelated hostnames; the maximum is set by the CA (commonly in the range of 100 to 250). All of the names are listed in the SAN extension of the Certificate Signing Request and of the resulting certificate, with one of them conventionally also placed in the Common Name.
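The wildcard rules above are where most surprises happen, so here is an added example (not from the article) of the hostname check a client performs against a certificate's SAN list, following RFC 6125 as tightened by RFC 9525: the wildcard must be the entire leftmost label, it matches exactly one label, and it never matches the bare parent domain. The SAN lists in the usage are constructed, and the guard against wildcards like *.com is a simplification (a real client consults the public suffix list).

```python
"""Hostname matching against a certificate's SAN list, as a browser does it.
Added example, not from the article."""


def name_matches(pattern, hostname):
    """True if one SAN entry (possibly a wildcard) covers hostname."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "" in p_labels or "" in h_labels:
        return False                 # empty labels are malformed
    if len(p_labels) != len(h_labels):
        return False                 # "*.example.com" cannot cover "a.b.example.com"
    if any("*" in label and label != "*" for label in p_labels):
        return False                 # partial wildcards ("w*.example.com") are rejected
    if "*" in p_labels[1:]:
        return False                 # a wildcard is only allowed in the leftmost label
    if p_labels[0] == "*" and len(p_labels) < 3:
        return False                 # "*.com" would cover a whole public suffix (simplified)
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def covers(sans, hostname):
    """True if any SAN entry covers the hostname; this check runs only after
    the certificate's signature and validity period have already passed."""
    return any(name_matches(san, hostname) for san in sans)


if __name__ == "__main__":
    wildcard = ["*.example.com"]     # constructed SAN list
    for host in ("www.example.com", "example.com", "a.b.example.com"):
        print(f"{host:>18} covered by {wildcard}: {covers(wildcard, host)}")
```

If the bare domain and its subdomains must share one certificate, the SAN list has to contain both example.com and *.example.com; a wildcard alone leaves the apex uncovered.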

Written by Farzin Pashaee
Software Engineer at Maybank, AI and ML enthusiast