Describe the working of https in detail

Sending data over plain HTTP is like sending a box by courier with no lock: anyone who handles it on the way can open it, read the contents, or swap them for something else. (One can argue about picking the lock, but that is not the problem we are trying to solve.)

HTTPS was introduced to send the data securely. It is nothing but HTTP carried over SSL (Secure Sockets Layer), or in practice its successor TLS (Transport Layer Security); all SSL versions are deprecated today, but the name is still used informally and this answer follows that usage. SSL/TLS uses cryptography to encrypt the traffic and to let the browser verify which server it is talking to.

Let's discuss the basics of cryptography.
  1. Encryption - The process of turning readable plain text into ciphertext, which looks like a random string, is called encryption. A key is used to do the conversion.
  2. Key - The key is the secret value that the encryption and decryption operations depend on. Without the right key, the ciphertext stays unreadable.
  3. Decryption - The process of turning ciphertext back into the original plain text is called decryption. Again a key is used for the conversion.

If the same key that encrypts text A is also the one that decrypts it back to A, that key is called a symmetric key.

  1. Symmetric Key: An encryption system in which the sender and receiver share a single, common key that is used both to encrypt and to decrypt the message. Symmetric systems are simpler and much faster, but their main drawback is that the two parties must somehow exchange the key securely before they can talk.
  2. Asymmetric Key: The keys are large numbers that are generated as a pair but are not identical (hence asymmetric). One key in the pair can be shared with everyone; it is called the public key. The other is kept secret; it is called the private key. Either key can be used to encrypt a message, and the opposite key of the pair is needed to decrypt it. Encrypting with the public key gives confidentiality, since only the holder of the private key can read the result; applying the private key to a hash of a message is the basis of a digital signature, which anyone holding the public key can check. Asymmetric operations are far slower than symmetric ones, so in practice they are used to authenticate the server and to agree on a symmetric key, not to encrypt the bulk traffic.

Now that we are aware of the basics of cryptography, let's look into how HTTPS works.

  • When a user clicks on an https link, the browser opens a TCP connection to the server on port 443, the standard HTTPS port.
  • Once the TCP connection is established, the SSL/TLS handshake starts between the browser and the server.

The series of messages exchanged between client and server can be grouped into three phases.

  • Hello: The client sends a ClientHello containing the highest SSL/TLS version it supports, the list of cipher suites it supports, the compression methods it supports (in practice none: TLS compression leaks information about the plaintext, browsers disabled it, and TLS 1.3 removed it), and a 32-byte random value, the client random, which is later mixed into the symmetric key. The server responds with a ServerHello containing the version it has chosen, the cipher suite to be used, a session ID, and its own 32-byte random value, the server random, which is also used later in key generation.
  • Certificate Exchange: After the ServerHello, the server sends its digital certificate. The certificate contains the server's public key and states which domain name that key belongs to; it is how the server proves its identity to the browser, not the other way round. The digital signature on the certificate is someone vouching for the fact that a particular public key belongs to a particular individual or organization. In order to be trusted by the average web browser, a certificate has to be signed by a trusted Certificate Authority (CA). Before signing, the CA verifies that the applicant is:
    1. a real person or business that exists in the public record (for organization-validated certificates), and
    2. in control of the domain they are applying for a certificate for (for most certificates issued today this domain-validation check is fully automated, with no manual review)
    Once the CA is satisfied, it "signs" the site's certificate, essentially putting its stamp of approval on the fact that this public key really belongs to that domain. The browser comes preloaded with a list of trusted CAs and their public keys; it uses them to check the signature, and it also checks that the certificate has not expired and that the name in it matches the host it connected to. If any of these checks fails, the browser shows a certificate warning instead of continuing.
  • Key Exchange: After validating the certificate, the browser generates a random pre-master secret, encrypts it with the server's public key from the certificate, and sends it to the server. Because it is encrypted with the server's public key, it can only be decrypted with the matching private key, which resides only on the server. Both sides then combine the pre-master secret with the client random and server random to derive the same symmetric session keys, without those keys ever crossing the wire. (This is the RSA key exchange of TLS 1.2 and earlier. Modern TLS uses an ephemeral Diffie-Hellman exchange instead, so the server's private key is used only to sign the handshake and never to decrypt the key material; a later theft of the private key then cannot decrypt recorded traffic, a property called forward secrecy. The certificate still authenticates the server in the same way.)

Once both sides hold the same symmetric key, each sends a Finished message encrypted under it to confirm that the handshake was not tampered with, and from then on the browser and server exchange ordinary HTTP requests and responses encrypted with that symmetric key.
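The following is an added example, not code from the original answer or from any TLS implementation. It walks the three phases above for both the browser and the server with only the Python standard library: textbook RSA on hard-coded Mersenne primes stands in for real keys, the "certificate" is a dict signed by a toy CA, and the key derivation is the TLS 1.2 PRF from RFC 5246. It also shows the asymmetric-key idea from the cryptography basics (encrypt with the public key, decrypt with the private key; sign with the private key, verify with the public key). The host name example.com, the key sizes and the certificate layout are assumptions made for the example; nothing in it is production cryptography.

```python
"""Toy model of the RSA-key-exchange HTTPS handshake (TLS 1.2 style).

Added example: textbook RSA on fixed Mersenne primes replaces real keys so
the code runs offline; only the TLS 1.2 PRF (RFC 5246 section 5) is the
real construction.  Not secure, not a real TLS implementation.
"""
import hashlib
import hmac
import secrets
from math import gcd


def make_keypair(p: int, q: int):
    """Textbook RSA key pair from two primes: returns ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = next(e for e in (65537, 257, 17, 3) if gcd(e, phi) == 1)
    return (n, e), (n, pow(e, -1, phi))


# Constructed keys (assumption): Mersenne primes are genuinely prime, but
# public, fixed primes make these keys worthless for anything but a demo.
CA_PUB, CA_PRIV = make_keypair((1 << 127) - 1, (1 << 521) - 1)
SERVER_PUB, SERVER_PRIV = make_keypair((1 << 607) - 1, (1 << 1279) - 1)


def rsa_encrypt(message: bytes, pub) -> int:
    n, e = pub
    return pow(int.from_bytes(message, "big"), e, n)        # public key


def rsa_decrypt(ciphertext: int, priv, length: int) -> bytes:
    n, d = priv
    return pow(ciphertext, d, n).to_bytes(length, "big")    # private key


def cert_tbs(cert) -> bytes:
    """The 'to be signed' part of the toy certificate: subject + public key."""
    n, e = cert["public_key"]
    return f"{cert['subject']}|{n}|{e}".encode()


def issue_certificate(subject: str, subject_pub, issuer_priv):
    """The CA vouches for (subject, public key) by signing their hash."""
    cert = {"subject": subject, "public_key": subject_pub}
    digest = int.from_bytes(hashlib.sha256(cert_tbs(cert)).digest(), "big")
    n, d = issuer_priv
    cert["signature"] = pow(digest, d, n)
    return cert


def verify_certificate(cert, issuer_pub) -> bool:
    """Browser-side check: does the signature open with the CA's public key?"""
    n, e = issuer_pub
    digest = int.from_bytes(hashlib.sha256(cert_tbs(cert)).digest(), "big")
    return pow(cert["signature"], e, n) == digest


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246: expand secret with label+seed to `length` bytes."""
    seed = label + seed
    out, a = b"", seed                                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()    # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def run_handshake(trusted_cas, certificate, server_priv, host: str):
    """Hello, certificate, key exchange; returns (client, server) master secrets."""
    # Hello: each side contributes 32 random bytes.
    client_random = secrets.token_bytes(32)
    server_random = secrets.token_bytes(32)

    # Certificate: the browser checks the host name and the CA signature.
    if certificate["subject"] != host:
        raise ValueError("certificate is for a different host")
    if not any(verify_certificate(certificate, ca) for ca in trusted_cas):
        raise ValueError("certificate not signed by a trusted CA")

    # Key exchange: a fresh pre-master secret (version || 46 random bytes),
    # encrypted to the server's public key taken from the certificate.
    pre_master = b"\x03\x03" + secrets.token_bytes(46)
    client_key_exchange = rsa_encrypt(pre_master, certificate["public_key"])
    server_pre_master = rsa_decrypt(client_key_exchange, server_priv, 48)

    # Both sides derive the master secret from pre-master + both randoms;
    # the symmetric key itself never crosses the wire.
    seed = client_random + server_random
    client_ms = tls12_prf(pre_master, b"master secret", seed, 48)
    server_ms = tls12_prf(server_pre_master, b"master secret", seed, 48)
    return client_ms, server_ms


# Constructed certificates: one signed by the trusted CA, one self-signed.
GOOD_CERT = issue_certificate("example.com", SERVER_PUB, CA_PRIV)
SELF_SIGNED = issue_certificate("example.com", SERVER_PUB, SERVER_PRIV)

if __name__ == "__main__":
    c, s = run_handshake([CA_PUB], GOOD_CERT, SERVER_PRIV, "example.com")
    print("master secrets match:", c == s)
    try:
        run_handshake([CA_PUB], SELF_SIGNED, SERVER_PRIV, "example.com")
    except ValueError as err:
        print("browser rejected:", err)
```

Running it prints that the two independently computed master secrets match, then shows the browser refusing the self-signed certificate because no key in its trust store (here just CA_PUB) opens the signature. Changing the host argument to another name triggers the name-mismatch rejection in the same way. The pre-master secret is recoverable only with SERVER_PRIV; decrypting the ClientKeyExchange with any other private key yields garbage, which is exactly why stealing the server's private key breaks this older exchange and why modern TLS moved to ephemeral Diffie-Hellman.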