Understanding HTTPS



This content originally appeared on Level Up Coding - Medium and was authored by ayt


First, what is HTTP?

Before we talk about HTTPS, we have to know what HTTP is, and why bare HTTP is no longer acceptable for anything sensitive. HTTP (Hypertext Transfer Protocol) is the application-level protocol a browser uses to request web pages and other resources from a web server and to receive the responses. HTTP itself is still everywhere; what has changed is that it is now almost always carried inside an encrypted connection. Why is plain HTTP not safe? Simply put, it neither encrypts nor authenticates the data travelling between the user and the server. Anyone on the path (a rogue Wi-Fi access point, a compromised router, an ISP) can read the traffic, and an active man-in-the-middle can also modify it or impersonate the server, exposing credit card numbers, passwords, session cookies, and so on. This is where HTTPS comes into play.

What is HTTPS?

HTTPS = HTTP + SSL/TLS. That is the general statement of what HTTPS is: the same HTTP requests and responses, carried over a TLS connection. SSL (Secure Sockets Layer) is the old name; every SSL version is deprecated, and what actually runs today is TLS (Transport Layer Security) 1.2 or 1.3, although the phrase "SSL certificate" has stuck. It is the TLS layer that makes HTTPS safe, and it has three jobs: authentication (verifying that the server you are talking to is the server you think you are talking to), confidentiality (ensuring the data transferred between you and the server is readable only by you and the server), and integrity (ensuring that any tampering with that data in transit is detected and the connection fails).


The handshake of an SSL/TLS connection

The handshake, as described here, has three phases: hello, certificate exchange, and key exchange. This is the classic TLS 1.2 flow with RSA key exchange. TLS 1.3 compresses it, so that key-exchange material already travels inside the hello messages and the certificate is sent encrypted, but the job of each phase is the same.

Hello phase

The client sends a ClientHello and the server answers with a ServerHello; each carries what the other side needs to set up the connection. The ClientHello includes the highest TLS version the client supports (TLS 1.3 lists all supported versions in an extension), a random value that will feed into the key derivation, and the list of cipher suites the client can use, i.e. the key exchange, authentication, encryption and hashing algorithms it is capable of. The ServerHello carries the server's own random value, the protocol version it has chosen, which is the highest version both sides support rather than necessarily the one the client named first, and the single cipher suite it picked from the client's list. If there is no common version or cipher suite, the server aborts the handshake with an alert. The client's ordering of cipher suites is only a preference; the server's configuration decides which suite wins.

Certificate Exchange

This is where the server proves its identity to the client by presenting its SSL/TLS certificate, usually together with the intermediate CA certificates that lead back to a root. Some of the information the certificate contains: the domain name(s) it was issued for, in the Subject Alternative Name list (older certificates used the Common Name, which browsers no longer accept on its own), the public key of the certificate holder, the validity period, the name of the issuing Certificate Authority, and the issuer's digital signature over all of the above. The client checks the certificate to decide whether it is legitimate; we will talk about how in a minute.

Key Exchange

HTTPS uses a combination of two kinds of encryption: asymmetric (public-key) and symmetric (secret-key). Public-key operations are slow, so they are used only to agree on a key; the bulk data is then protected with a fast symmetric cipher such as AES-GCM or ChaCha20-Poly1305. In the classic RSA key exchange the client generates a random premaster secret, encrypts it with the public key from the server's certificate and sends the ciphertext to the server. Only the server can decrypt it, because only the server holds the matching private key. From that shared secret, together with the random values from the hello messages, both sides derive the same set of session keys (in practice one key per direction rather than a single key) and switch to symmetric encryption for the rest of the connection. One important caveat: this RSA key exchange is what TLS 1.2 and earlier used, and TLS 1.3 removed it. If the server's private key is ever stolen, every recorded session that used RSA key exchange can be decrypted after the fact. Modern TLS therefore agrees on the key with an ephemeral (elliptic-curve) Diffie-Hellman exchange, which gives forward secrecy; the server's private key is then used only to sign the handshake, never to decrypt the key.
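The three phases above, as an added example that is not code from the original post or from any TLS implementation: a toy Python model of the hello negotiation, the certificate check and the key exchange. It assumes a toy-sized Diffie-Hellman group, a dict standing in for the X.509 certificate, an HMAC-SHA256 key schedule loosely modelled on TLS 1.3, and constructed ClientHello/server-configuration inputs. It uses the ephemeral Diffie-Hellman exchange that TLS 1.3 mandates rather than the RSA key transport described above, which is why the server's private key never appears in the key exchange at all.

```python
"""Toy model of a TLS handshake: hello negotiation, certificate check, ephemeral
key exchange. Added example, not from the original post or any TLS library."""
import hashlib
import hmac
import os

TLS12, TLS13 = 0x0303, 0x0304      # on-wire protocol version numbers
P = 2**127 - 1                      # toy prime modulus (assumption; real TLS uses 2048-bit groups or curves)
G = 2


def server_hello(client_hello, server_versions, server_suites):
    """Server side of the hello phase: pick the highest version both sides support
    and the first cipher suite in the *server's* preference list that the client
    also offered. Return None when there is no overlap (a real server then sends
    a handshake_failure alert)."""
    common = set(client_hello["versions"]) & set(server_versions)
    suites = [s for s in server_suites if s in client_hello["cipher_suites"]]
    if not common or not suites:
        return None
    return {"version": max(common), "cipher_suite": suites[0]}


def dh_keypair():
    """Ephemeral Diffie-Hellman key: fresh private exponent, public value g^x mod p."""
    priv = 2 + int.from_bytes(os.urandom(16), "big") % (P - 3)
    return priv, pow(G, priv, P)


def derive_traffic_keys(shared_secret, transcript):
    """HKDF-style extract-then-expand with HMAC-SHA256 (simplified TLS 1.3 key
    schedule). Both peers feed the same secret and transcript hash, so they end
    up with identical, direction-specific keys."""
    ikm = shared_secret.to_bytes(16, "big")
    prk = hmac.new(hashlib.sha256(transcript).digest(), ikm, hashlib.sha256).digest()
    return {
        "client": hmac.new(prk, b"c ap traffic", hashlib.sha256).digest(),
        "server": hmac.new(prk, b"s ap traffic", hashlib.sha256).digest(),
    }


def handshake(hostname, client_hello, server_versions, server_suites, server_cert):
    """Run the three phases and report what each side ended up with."""
    # Phase 1: hello
    sh = server_hello(client_hello, server_versions, server_suites)
    if sh is None:
        return {"ok": False, "reason": "no common version or cipher suite"}
    # Phase 2: certificate (toy dict; a real client also verifies the CA signature,
    # the validity period and revocation status, not only the name)
    if hostname not in server_cert["sans"]:
        return {"ok": False, "reason": "certificate not issued for " + hostname}
    # Phase 3: ephemeral key exchange. Only g^a and g^b cross the wire; the
    # private exponents a and b never leave their owner.
    a, ga = dh_keypair()
    b, gb = dh_keypair()
    transcript = repr((client_hello, sh, server_cert, ga, gb)).encode()
    client_keys = derive_traffic_keys(pow(gb, a, P), transcript)
    server_keys = derive_traffic_keys(pow(ga, b, P), transcript)
    return {"ok": True, "negotiated": sh, "keys_match": client_keys == server_keys,
            "on_the_wire": (ga, gb)}


# Constructed sample inputs (not captured from a real connection).
CLIENT_HELLO = {
    "versions": [TLS13, TLS12],
    "cipher_suites": ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256",
                      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
}
SERVER_VERSIONS = [TLS12, TLS13]
SERVER_SUITES = ["TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256",
                 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]   # server preference order
SERVER_CERT = {"subject": "CN=www.example.com", "sans": ["www.example.com", "example.com"]}

if __name__ == "__main__":
    print(handshake("www.example.com", CLIENT_HELLO, SERVER_VERSIONS, SERVER_SUITES, SERVER_CERT))
```

Note that the negotiated suite is the server's first preference that the client offered, not the client's first choice, and that a client offering only TLS 1.2 still gets a connection because the server picks the highest version in common rather than rejecting a version that differs from its own newest.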

Why should we trust the SSL certificate?

It is a good question. Why should we trust it? It is just a text file, and to make matters worse it is a public one: anyone can download a site's certificate and copy it. Here is where digital signatures play a critical role. Checking against the pre-installed list of trusted Certificate Authorities (CAs) and verifying digital signatures are not two alternative methods; they are two halves of one check. The browser verifies the signature on the server's certificate with the public key of the CA that issued it, verifies that CA's own certificate with the key of the CA above it, and so on until it reaches a root certificate that ships pre-installed in the browser or operating system trust store. A certificate whose chain does not end at a trusted root, or that fails any signature along the way, is rejected. On top of the chain, the browser checks that a name in the certificate matches the host it is connecting to, that the certificate is within its validity period, and, where it can, that it has not been revoked.
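How a real client consults that trust store, as an added example that is not code from the original post: the two functions below build a hardened client context and the well-known "make the SSL error go away" anti-pattern, using only Python's standard ssl module, and audit() reports the settings a reviewer would check. No network connection is made when the contexts are built; peer_certificate() shows the correct connect-and-verify call and is only run if you give it a real host.

```python
"""Trust-store and hostname verification settings of a TLS client, using the
standard ssl module. Added example, not from the original post."""
import socket
import ssl


def hardened_client_context():
    """create_default_context() loads the OS/OpenSSL root-CA bundle, requires a
    chain to one of those roots (CERT_REQUIRED) and checks that the certificate
    names the host being connected to. Raising the floor to TLS 1.2 also refuses
    SSLv3, TLS 1.0 and TLS 1.1."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def disabled_verification_context():
    """The anti-pattern: the connection is still encrypted, but any certificate,
    including one an attacker minted a second ago, is accepted, so the
    man-in-the-middle protection described in the article is gone.
    (check_hostname must be switched off before verify_mode, or ssl raises.)"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit(ctx):
    """Settings a reviewer checks before trusting a client's TLS configuration."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "tls12_or_newer": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "trusted_roots": ctx.cert_store_stats()["x509_ca"],  # roots loaded from the system bundle
    }


def peer_certificate(host, ctx, port=443):
    """Connect, let the context verify the chain and name, and return the peer
    certificate as parsed by ssl. Not called below: it needs network access."""
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()


if __name__ == "__main__":
    print("hardened:", audit(hardened_client_context()))
    print("disabled:", audit(disabled_verification_context()))
```

The server_hostname argument to wrap_socket is what the hostname check compares against; omitting it with check_hostname enabled raises rather than silently skipping the check, which is the behaviour you want.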

Digital signatures

A digital signature is a value the Certificate Authority (CA) produces with its private key over the contents of the certificate. More precisely, the CA hashes the to-be-signed part of the certificate (names, public key, validity period, issuer, and so on) and runs the signature algorithm on that hash. To check that the certificate really comes from the CA named in it, the browser recomputes the hash, takes the CA's public key from its trust store, and runs the matching verification on the signature. The popular shorthand "the CA encrypts the hash with its private key and the browser decrypts it with the public key" loosely describes textbook RSA and does not describe ECDSA or EdDSA signatures at all, but the practical point is the same either way: only the CA, as the sole holder of its private key, can create a signature that verifies under its public key, anyone can verify it, and changing a single byte of the signed contents invalidates it.

What if hackers copy the real SSL certificate of a party and represent it to the user?

Yes. Certificates are public, so an attacker can obtain the genuine certificate of a party like Google and present it to the user, and it will pass every check described above. What the attacker does not have is Google's private key, and the handshake is built so that the certificate is worthless without it. In the RSA key exchange, the client encrypts the premaster secret with the legitimate public key from the certificate; the attacker cannot decrypt it, so the attacker and the client never share a session key and the connection fails. In TLS 1.3 (and with (EC)DHE cipher suites in TLS 1.2) the server must additionally sign the handshake transcript with its private key (the CertificateVerify message), and the client checks that signature against the public key in the certificate; an attacker relaying a copied certificate cannot produce it, and the client aborts. In both cases what the handshake really proves is possession of the private key, not possession of the certificate. The guarantee holds only when the client actually performs the verification: client code that disables certificate or hostname checking to silence an error will accept any certificate an attacker hands it, including a freshly self-signed one.
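The two points above, the CA signature check from the "Digital signatures" section and the copied-certificate attack from this one, as a single added example that is not code from the original post. It assumes textbook RSA on toy-sized primes with no padding, a dict in place of X.509, integer dates, and a constructed handshake transcript, so it shows the mechanism rather than a secure implementation: the CA signs the certificate, the client walks the signature back to its trust store, and then the server has to prove possession of the certified key by signing the transcript, which is where an attacker holding only the copied certificate fails.

```python
"""Toy CA signature, trust-store check and proof of private-key possession.
Added example, not from the original post; toy RSA, not production crypto."""
import hashlib
import json


def rsa_keypair(p, q, e=65537):
    """Textbook RSA on toy primes (assumption). Real keys are 2048+ bits and use
    PSS or PKCS#1 v1.5 padding; ECDSA keys cannot 'encrypt' at all."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}


def digest_int(data, n):
    """The signature covers a hash of the data, not the raw bytes."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    return pow(digest_int(data, priv["n"]), priv["d"], priv["n"])


def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == digest_int(data, pub["n"])


def canonical(obj):
    return json.dumps(obj, sort_keys=True).encode()


def issue_certificate(ca_name, ca_priv, subject, subject_pub, not_after):
    """CA signs the to-be-signed part; the signature is appended, not hidden."""
    tbs = {"issuer": ca_name, "subject": subject, "public_key": subject_pub, "not_after": not_after}
    return {"tbs": tbs, "signature": sign(ca_priv, canonical(tbs))}


def verify_certificate(cert, trust_store, hostname, now):
    """What the browser does: find the issuer in the trust store, check its
    signature over the to-be-signed part, then the name and validity period."""
    issuer = cert["tbs"]["issuer"]
    if issuer not in trust_store:
        return False, "issuer not in trust store: " + issuer
    if not verify(trust_store[issuer], canonical(cert["tbs"]), cert["signature"]):
        return False, "bad CA signature"
    if cert["tbs"]["subject"] != hostname:
        return False, "name mismatch"
    if now > cert["tbs"]["not_after"]:
        return False, "expired"
    return True, "ok"


def prove_possession(priv, transcript):
    """TLS 1.3 CertificateVerify, simplified: sign the handshake transcript."""
    return sign(priv, transcript)


def client_accepts(cert, transcript, cert_verify_sig, trust_store, hostname, now):
    ok, reason = verify_certificate(cert, trust_store, hostname, now)
    if not ok:
        return False, reason
    if not verify(cert["tbs"]["public_key"], transcript, cert_verify_sig):
        return False, "peer could not prove possession of the certified key"
    return True, "ok"


# Constructed scenario: a root CA, the legitimate server, and an attacker.
CA_PUB, CA_PRIV = rsa_keypair(1000000007, 998244353)
SRV_PUB, SRV_PRIV = rsa_keypair(2147483647, 1000000009)
ROGUE_PUB, ROGUE_PRIV = rsa_keypair(999999937, 999999929)
TRUST_STORE = {"Toy Root CA": CA_PUB}
SERVER_CERT = issue_certificate("Toy Root CA", CA_PRIV, "www.example.com", SRV_PUB, 20261231)
TRANSCRIPT = b"ClientHello||ServerHello||Certificate"   # constructed, stands in for the real transcript hash


def scenario(case):
    """Four attempts to convince the client it is talking to www.example.com."""
    cert, priv = SERVER_CERT, SRV_PRIV
    if case == "copied_cert":      # attacker relays the genuine cert but has no private key
        priv = ROGUE_PRIV
    elif case == "self_signed":    # attacker mints a consistent cert from a CA nobody trusts
        cert = issue_certificate("Evil CA", ROGUE_PRIV, "www.example.com", ROGUE_PUB, 20301231)
        priv = ROGUE_PRIV
    elif case == "tampered":       # attacker swaps the key inside the genuine cert
        cert = {"tbs": dict(SERVER_CERT["tbs"], public_key=ROGUE_PUB), "signature": SERVER_CERT["signature"]}
        priv = ROGUE_PRIV
    sig = prove_possession(priv, TRANSCRIPT)
    return client_accepts(cert, TRANSCRIPT, sig, TRUST_STORE, "www.example.com", now=20250101)


if __name__ == "__main__":
    for case in ("legit", "copied_cert", "self_signed", "tampered"):
        print(case, scenario(case))
```

Only the "legit" case gets through; the copied certificate is the one that passes every certificate check and still fails, because the proof-of-possession signature is the step that needs the private key.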

Conclusion

In summary, the data exchanged between the user and the server is protected because it is encrypted and integrity-checked with keys that only the two endpoints know, and the authenticity of the server's certificate is confirmed through a chain of digital signatures ending at a CA the browser already trusts, combined with proof during the handshake that the server holds the matching private key.

References

Heaton, R. (2014, March 27). How Does HTTPS Actually Work? robertheaton.com. Retrieved January 29, 2023, from https://robertheaton.com/2014/03/27/how-does-https-actually-work/

