HTTPS Communication

[Image: How to Prepare for Google's HTTPS Update in October 2017 | Hallam. Image source: https://www.hallaminternet.com/]

HTTPS (Hypertext Transfer Protocol Secure) is an extension of HTTP used to secure communication over a computer network. In HTTPS, the HTTP exchange is carried inside a connection encrypted with TLS (Transport Layer Security) or, formerly, its predecessor SSL (Secure Sockets Layer). SSL is obsolete and should be disabled on any server still offering it; only TLS (ideally 1.2 or 1.3) should be accepted.

HTTPS uses asymmetric cryptography to establish the connection between client and server (authenticating the server and agreeing on a shared secret), and then symmetric encryption for the actual data transmitted between them, because symmetric ciphers are far faster for bulk data.

Asymmetric encryption uses a key pair, a public key and a private key, with the rule that data encrypted with one key can only be decrypted with the other: anyone holding the public key can encrypt a message that only the private-key holder can read, and a signature made with the private key can be checked by anyone holding the public key. Symmetric encryption uses a single shared key for both encryption and decryption.

Communication steps using HTTPS

  • The client checks the URI scheme; if it is https, it opens a TLS connection to the host (port 443 by default) and the server presents its certificate during the handshake. The certificate contains the host's identity (its DNS names), the host's public key, a validity period, the issuer (a Certificate Authority) and the issuer's signature.
  • The server returns a certificate issued and signed by a Certificate Authority. To sign it, the CA computes a hash of the certificate's contents and signs that hash with its private key; the resulting signature is embedded in the certificate. The CA does not encrypt the certificate itself, and nobody without the CA's private key can produce a valid signature over it.
  • Clients are shipped with a trust store: the root certificates (and therefore the public keys) of known, trusted Certificate Authorities.
  • The client reads the issuer from the certificate, looks up that CA's public key in its trust store and uses it to verify the signature over the certificate's contents, which confirms that the certificate really was issued by that CA. It also checks that the certificate is within its validity period and that its name matches the host that was requested; a certificate with a valid CA signature but for a different hostname must be rejected, otherwise anyone holding a certificate for some site could impersonate any other site.
  • Having verified the certificate, the client trusts that the public key belongs to the host. It generates a new random session key, encrypts it with the server's public key and sends it to the server.
  • The server decrypts the session key with its private key. Only the holder of the private key can do this, which is why that key must never leave the server.
  • At this point a secure connection has been established: only these two parties know the session key, and it is now used to symmetrically encrypt and decrypt the application data.

The key transport in the last three steps is the RSA key exchange of older TLS versions. TLS 1.3 (and the preferred TLS 1.2 cipher suites) instead agree on the session key with an ephemeral Diffie-Hellman exchange that the server signs with its private key, so that a later compromise of the server's private key cannot be used to decrypt recorded traffic (forward secrecy). The certificate checks, however, are the same in every version.
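The steps above carried out end to end, as an added example that is not part of the original article, in Go using only the standard library: a throwaway CA signs a server certificate, the client verifies the chain, validity period and hostname against its own trust store, transports a random session key under the server's RSA public key, and the two sides then protect a request with AES-256-GCM. The hostname example.test, the CA name and all keys are generated for the example, and RSA-OAEP key transport stands in for the TLS 1.2 RSA key exchange the steps describe; the real protocol has more messages and framing than this shows.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ServerHost is the name the demo certificate is issued for (made up for this example).
const ServerHost = "example.test"

// must panics on environment failures (key generation, certificate encoding); they are not protocol events.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue has the signer's private key sign tmpl; parent == nil means self-signed (a root CA).
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// SetupPKI plays the CA: it creates a root, then signs the server certificate (a hash of the
// certificate body, signed with the CA key). Returns the client's trust store and the server's material.
func SetupPKI() (roots *x509.CertPool, serverKey *rsa.PrivateKey, serverCert *x509.Certificate) {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	serverKey = must(rsa.GenerateKey(rand.Reader, 2048))
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caCert := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, &caKey.PublicKey, caKey)
	serverCert = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: ServerHost},
		DNSNames: []string{ServerHost}, NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, caCert, &serverKey.PublicKey, caKey)
	roots = x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, serverKey, serverCert
}

// VerifyServerCert is the client's check: the CA signature chains to a trusted root, the
// validity period covers now, and the certificate is for the host the client actually asked for.
func VerifyServerCert(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// ClientKeyExchange: the client picks a random session key and encrypts it to the server's
// public key with RSA-OAEP (TLS 1.2-style RSA key transport; TLS 1.3 uses ephemeral DH instead).
func ClientKeyExchange(serverPub *rsa.PublicKey) (sessionKey, encrypted []byte) {
	sessionKey = make([]byte, 32)
	must(rand.Read(sessionKey))
	return sessionKey, must(rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sessionKey, nil))
}

// Seal/Open protect one application-data record with AES-256-GCM under the shared key (nonce prepended);
// Open authenticates before decrypting, so a tampered or truncated record is rejected.
func Seal(key, plaintext []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
func Open(key, sealed []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("record too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Handshake runs the listed steps end to end and returns the request as the server decrypted it.
func Handshake(roots *x509.CertPool, serverKey *rsa.PrivateKey, serverCert *x509.Certificate, host string, request []byte) ([]byte, error) {
	if err := VerifyServerCert(serverCert, roots, host); err != nil {
		return nil, fmt.Errorf("certificate rejected: %w", err) // stop before any secret is sent
	}
	clientKey, encKey := ClientKeyExchange(serverCert.PublicKey.(*rsa.PublicKey))
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverKey, encKey, nil) // needs the private key
	if err != nil {
		return nil, err
	}
	return Open(sessionKey, Seal(clientKey, request)) // client seals with its copy, server opens with its own
}
```

Drive it by calling SetupPKI once and then Handshake with the hostname the client asked for. Passing any other name, or a trust store that does not contain this CA, makes VerifyServerCert fail before a session key is ever generated, and Open refuses a record whose ciphertext or tag has been modified; those are exactly the failure modes the checks in the steps above exist for.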

References and More Resources: