HTTPS [EP 01] — How It Works?

HTTPS [EP 01] — How It Works?

Have you ever wondered, what it means by Connection is secure — shown on your browser?

Fig: Proof of: LinkedIn uses HTTPS 😋

Ummm…you may think by yourself, Yes I know it! It is HTTPS, a secure hypertext transfer protocol that is being used here!

But do you know how it works? What are the benefits of using a secure connection? If this is a Blackbox for you, then, you are in the right place! Let’s try to unwrap the Blackbox together! 😊

A Little Bit of Cryptography 💌

Let’s consider, that you have a key pair, one is a private key another is a public key!

  • Private key: As the name implies, no one knows this key without you!

  • Public key: Anyone in the world (not in the universe, because maybe for an Alien it will be a piece of cake to break the private key from it!😋) can have this key.

This key pair is generated in such a way that, if some text is being encrypted by the public key then only the private key can decrypt it to the original text.

Fig: Let’s Encrypt the World 😍

This cute small system is called Public-key Cryptography!

For now, this piece of knowledge is enough, maybe later I will discuss more about public key cryptography.

Let’s Create the Secure Connection 😊

  • STEP 1: Say, we hit https://www.linkedin.com in our web browser.

  • STEP 2: The LinkedIn server has a key pair, one public key (say, PUB-K1), and one private key (say, PRV-K1). The LinkedIn server will return a certificate (for example, considered: signed by Google CA) as the response.

Fig: Hi…Yeah, this is my certificate! 🫡

Certificate: contains a public key (here, PUB-K1) that is signed by a trusted CA (Certificate Authority).

Certificate Authority: Normally browsers have public keys from all the trusted certificate authorities. Trusted CAs are basically do the verification of certificates signed by them.

  • STEP 3: Our browser will say, I have Google CA’s public key, and using that public key, the browser will verify the certificate is valid.

  • STEP 4: The browser will extract the PUB-K1 (i.e. LinkedIn’s public key).

  • STEP 5: The browser will send an encrypted secret key (say, SEC-K), encrypted by PUB-K1 to the LinkedIn server.

Fig: Oh yeah! We are now secure enough, let’s talk! 🦜

  • STEP 6: The LinkedIn server will be able to decrypt SEC-K by its private key, i.e. PRV-K1.
    So at this moment in the whole world, only the client and the server have the secret key, so, a secure connection is established between the client and the server.
    For further data encryption/decryption, this SEC-K will be used on both sides.

Symetric & Asymetric Encryption: After establishing secure connection, only one key is being used to encrypt and decrypt data — it is called Symetric encryption. Before that, a key pair is used — that is called Asymetric encrytion.

How HTTPS Secure Our Online Presence? 🫥

HTTPS confirms:

  • Privacy: If client and server communication is not happening using an encrypted channel, anyone can intercept the requests and read our private information, e.g. password, bank credentials, valuable secret information, etc.

  • Integrity: Integrity means “the quality of being honest and having strong moral principles”. If someone in between changes our information, the other side will get the wrong information which can cause a disaster in our life.

Fig: Man in the middle attack

Man in the middle attack🥷: During data transfer between client and server an intruder can access and damage the original data.

  • Identity: While exchanging the certificate, a sender can put his digital signature inside the certificate, which can ensure the identity of the sender.

TLS/SSL: When we see a website is using https in address bar that indicates the server is using TLS (Transport Layer Security) / SSL (Secure Socket Layer) to secure the data transfer. We can say, TLS is the upgraded version of SSL.