![HTTPS [EP 01] — How It Works?](https://cdn.hashnode.com/res/hashnode/image/upload/v1713114449766/5956b4d7-f2c7-4b72-8d17-9a8385f42b1d.png?w=1600&h=840&fit=crop&crop=entropy&auto=compress,format&format=webp)
Have you ever wondered, what it means by Connection is secure — shown on your browser?
Fig: Proof of: LinkedIn uses HTTPS 😋
Ummm…you may think by yourself, Yes I know it! It is HTTPS, a secure hypertext transfer protocol that is being used here!
But do you know how it works? What are the benefits of using a secure connection? If this is a Blackbox for you, then, you are in the right place! Let’s try to unwrap the Blackbox together! 😊
A Little Bit of Cryptography 💌
Let’s consider, that you have a key pair, one is a private key another is a public key!
Private key: As the name implies, no one knows this key without you!
Public key: Anyone in the world (not in the universe, because maybe for an Alien it will be a piece of cake to break the private key from it!😋) can have this key.
This key pair is generated in such a way that, if some text is being encrypted by the public key then only the private key can decrypt it to the original text.
Fig: Let’s Encrypt the World 😍
This cute small system is called Public-key Cryptography!
For now, this piece of knowledge is enough, maybe later I will discuss more about public key cryptography.
Let’s Create the Secure Connection 😊
STEP 1: Say, we hit https://www.linkedin.com in our web browser.
STEP 2: The LinkedIn server has a key pair, one public key (say, PUB-K1), and one private key (say, PRV-K1). The LinkedIn server will return a certificate (for example, considered: signed by Google CA) as the response.
Fig: Hi…Yeah, this is my certificate! 🫡
Certificate: contains a public key (here, PUB-K1) that is signed by a trusted CA (Certificate Authority).
Certificate Authority: Normally browsers have public keys from all the trusted certificate authorities. Trusted CAs are basically do the verification of certificates signed by them.
STEP 3: Our browser will say, I have Google CA’s public key, and using that public key, the browser will verify the certificate is valid.
STEP 4: The browser will extract the PUB-K1 (i.e. LinkedIn’s public key).
STEP 5: The browser will send an encrypted secret key (say, SEC-K), encrypted by PUB-K1 to the LinkedIn server.
Fig: Oh yeah! We are now secure enough, let’s talk! 🦜
- STEP 6: The LinkedIn server will be able to decrypt SEC-K by its private key, i.e. PRV-K1.
So at this moment in the whole world, only the client and the server have the secret key, so, a secure connection is established between the client and the server.
For further data encryption/decryption, this SEC-K will be used on both sides.
Symetric & Asymetric Encryption: After establishing secure connection, only one key is being used to encrypt and decrypt data — it is called Symetric encryption. Before that, a key pair is used — that is called Asymetric encrytion.
How HTTPS Secure Our Online Presence? 🫥
HTTPS confirms:
Privacy: If client and server communication is not happening using an encrypted channel, anyone can intercept the requests and read our private information, e.g. password, bank credentials, valuable secret information, etc.
Integrity: Integrity means “the quality of being honest and having strong moral principles”. If someone in between changes our information, the other side will get the wrong information which can cause a disaster in our life.
Fig: Man in the middle attack
Man in the middle attack🥷: During data transfer between client and server an intruder can access and damage the original data.
- Identity: While exchanging the certificate, a sender can put his digital signature inside the certificate, which can ensure the identity of the sender.
TLS/SSL: When we see a website is using https in address bar that indicates the server is using TLS (Transport Layer Security) / SSL (Secure Socket Layer) to secure the data transfer. We can say, TLS is the upgraded version of SSL.