How HTTPS 🔒 Works to Keep You Secure 🔐 and How it Differs From HTTP
There has been a lot of noise over the past couple of years about upgrading every website to use HTTPS, and with good reason.
There are many benefits to upgrading to HTTPS, including better search engine listings and performance. You will also be able to use more functionality in browsers. HTTPS is one of the three core requirements to be a progressive web app.
So how does HTTPS or SSL work?
Why is HTTPS important?
What Is the Difference Between HTTPS and HTTP?
HTTPS is a secure form of the HTTP protocol. It wraps an encrypted layer, Transport Layer Security (TLS), around HTTP. Clients and servers still communicate using HTTP, but the exchange is now secure because of the TLS wrapper.
Attackers can't read the data crossing the wire, and you know you are talking to the server you think you are talking to.
HTTPS is an acronym that stands for Hyper Text Transport Protocol Secure. The 'secure' part is important because it makes a huge difference.
HTTP sends 'plain text', or a binary file (like an image), that anyone can read or see.
HTTPS is based on public/private-key cryptography. There is a key pair:
- The public key is used for encryption
- The secret private key is required for decryption.
A certificate is a public key with a label identifying the owner.
The HTTPS Stack
HTTP is just a protocol, but when paired with TLS or transport layer security it becomes encrypted.
You may know TLS by another acronym, SSL. Secure socket layer or SSL was the original way we secured the Internet. As we evolved our standards, we retired SSL, but the acronym remains the more popular term for TLS.
If you look at a network stack diagram, HTTP is at the top, on top of TLS, which sits on top of the TCP and IP layers.
I know those are a lot of acronyms but don't worry.
When HTTP is combined with TLS you get HTTPS, the secure version of HTTP.
The HTTPS Handshake
When your browser connects to an HTTPS server, the server will answer with its certificate. The browser checks if the certificate is valid:
- the owner information needs to match the server name that the user requested.
- the certificate needs to be signed by a trusted certification authority.
If one of these conditions is not met, the user is informed about the problem.
When HTTPS is used, a series of handshakes takes place.
The initial request is sent to the server for verification. When the server responds that it is the desired server, the client then sends a hello message.
At this point the communication becomes encrypted.
Is to exchange encryption keys or ciphers.
At this point the real communication can proceed. The initial handshake steps take place in a matter of milliseconds.
When HTTPS is used, which element of the communication is encrypted?
Once the HTTPS handshake is complete all communications between the client and the server are encrypted. This includes the full URL, data (plain text or binary), cookies and other headers.
The only part of the communication not encrypted is which domain or host the client requested a connection to. This is because when the connection is initiated an HTTP request is made to the target server to create the secure connection. Once HTTPS is established the full URL is used.
This initialization only needs to occur once for each unique connection. This is why HTTP/2 has a distinct advantage over HTTP/1.1, since it multiplexes connections instead of opening multiple connections.
The Passive Attacker
First, we need to look at how HTTP works. This stands for hypertext transport protocol and is how we move data across the Internet.
By design HTTP is not encrypted. This means that the data moving across the wire is visible to anybody who has access.
Bad guys can passively read packets moving across the Internet. This means they can read the text that you are sending and receiving. This is why using a secure protocol is important when transferring personal and sensitive data.
Let's take a common example, the coffee shop. Many of us go to coffee shops, restaurants and other public places with public Wi-Fi to do work and just hang out.
But if you knew what the bad guys could see, you might think twice about that strategy.
Wi-Fi is uniquely susceptible because it is, well, airborne. This means anybody with the intent can see the traffic going across the air.
Attackers have been known to hang out in public Wi-Fi settings and just absorb the Internet traffic around them. They can then use sophisticated analysis to determine sensitive data that you may not have considered.
Are you doing research on an important stock price?
Maybe you're researching data for an important work project and that bad guy just happens to be a corporate spy.
Of course this is contrived, but it should get you thinking about what might transpire.
So using HTTP, your Internet sessions are public domain. You have no true privacy.
Blocking the Passive Attacker
When using HTTPS, the passive attacker I described earlier no longer can read your data. That's because the actual data is wrapped by an encryption layer.
The only two parties that can read the data are the server and your browser.
The TLS layer acts like a shield, blocking unwanted eyes from watching your conversation.
The Active Attacker or Man In the Middle Attack
Sometimes attackers are more aggressive. They set up their own infrastructure to reroute requests. This is known as a Man in the Middle Attack.
Without using HTTPS you have no assurance you are talking to the desired server. And the server cannot determine if it really is talking to you.
With HTTPS, there is a level of data integrity that protects you from an attacker intercepting your requests and the server's responses. The certificates require that each end know how to encrypt and decrypt the data and only they know how to do this.
I think getting into the details of how the encryption algorithms actually work is a little above the point of this post. But let's just say it will just be a bunch of gobbledygook without the keys to decrypt and encrypt the packets.
When you establish a secure connection to a remote server you are effectively blocking this active attack. A bad guy cannot install something on an Internet router, for example, that would intercept requests and route them to his server.
Just in case you think the bad guy can fake a certificate, he can't. Well, at least he can't forge the certificate or decrypt the data with the public key. He won't have access to the private key.
See, I told you encryption can be complex!
The certificate contains the public key of the webserver. The attacker's proxy does not have the matching private key.
If the proxy forwards the real certificate to the client, it cannot decrypt information the client sends to the webserver.
The attacker may try to forge the certificate and provide his own public key. This will destroy the signature of the certification authorities. The browser will warn about the invalid certificate.
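The two browser checks from the handshake section and the forged-certificate case above can be modelled in a few lines. This is an added example, not code from the original article: the certificate is reduced to a label plus a public key, the CA is a constructed "Example Root CA" with a deliberately tiny textbook RSA key, and all names and key strings are hypothetical placeholders.

```python
import hashlib

# Toy RSA key for the constructed CA (two Mersenne primes; NOT secure, demo only).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
CA_N = P * Q
CA_D = pow(E, -1, (P - 1) * (Q - 1))          # CA private exponent, never leaves the CA
TRUST_STORE = {"Example Root CA": (CA_N, E)}  # CA public keys the browser ships with

def digest(subject, public_key, n):
    """Hash the signed fields: the owner label and the owner's public key."""
    data = f"{subject}|{public_key}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(subject, public_key):
    """CA side: sign (subject, public key) with the CA private key."""
    sig = pow(digest(subject, public_key, CA_N), CA_D, CA_N)
    return {"subject": subject, "public_key": public_key,
            "issuer": "Example Root CA", "signature": sig}

def name_matches(pattern, host):
    """Owner check: exact match, or '*' standing for exactly one left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def browser_check(cert, requested_host):
    """Return 'ok' or the reason the browser would warn the user."""
    if not name_matches(cert["subject"], requested_host):
        return "name mismatch"
    ca = TRUST_STORE.get(cert["issuer"])
    if ca is None:
        return "untrusted issuer"
    n, e = ca
    expected = digest(cert["subject"], cert["public_key"], n)
    if pow(cert["signature"], e, n) != expected:
        return "bad signature"
    return "ok"

real = issue("www.example.com", "SERVER-PUBLIC-KEY")
# The proxy swaps in its own key but cannot re-sign without CA_D.
forged = dict(real, public_key="ATTACKER-PUBLIC-KEY")
# The proxy signs for itself under an issuer the browser does not trust.
self_signed = dict(real, public_key="ATTACKER-PUBLIC-KEY", issuer="Evil CA")
for label, cert in [("real", real), ("forged", forged), ("self-signed", self_signed)]:
    print(label, "->", browser_check(cert, "www.example.com"))
```

Changing any signed field, including the public key, changes the digest, so the CA's existing signature no longer verifies; that is the "destroyed signature" the browser warns about.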
Wrapping it Up
HTTPS should be used everywhere. The excuses of the past are no longer valid.
By using HTTPS you are providing your visitors a secure connection. They can also have confidence the communication is with your server and not someone passively or actively peeking in.