Skip to main content

HTTPS for dummies - so how HTTPS really works in 5 mins

What is HTTPS?

HTTPS (HyperText Transfer Protocol Secure) is a way of transferring data over internet in a secure manner. It's achieved through adding SSL (Secure Socket Layer)/TLS (Transport Layer Security) on top of standards HTTP.

What HTTPS gives us?

  1. End-2-end encryption of data - from the browser to the server and back = even if someone reads the data you are sending, they will not be able to understand anything out of it
  2. Confirmation of the identity of the website we are accessing = you are sure that the website that looks like your bank is actually your bank (and not a phishing website)

How does it work?

First you need a pair of SSL certificates:
  1. One installed in your web browser (in most cases shipped together with your browser, provided by one of so-called trusted Certificate Authorities)
  2. One installed on the website (which is acquired by the website owner)
Each of those SSL certificates includes the following information: 

  • Public information: name of the owner, website name (domain) for which it is valid, public key, digital signature, validity dates, issuer,
  • Private information: private key
The initial handshake flow can be split into 3 phases - hello, certificate exchange and key exchanged:

1. Hello - to agree on the communication method
  • Browser sends to the server information ClientHello message that includes among others information about version of the SSL/TLS that browser supports and cipher (encryption algorithm) that can be used to encrypt communication.
  • Server responds with ServerHello message that among others already points at the SSL/TLS version and cipher that will be used to encrypt communication.
2. Certificate Exchange - to verify server identity

Sever sends public part of its SSL certificate to the client, which is able to verify the digital signature using the certificate installed in the browser (one coming from Certificate Authorities). If everything is ok, browser displays the green lock, information that the website is secure and (depending on the browser) the name of the owner next to the website URL, like below:



3. Key Exchange - to agree on the key used for encryption of the communication

Client generates a random encryption key for the cypher selected by the server, encrypts it with the public key provided by the server (which ensures that only server can decrypt it) and sends it to the server. Server encrypts the message and since this moment all the communication is encrypted with provided key and selected cypher.

Additional questions

  • Can someone see the exact URLs I am sending to the server?
No, the only thing that the listening party will see is the IP of the server which is contacted. From the IP, a domain name can be reverse-engineering, but that's it. Your google queries are encrypted.
  • How safe HTTPS is?
SSL/TLS is evolving, that's why it's important for service providers to update and patch their servers to the latest versions and for users to use latest versions of browsers. Over the years we saw information about SSL/TLS being broken, but in all cases these were old versions, with new versions of the TLS not having this problem.

Potentially more dangerous is the Certificate Authority trusted root certificates compromise. Fortunately those are not happening often (see some examples in this article) and companies behind your browser keep close attention to those incidents and remove those certificates from the 'trusted' list.

Comments

Popular posts from this blog

Eclipse + EGit - "The authenticity of host ... can't be established" challenge

Recently while writing new Android code I decided that it's the highest time to have a Git repository not only on my hard drive, but also safe in the Internet. After quick search and finding out that I have accounts at almost every popular service that provides Git hosting, I figured out that one that covers everything I need (wiki, bug tracking, code hosting, forums) is the good old sourceforge. I used it also with no problems few months ago on another mobile project, so I was hoping that pushing code there will be a piece of cake. But then when I tried to do it (after configuring the project on the sourceforge site), I got very interesting error: ssh://USER@git.code.sf.net:22: org.eclipse.jgit.transport.CredentialItem$YesNoType:The authenticity of host 'git.code.sf.net' can't be established. RSA key fingerprint is 86:7b:1b:12:85:35:8a:b7:98:b6:d2:97:5e:96:58:1d. Are you sure you want to continue connecting? In theory it's nothing bad, you press the "Y

How to make Logitech Trackball Marble Wheel work

If you bought Trackball Marble from Logitech, the first challenge you encounter is probably related to the lack of the wheel button. Unfortunately the software provided with the device for Windows doesn't help (neither Universal or Auto Search aren't really working as I was expecting). Internet suggests mostly one option, app called Marble Mouse Scroll Wheel http://marble-mouse-scroll-wheel.software.informer.com/ To some extent it works, but I wasn't able to make it work in google maps or in picture viewer. Moreover setting where crashing very often (I am running windows 7 64 bits). Fortunately there is a way to have a semi-wheel button behavior with this trackball, but with a different software - X-Mouse Button Control: http://www.highrez.co.uk/downloads/XMouseButtonControl.htm Setup Mouse button 4 and 5 as wheel up and wheel down. Then also update Logitech SetPoint settings to replace the behavior of those button to default. Voila - now you can emulate wheel