Introduction
HTTPS stands for Hypertext Transfer Protocol Secure, the secure version of HTTP. It uses the SSL/TLS protocol to encrypt the data exchanged between the user and the website. This makes the information unreadable to unauthorized parties, so users can browse websites without the risk of their data being read and used by third parties. This matters whenever users send sensitive information: payment details to a shopping website, login credentials to access their email, personal information to register for a service, and so on.
In our previous blogs, we looked at Cryptography Basics, Advanced Techniques and RSA PKI. In this blog, we'll look at what HTTPS is, how it differs from HTTP, and how the cryptography concepts covered earlier are used to implement HTTPS.
What is HTTPS?
HTTP is a client-server protocol that lays the foundation for transferring data over the web. It lets a user agent (the client) send a request to a server. The user agent can be anything: a web browser, an application, or even a web-crawling robot that indexes websites for search engines. Each request from the user agent is sent to the server, which handles it and sends back a response.
HTTPS is the secure version of HTTP. It uses the Transport Layer Security (TLS) protocol to encrypt the information passed between the browser and the server. TLS is the successor of Secure Sockets Layer (SSL), and the two names are often used interchangeably. HTTPS is specified by RFC 2818 and uses port 443 by default instead of HTTP's port 80. With this protocol, users can share data with the intended party without worrying about someone stealing their sensitive data. With recent developments, HTTPS has become the gold standard for all websites, regardless of whether or not they exchange information with the user.
Web browsers have taken note: Google Chrome flags HTTP websites as not secure, and Mozilla Firefox offers an HTTPS-Only Mode in which only websites that support HTTPS are loaded. Google's search ranking also penalizes websites that do not support HTTPS, so website owners need to ensure that their site supports HTTPS to meet Google's SEO guidelines.
Below is a sample image in which the browser flags a website as not secure because it does not support HTTPS.
HTTP/2 is a revised version of HTTP (specifically of HTTP/1.1). It was published in 2015, and browsers only implement it over HTTPS. This newer version, with a wide range of new features, allows for faster web browsing and an improved user experience.
How Does HTTPS Work?
HTTPS establishes communication between the browser and the web server using TLS (the successor to SSL). It uses the conventional HTTP protocol and wraps it in a layer of SSL/TLS. So, in a way, we can say:
HTTPS = HTTP + SSL
With this setup, the browser and server still communicate using the HTTP protocol, but over a secure TLS connection. The TLS connection encrypts and decrypts the data being exchanged, so information sent via HTTPS cannot be snooped on.
In the previous blogs we looked at Symmetric Encryption, Asymmetric Encryption, Hybrid Encryption, PKI Certificates and so on; HTTPS combines these concepts to make it work.
Below are the high-level steps involved.
Step 1 – Handshake
- The user's web browser attempts to connect to a website using HTTPS. It initiates the handshake by sending the server the list of encryption algorithms it supports.
- The browser and server then negotiate and agree on the cipher suite (AES, 3DES, etc.), hashing algorithm (SHA-1, SHA-256, etc.), TLS version and other parameters to use for the session.
Step 2 – Certificate Exchange
- The server responds by sending its PKI certificate, which contains its public key and identification details and is issued by a trusted Certificate Authority (such as DigiCert, Verisign or GoDaddy).
- The browser verifies that the certificate is valid and signed by a trusted certificate authority. This confirms that the browser is communicating with the intended server and not an impersonator.
Step 3 – Key Exchange
- The browser generates a random symmetric session key, which will be used to encrypt and decrypt messages between the browser and the server. It encrypts this session key with the server's public key and sends it to the server.
- The server uses its private key to decrypt this message and recover the session key sent by the browser. The private key belongs to the website owner and resides only on the server side.
Step 4 – Transmitting Information
All messages between the browser and server are now encrypted with the symmetric session key from Step 3, so a third party intercepting the connection cannot read them. Symmetric encryption is much faster than asymmetric encryption, which makes the communication both efficient and secure.
The data protected in this exchange includes request URLs, query parameters, headers, cookies and the website content itself. An eavesdropper can still observe metadata such as IP addresses, port numbers, domain names, the amount of data exchanged and the session duration, but cannot read the sensitive data being transmitted back and forth.
How is HTTPS different from HTTP?
HTTPS improves the HTTP protocol by adding three essential yet missing elements: Encryption, Authentication, and Integrity.
- Encryption
HTTP is a clear-text protocol, so it is prone to eavesdropping and man-in-the-middle attacks. By adding an SSL/TLS layer to the HTTP protocol, HTTPS encrypts the data exchanged between the server and the browser, making it difficult for any third party to understand the data.
The encrypted channel between the two entities (client browser and web server) is set up using public key cryptography during the SSL/TLS handshake.
- Authentication
HTTPS provides authentication through the SSL/TLS protocol. During the handshake, the browser checks the website's SSL/TLS certificate, which includes the server's public key, and uses it to confirm that the server is who it claims to be.
- Integrity
Every document sent to the user's browser by an HTTPS web server, whether a web page, an image or a JavaScript file, includes a digital signature. The server computes the hash of the message and then encrypts it using the server's private key; this encrypted hash is the digital signature.
The browser uses this digital signature to determine that the document has not been modified by a third party or corrupted in transit. It decrypts the signature using the server's public key to obtain the hash, then independently recomputes the hash of the message. If the two hashes match, the document is intact.
This confirms both message integrity (the message was not modified in transit) and proof of origin (the message was sent by the intended server, which holds the server's private key).
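The hash-then-sign and verify procedure described above, as an added Go example rather than code from the original post; RSA-PSS over SHA-256 is assumed as the signature scheme and the sample document is constructed. Note that in TLS itself the server signs once, during the handshake, and the integrity of each record is then protected by a MAC or AEAD tag under the session key, not by a per-document signature.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewServerKey generates the server's key pair; its public half is what the certificate carries.
func NewServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Sign follows the page's description: hash the document with SHA-256, then sign the hash with the
// server's private key (RSA-PSS padding). The output is the digital signature.
func Sign(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify recomputes the hash independently and checks it against the signature using only the
// public key. A nil error means integrity (unchanged) and origin (made with the matching private key).
func Verify(pub *rsa.PublicKey, doc, sig []byte) error {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil)
}

func main() {
	priv, err := NewServerKey()
	if err != nil {
		panic(err)
	}
	page := []byte("<html><body>Total due: $10</body></html>") // constructed sample document
	sig, err := Sign(priv, page)
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", Verify(&priv.PublicKey, page, sig) == nil)
	altered := []byte("<html><body>Total due: $90</body></html>") // changed in transit
	fmt.Println("altered verifies: ", Verify(&priv.PublicKey, altered, sig) == nil)
}
```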
The Bottom Line
Having looked at HTTPS in detail, its importance is easy to see. HTTP websites are prone to cyber-attacks such as packet sniffing and session hijacking; HTTPS websites protect the user's data in transit, i.e. sensitive information like credit card numbers and passwords.
HTTPS also improves the user experience, because users are assured that they are communicating with a safe website; they can tell whether a website is safe by looking for the padlock sign in the browser. Also, Google uses HTTPS as a ranking signal, so your website will rank higher, get more organic traffic and boost conversions if it uses HTTPS.