The Hypertext Transfer Protocol (HTTP) is the foundational and by far the most widely used protocol for the web. It offers a simple client-server architecture that is straightforward to implement and operate. HTTP by itself is not secured; it needs SSL (Secure Sockets Layer) or TLS (Transport Layer Security) to provide security and confidentiality for the communication.
How HTTPS Works:
The secured version of HTTP is powered by two cryptographic protocols:
- SSL: The older of the two. It was once considered secure but has since been deprecated due to vulnerabilities.
- TLS: The modern, more secure successor to SSL. It is widely adopted and is the method used for secure communication today.
1. Client makes a Request
When a user types a URL starting with https://, the browser initiates a secure connection to the server, which in turn triggers an SSL/TLS handshake.
2. Server sends its SSL/TLS Certificate
The server responds with its SSL/TLS certificate, which includes the server's public key and information about the Certificate Authority (CA) that issued the certificate.
3. Server Certificate verification
The client then makes a request to the CA about the certificate, and the CA responds with its own public key. The keys from the server certificate and the CA are then combined and compared against the server certificate's fingerprint; if they match, the certificate is valid and the server's identity has been verified.
The browser also checks the certificate's expiry date and whether the certificate has been revoked.
4. Creating a Shared Secret
Both the client and the server need to agree on a single shared secret key without actually sending a copy of it to each other.
This can be done using one of two methods, Diffie-Hellman key exchange or Elliptic Curve Diffie-Hellman (ECDHE); with either, both parties agree on a shared secret key without ever sending it over the network.
The client generates a random value called the pre-master secret; this is encrypted with the server's public key using asymmetric encryption and then sent to the server. The server decrypts it with its private key. Now both parties hold a single key that can be used for secure communication.
5. Data Transmission (Secured) begins
Now that the session key is established, both parties encrypt their messages with symmetric encryption using this key.
The data sent is considered secure because the connection maintains:
- Confidentiality: Only the client and server can decrypt and read the messages.
- Integrity: Data integrity is maintained, as any tampering with the data would lead to an error in decrypting it.
- Authentication: Users can be sure they are communicating with the authentic server.

Digital Certificates
A digital certificate is also referred to as an SSL/TLS certificate. It uses a set of cryptographic protocols designed to provide secure communication between two parties.
A Digital Certificate serves two primary purposes:
- Authentication: It verifies the identity of the website/server to ensure that it is legitimate.
- Encryption: It also supplies the server's public key, which is used to encrypt data for secure communication.
The certificate contains:
- The Public key
- Domain Name
- Organization Name
- Issuer CA
- Certificate Expiration Date
- Fingerprint/Signature
Certificate Authority
A Certificate Authority (CA) is a trusted organization that issues SSL/TLS certificates; it is also responsible for verifying the legitimacy of the certificate requester.
The whole process is based on a trust chain. The root CA is the highest authority with the highest level of trust. Intermediate CAs sign the certificates for websites. The intermediate CA's certificate links back to the root CA, which establishes a chain of trust; the browser trusts the certificate as long as this chain is maintained.
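To make the trust chain and the step-3 checks concrete, here is an added example (not code from the original article) that builds a root CA, an intermediate CA and a server certificate with Go's standard crypto/x509 package, then verifies the server certificate the way a browser does: signatures back to a trusted root, validity period, and host name match. The CA names and the host name www.example.test are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// newCert issues tmpl signed by parentKey; a nil parent makes it self-signed (the root CA).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the subject's own key pair
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// certTemplate fills the fields the article lists: subject name, validity period, CA flag, DNS names.
func certTemplate(cn string, serial int64, isCA bool, dns ...string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, DNSNames: dns,
	}
}
// BuildChain creates the constructed three-link chain: root CA -> intermediate CA -> server (leaf).
func BuildChain(host string) (leaf, inter, root *x509.Certificate) {
	root, rootKey := newCert(certTemplate("Example Root CA", 1, true), nil, nil)
	inter, interKey := newCert(certTemplate("Example Intermediate CA", 2, true), root, rootKey)
	leaf, _ = newCert(certTemplate(host, 3, false, host), inter, interKey)
	return leaf, inter, root
}
// VerifyChain mirrors the browser: the leaf must chain through inter to a root in the trust store,
// be valid at time `at`, and carry the requested host name. A nil error means the chain holds.
func VerifyChain(leaf, inter *x509.Certificate, host string, at time.Time, trusted ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters, CurrentTime: at})
	return err
}
```

Removing the root from the trust store, omitting the intermediate, asking for a different host name, or evaluating the chain after NotAfter each makes VerifyChain return an error, which is exactly the "chain is maintained" condition the text describes.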
Conclusion
In summary, HTTPS provides secure communication between a client and a server by leveraging the SSL/TLS protocols. The process involves a TLS handshake in which the server's identity is checked with the help of Certificate Authorities (CAs); secure communication can then begin. The use of encryption ensures confidentiality, integrity, and authentication, making sure that the client and server communicate securely without tampering or eavesdropping by anyone.