How Does HTTPS Work?

We all know http isn’t secure. This is because http transfers our requests and responses for Web pages in plaintext over the Internet. This makes http sessions vulnerable to man-in-the-middle attacks where hackers can steal your sensitive information. To solve this vulnerability, we created https. This stands for Hypertext Transfer Protocol over SSL encryption (though nowadays we use TLS encryption). Some people just refer to the “s” as meaning “secure.” That’s not technically correct, but it’s so widely used that it’s just become an acceptable nickname.

https uses both symmetric and asymmetric encryption. Why? Number one, it is more secure. And, number two, asymmetric encryption is not enough to encrypt a large amount of data.

We can map out the steps of establishing an https session in 6 steps. Here’s how it works. If you have trouble visualizing the process, refer to this diagram:

https encryption.png

Step 1:

The client requests an https session with the Web server. This is accomplished by entering an https address in the URL bar. Let’s just say it is one of the Web servers for

Step 2:

The Web server responds to the client by providing its certificate. Certificates are digital documents issued by Certificate Authorities (CAs). The correct pronunciation is “cahs,” not “C.A.s”. To trust a certificate, the CA that issued the certificate itself must be trusted. Many Web browsers include already-trusted CAs; however, CAs can also be trusted if a copy of their root certificate exists in the “Trusted Root Certification Authority” store. Certificates themselves contain a list of information that is useful to our Web browsers.


As you can see from the certificate pictured above, we have a:

  • Serial Number: Uniquely identifies the certificate.
  • Issuer: This identifies the CA that issued the certificate.
  • Valid from: The certificate is valid from a start date and time.
  • Valid to: The certificate is valid until a specified date and time.
  • Public Key: Perhaps the most important part of the certificate is the RSA asymmetric public key of the Web server.

Notice that the Web server’s private key is not included in the certificate. Only the Web server is allowed to access the private key.

The client will check to make sure that the certificate is not on a Certificate Revocation List (CRL) and that it’s not expired. CRL is pronounced as “crill.” If all is well, it will accept the certificate.

Step 3:

The client creates a symmetric key using a symmetric block cipher, such as AES with 128-bit encryption. The AES encryption key is 53. In reality, the key is actually very long, but it’s shortened for this demonstration. This symmetric encryption key will be used to encrypt session data transferred between the client and the Web server. The symmetric key itself is encrypted using the asymmetric RSA public key that was provided by the Web server’s certificate. The symmetric key now becomes a cyphertext (e.g., GH@jkPS). That way, when it travels over the network, it is encrypted and cannot be viewed by hackers.

Step 4:

The client sends the encrypted symmetric key to the Web server. Only the Web server’s private key can decrypt this. Why? Because asymmetric encryption uses two key pairs (a private key and a public key). They both work together. So, even if a hacker intercepts the https traffic, he would need the private key to decrypt the information, which he does not have access to.

Step 5:

The Web server decrypts the symmetric key by using its private key. Now, both the client and the Web server know the symmetric key that will be used to encrypt the session data. This symmetric key was transferred over the network and the Internet using asymmetric encryption. And perhaps, most importantly, the symmetric key was sent through what we call an “out-of-band” key exchange. This simply means that the symmetric key was not transferred with the session encryption data.

Step 6:

Now that both the client and Web server know the symmetric key, they can begin communicating over the Internet and exchanging Web page information that is encrypted with the symmetric key.

And that’s it. This all happens so fast that we should show more of an appreciation for how complex it really is.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

Up ↑

%d bloggers like this: