HTTP vs HTTPS and how it works

We have all seen http and https when visiting a website. Let's understand what they mean and why we use them, and then take a deep dive into what HTTPS means and how it provides security.

Some background on how a request is sent and a response is fetched

Consider an example where you type facebook.com. What happens after this? Let's see.

  1. The browser sends a request to a Domain Name Server (DNS), which resolves the IP address for facebook.com.

  2. After the IP address is identified, the browser sends the request to the server running at that IP address. (This is the address of a server, just like your home address: your friends say "let's go to Jack's home" instead of "let's go to 3333 St Jackson St, New York".) The HTTP connection is initiated between the client and the server on port 80 of the server. The actual connection established is a TCP (Transmission Control Protocol) connection, which is the underlying connection in HTTP.

  3. Based on whether the request sent by the client is a GET, POST, etc., the server identifies it and sends the requested response along with a status code indicating whether the request succeeded or not.

    This is the basic overview of what happens when you type a web address.

So what is HTTP?

HTTP is a data transfer/communication protocol. Because of it, the web browser (client) and the server are able to talk to each other.

Why do we need HTTPS?

  1. The data sent between the client and the server over HTTP is not secure. When an HTTP connection is established between client and server, hackers can sniff the packets (the data is sent as packets) and read sensitive information. For example, if you log in with a user ID and password and the server doesn't have HTTPS enabled, your user ID and password can be seen and used for various purposes. That is the reason HTTPS came into the picture.

  2. HTTPS = HTTP + SSL. It adds an extra layer of security to the communication by encrypting the data transferred between the client and the server.

  3. The primary purpose of HTTPS is to encrypt the data exchanged between the client and the server. This encryption helps protect sensitive information, such as login credentials, personal details, and other data, from being intercepted and read by unauthorized parties.

How is data encrypted when using HTTPS?

Before that you need to understand a few concepts:-

  • Asymmetric key encryption: if the data is encrypted with the public key, it can only be decrypted with the matching private key, and vice versa.

  • Symmetric key encryption: the data is encrypted using a single key, and that same symmetric key is used for both encryption and decryption of the data.

  1. Consider that you type the URL facebook.com in your browser. During connection setup, when the server receives the request, the process of server authentication starts, in which the server presents a digital certificate (just like a driving license) to prove its identity. This certificate is issued by a trusted Certificate Authority (CA).

  2. A Certificate Authority (CA) is an authority that clients such as web browsers trust to vouch that the server the browser is talking to is legitimate/genuine.

  3. When a CA issues a certificate, it signs the certificate using its private key. The server sends the certificate, along with the server's public key, to the client/web browser.

  4. The browser verifies whether the server is legitimate or not. It does this by using the Certificate Authority's public key to decrypt the signature on the certificate, which confirms that this is a legitimate server.

    1. But you may ask: how does the browser have the public key of the Certificate Authority?

      • Since a CA is a globally trusted authority (e.g. Google CA), web browsers hold a list of public keys for their trusted CAs beforehand, so that they can verify whether the server is a genuine one or not.

  5. After the web browser verifies that the server is legitimate/genuine, it creates a session key (a symmetric key; refer to the concepts mentioned above). This session key is then encrypted using the public key that the server sent along with the digital certificate, and the encrypted session key is sent back to the server.

  6. Now the server can decrypt the session key using its private key (refer to the concept mentioned above). As mentioned above, if data is encrypted with the public key, it can only be decrypted with the matching private key.

  7. So now the server has the session key, and the client also has it because the client created it.

  8. All this happens when you type the website address, during the HTTP connection establishment phase.

  9. Once the secure connection is established, the data transmitted between the server and the client is encrypted using that specific session key. Since the session key is a symmetric key, both parties can encrypt and decrypt the information exchanged between them with the same key.

Final example for better understanding:-

  1. Consider that you are logging into your banking website to do a transaction. You enter the address, the HTTP connection is established, a session key is shared between the browser and the server, and the server returns a login page.

  2. When you enter your ID and password, this data is encrypted using the session key we talked about earlier. Even if a hacker sits in between, that person cannot decrypt the data because they don't have the session key.

  3. When the data (login details) reaches the server, the server decrypts it using the session key. This ensures that the data is secured.
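The numbered handshake steps and the banking login example above can be traced in a few lines of Python. This is an added example, not code from the original article: it uses textbook RSA on fixed constructed primes and a SHA-256 XOR stream as teaching stand-ins for real TLS primitives, and every function name and the hostname `bank.example` are assumptions made for the illustration.

```python
# Added illustration: textbook RSA on fixed primes and a SHA-256 XOR stream
# stand in for real TLS primitives. Never use this to protect real data.
import hashlib
import secrets

E = 65537  # public exponent

def rsa_keypair(p, q):
    """Return (public, private) keys as (exponent, modulus) pairs."""
    n = p * q
    return (E, n), (pow(E, -1, (p - 1) * (q - 1)), n)

def rsa_apply(key, value):
    """Raise value to the key's exponent: encrypt/decrypt, sign/verify."""
    return pow(value, key[0], key[1])

def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def xor_stream(key, data):
    """Symmetric step: the same call with the same key encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

# Constructed demo keys (Mersenne primes, so the run is reproducible).
CA_PUB, CA_PRIV = rsa_keypair(2**127 - 1, 2**89 - 1)
SRV_PUB, SRV_PRIV = rsa_keypair(2**107 - 1, 2**61 - 1)

def issue_certificate(hostname):
    """Step 3: the CA signs hostname + server public key with its private key."""
    body = f"{hostname}|{SRV_PUB[0]}|{SRV_PUB[1]}".encode()
    return body, rsa_apply(CA_PRIV, digest_int(body, CA_PRIV[1]))

def browser_verify(cert):
    """Step 4: check the signature with the CA public key the browser ships."""
    body, signature = cert
    return rsa_apply(CA_PUB, signature) == digest_int(body, CA_PUB[1])

def handshake_and_login(cert, login):
    if not browser_verify(cert):
        raise ValueError("certificate is not signed by a trusted CA")
    _, e, n = cert[0].decode().split("|")          # server key from the cert
    session_key = secrets.token_bytes(16)          # step 5: browser makes key
    wrapped = rsa_apply((int(e), int(n)), int.from_bytes(session_key, "big"))
    server_key = rsa_apply(SRV_PRIV, wrapped).to_bytes(16, "big")   # step 6
    on_the_wire = xor_stream(session_key, login)   # step 9: what a sniffer sees
    return on_the_wire, xor_stream(server_key, on_the_wire)
```

Changing any byte of the certificate body makes `browser_verify` return False, which is why a server cannot simply swap in its own hostname or key. The key wrapping here follows the article's description; TLS 1.3 instead agrees on the session key with an ephemeral Diffie-Hellman exchange.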

Thank you ❤️ for reading. I would really appreciate it if you like the article and comment if you learnt something new.