Sunday, November 22, 2015

How does HTTPS work?

Nowadays, many servers rely on HTTPS. Besides secure transactions, many web servers also use HTTPS for ordinary browsing.

This raises a question in our mind. Why HTTPS and how is HTTPS more secure than HTTP?

What is HTTPS 

When we type a URL in the browser, an HTTP request goes to the server and the server responds with the appropriate HTML page. Now, HTTP is a stateless protocol. This means that every time the browser wants some data from the server, a new connection is established to the server and the client waits. The server sends the response and closes the connection.

If we think about security, HTTP is an insecure protocol. When data travels between the client and the server, it is unencrypted and, as a result, not safe from a man-in-the-middle attack. And so, HTTPS was developed.

HTTPS uses SSL/TLS for security.

So, what does it mean?

That means all data transferred between the server and the client gets encrypted first. A TLS connection is established between the server and the client, and a key is negotiated between them. Then all data is encrypted with that key and sent over.

How does HTTPS work

So, how does HTTPS work actually?

When a URL is typed in the browser, the browser connects to the server. When a server supports HTTPS, it generates a public-private key pair and keeps the keys with itself. So, whenever a connection is requested to the server, it sends the public key of the key pair to the client.

The client receives the public key of the server and verifies the authenticity of the server's public key with a Certificate Authority. This step is done so that someone malicious cannot forge the public key of the server and send their own public key instead.

After the public key is verified, it is time for the server and the client to negotiate a symmetric key with which they can encrypt the data they send. Using a symmetric key along with encrypting it with the public key of the server ensures more security.

Here, the server and the client use the Diffie-Hellman key exchange algorithm to make sure a symmetric key is negotiated between them, yet the key itself is never communicated directly between them. Instead, each side applies a mathematical formula to the values they exchange in order to derive the key.
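The exchange described above, as an added example that is not code from the original post: both sides derive the same 32-byte key from values that cross the wire in the clear, and each connection gets fresh values. It assumes the RFC 3526 2048-bit group with generator 2, rebuilt from its published formula, and a constructed HMAC label standing in for the TLS key schedule; the function names are illustrative.

```python
import hashlib
import hmac
import secrets

def _atan_inv(x, one):
    """Integer arctan(1/x) * one, from the alternating Taylor series."""
    total = term = one // x
    n, sign = 3, -1
    while term:
        term //= x * x
        total += sign * (term // n)
        n, sign = n + 2, -sign
    return total

# RFC 3526 group 14 (2048-bit MODP), rebuilt from its published formula
# 2^2048 - 2^1984 - 1 + 2^64 * (floor(2^1918 * pi) + 124476); generator 2.
_ONE = 1 << (1918 + 64)                     # 64 guard bits for the pi series
_PI = (16 * _atan_inv(5, _ONE) - 4 * _atan_inv(239, _ONE)) >> 64
P = 2**2048 - 2**1984 - 1 + 2**64 * (_PI + 124476)
G = 2

def keypair():
    """Fresh private exponent and the public value that is sent on the wire."""
    priv = secrets.randbelow(P - 3) + 2     # 2 <= priv <= P - 2
    return priv, pow(G, priv, P)

def session_key(my_priv, peer_pub):
    """Derive a 32-byte symmetric key from the Diffie-Hellman shared secret."""
    # 0, 1 and P-1 would force a secret that anyone can predict, so reject them.
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid peer public value")
    shared = pow(peer_pub, my_priv, P)      # g^(a*b) mod P on both sides
    raw = shared.to_bytes(256, "big")
    # Constructed label; real TLS runs the secret through its own key schedule.
    return hmac.new(b"demo-https-blog", raw, hashlib.sha256).digest()

def handshake():
    """Run one exchange; return both derived keys and what an observer saw."""
    c_priv, c_pub = keypair()               # client side, never transmitted
    s_priv, s_pub = keypair()               # server side, never transmitted
    wire = {"p": P, "g": G, "client_pub": c_pub, "server_pub": s_pub}
    return session_key(c_priv, s_pub), session_key(s_priv, c_pub), wire

if __name__ == "__main__":
    client_key, server_key, seen = handshake()
    print("keys match:", client_key == server_key)
    print("observer saw only:", sorted(seen))
```

The exchange alone does not tell the client who sent `server_pub`; that is the job of the certificate check described earlier.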

Once the symmetric key is derived, the rest of the job is simple. Whenever data is exchanged between the server and the client, it is encrypted first with the symmetric key and then with the public key of the server before it is sent.

How secure is HTTPS

So, here comes the immediate next question, how secure is HTTPS?

It is pretty secure. Even if someone malicious intercepts the connection or performs a man-in-the-middle attack, he will not be able to decipher the packets.

So, if you search something in Google, the attacker will probably know that you are having some activity in Google Search, but he won't be able to decipher what you are searching there.

So, this was just an informational blog. Stay safe, stay secure!!

1 comment:

  1. With one exception: Google still knows everything you are searching. If you tunnel through ipv6 and you authenticate your clients with your router, you harden the inner connection.
    Furthermore, you have to harden your ssl algos. DHE alone is not secure anymore. Instead of DH/DHE with RSA you should prefer ECDHE_ECDSA with the biggest bits available. You also should take a look at the randomness of your initial bits. Otherwise the rest is not very secure either.

    The ipv6-connection can be improved with openvpn-tunnels. Maybe you find some service with ipv6 optional, then you have end-to-end with an ipv6 from a country of your choice (or of the service you use). vpnbook service is free and quite nice. They used to support also ipv6 connection, but now they refuse it. I dunno why. But still a nice service.

    You can write a script and retrieve the password from the website, they change it from time to time. :-)