What is HTTPS ? Why do we need it and how does it works? What is SSL/ TLS? Today we’ll be covering all the essentials of HTTPS that every developer must know.
As we all know, HTTP is the most common protocol used for the web-based communications. As the data travels over the network through different routers and your ISP server, it is susceptible to threats like MiMT(Man in the Midde Attack) which might lead to eavesdropping or potentially data tampering. The growing needs of moving data securely over the web gave rise to the use of HTTPS.
Most of the websites which involve critical user data communications like Gmail, Twitter, Facebook, shopping and banking websites always makes use of HTTPS protocol. Moreover, nowadays even many blogs and news related websites are all switching to HTTPS.
HTTPS ensures the following needs for secure communications are met :
In HTTPS, the network security is provided by TLS(Transport Layer Security) protocol.HTTPS is often referred to as HTTP over TLS or HTTP over SSL.
Let’s understand SSL and TLS in detail and how they work.
In all your communications about HTTPS protocol, you’ll get to hear a lot about SSL or TLS. Both SSL & TLS are the transport-layer protocols(Actually they are not, but they are thought to be standing at that level in OSI Model) which are used for securing data communications over web. TLS/SSL aims to provide confidentiality and data integrity for network communications. Although, TLS and SSL are the terms used interchangeably, still they are both different. Let’s first look at the differences.
|stands for Secure Sockets Layer(SSL)||stands for Transport Security Layer(TLS)|
|Developed by Netscape and launched in early 90's. SSL 2.0 was launched in 1995 and then SSL 3.0 in 1996.||The TLS was first defined in 1999 as an upgrade of SSL 3.0.
The TLS 1.1 was later defined in 2006 , 1.2 in 2008 and then came TLS 1.3.
|The 2014 POODLE Attack was marked as a SSL's death knell.||TLS can be thought of as a successor of SSL, after the SSL's death.|
|SSL is now prohibited of use by IEFT(Internet Engineering Task Force). If you hear of this term being used, it usually refers to TLS.||TLS is used for HTTPS implementation as of now. If your boss tells you to implement SSL, he might be referring to TLS.|
Each new TLS connection involves a handshake between the server and client.
This completes the handshaking process which is achieved using a Public Key Infrastructure(yet to cover). For the rest of the session, both the client and server use this session-specific shared key for all communications(symmetric communication).
This is a very simple cryptographic algorithm which makes use of a common key for both encryption and decryption of the message digest. The two parties mutually agree to use a common shared secret key for all their communications. The sender encrypts the data using the shared secret key and sends over the network. The receiver on receiving the message decrypts it using the same shared secret key.
In this type of cryptographic framework, both the involved parties has a public and a private key. Public keys may be disseminated widely but the a private key can be thought of as a secret key which should only be owned by the owner and must be protected at all times. Rather, private key and secret key are the two terms used interchangeably.
There are two best known uses of this cryptographic system :
The Public Key Cryptographic systems rely on the algorithmic mathematical problems for which no efficient solution is known till date, thereby making it difficult for the intruder to break-in through the system.
Digital certificates are issued to the users by a CA(Certification Authority). CA acts as a centre of trust to help other users to verify the client’s digital certificate. There are different available CAs which can issue the certificate like VeriSign, Entrust etc.
For you to receive a digital certificate from a CA, you are expected to submit a CSR(Certificate Signing Request) to the concerned authority. CSR is generated using your public key. On completing your identity verification process, the CA signs the certification and issues it to you.
CA holds the right to revoke the certificate at any point of time, in case a user is found guilty.
HTTPS Protocol is a means of having secure communications over web. It can be thought of as HTTP over TLS or HTTP over SSL.
TLS/SSL are the protocols which ensure the data confidentiality and integrity functions are met. It also provides an optional authentication function to verify identity of either a client or a sever or both(usually the identity of least one party, mostly server, is always verified). The authentication process involves use of digital certificates signed by a trusted CA(Certificate Authority).
To receive a digital certificate, a CSR(Certificate Signing Request – generated from the public key) needs to be submitted to the CA. The digital certificate is issued to the user after the identity verification process is completed by the CA.
HTTP uses the TLS/SSL tunnel for the communication which makes use of both symmetric and asymmetric (Public Key Infrastructure) cryptographic algorithms.Firstly, a TLS handshake is performed between the client and server to agree on a cipher suite and a session-specific shared ‘secret key’ using Public-Key Infrastructure. On completion of TLS handshake, the server and client use the same shared secret key(symmetric key) for both encryption and decryption for all remaining communications within that session.