HTTPS basics

HTTPS is a protocol which works in tandem with SSL

HTTPS = HTTP + SSL

New portocol to handle secure data is called SSL: (Secured socket layer)

The data that is sent from the web browser to the server is sent over a network provider. 

It is possible for someone to see the data one might send over the network. If the data is sent is secure such as bank information, its possible for someone to misuse it. 

SSL takes care that the data sent over the internet is secure. 

What is cryptography ?

Cryptography is the science of concealing information so that it can be retrieved by another person using some mathematical logic. 

The actual text to be converted is called plain text and the transformed text is called “encrypted” or "cypher" text. 

The logic applied to transform data is called encryption algorithm. Normally another string often called “keystring” is used by the algorithm. 

The person on the other side needs the algorithm used for encryption and most importantly the keystring.

The key is symmetric if its the same string used for both encryption and decryption. 

Symmetric example: A locks the box using a key called “X” and which is unlocked by another person using the same key “X”. 

Problems with the above approach: 

• We cannot use the same key “X” for all the data. 
• How do we even send this key to a person among millions. 

It is possible to encrypt the data using one key and decrypt them using a different key. 

Key used to encrypt is called public key and 

key used to decrypt is called private key. 

The later approach is called Asymmetric approach. 

The server can distribute public keys to any number of users who wants to send data, while the key used for decryption is called private key and is kept in the server (not shared with any user). 

How it works: 

1. User initiates a https request in the browser. 
2. Browser makes a TCP connection to the server using port 443. 
3. SSL handshake starts: 
1. Browser sends client hello message (SSL version supported by browser, compression method, suite of cyphers it can use, sends random data that can be used for generating the symmetric key for the session). 
1. Server sends back the server hello message (SSL version used by the session, cypher used, compression used and the session id, random data - used for key generation msg). Finally it sends a digital certificate. 
1. The certificate contains the following information (contains public key of the server, browser uses them to encrypt the data sent to the server, chain of authority that used to generate the certificate). 
2. (establishes the identity of the server that sends the data). 
2. Server sends the “SERVER HELLO DONE” message to the browser. 
3. Browser sends “CERTIFY VERIFY” message to the server saying that the browser has verified the CERTIFICATE. 
1. Browser sends the “CHANGE CYPHER SPEC” command (i.e., from now on the data sent over the network to the server from this https session will be ENCRYPTED).
4. Browser sends the finished message. 
5. Server sends the “CHANGE CYPHER SPEC” command (i.e., from now on the data sent over the network to the browser from this https session will be ENCRYPTED).
6. SSL handshake is complete. 
4. Sending Data over the network
1. Browser generates a secret symmetric key used for this SSL session. 
2. Browser encrypts this secret symmetric key using public key sent by the server and sends it to the server. 
3. All the data henceforth will be encrypted and decrypted using this secret symmetric key. 
4. In case of any issues, the SSL connection is terminated and the browser throws an error.