How and why HTTPS is secure [Part 1]

HTTPS is simply the HTTP protocol carried over a connection encrypted with SSL/TLS.

TLS provides encryption, authentication, and integrity.

Let’s understand how.

Encryption

Why?

Why is encryption required in HTTPS?

It is simple: to make the data unreadable to anyone sitting in the middle while keeping it readable to the client and the server.

The client (browser) and the server establish a TCP connection.

How?

How is this encryption set up?

When the TLS connection is first opened:

The client sends a “hello” to the server. This message contains the set of encryption algorithms (cipher suites) it supports and the latest TLS version it can handle. The server responds with its own “hello”, so the browser knows whether the server supports those algorithms and that TLS version.

The server then sends its public key to the client, followed by a “hello done” message.

Why does the server not simply share its public key? Why is a certificate required?

To answer that, we need to ask ourselves the questions below:

How will the client verify that the server is the one it claims to be?

How does it verify that it is talking to google.com and not gooogle.com? What if someone swaps the public key in transit?

This is where TLS authentication, the SSL certificate, comes to the rescue.

I will talk about it in detail in my next article 😁, but for now let's talk about encryption.

The client generates a session key, encrypts it using the server's public key, and sends the encrypted session key to the server.

The server decrypts the session key with its private key.

This is asymmetric encryption.

Wondering how this is even possible, encrypting with one key and decrypting with a different one? Thanks to mathematics.

Now both the client and the server hold the same session key.

The data is then transmitted over a secure bi-directional channel using symmetric encryption, where it is encrypted and decrypted with the session key.

The session key is periodically renegotiated to minimize the amount of data that could be deciphered if the shared key were broken.

Why symmetric encryption?

Because symmetric encryption is fast and cheap, whereas asymmetric encryption is slow and expensive.
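The exchange described above (the client generates a session key and encrypts it under the server's public key, the server recovers it with its private key, and both sides then switch to symmetric encryption), as an added example in Go using only its standard library; this is not code from the original post. RSA-OAEP, AES-256-GCM and an in-process key pair standing in for the certificate are my assumptions, chosen to model the key-transport handshake the post describes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// NewServerKeyPair stands in for the server's long-lived key; in real TLS the public half arrives inside the certificate.
func NewServerKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// ClientKeyExchange: the client picks a fresh 256-bit session key and encrypts
// it under the server's public key (RSA-OAEP); only that ciphertext travels.
func ClientKeyExchange(pub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32)
	rand.Read(sessionKey) // crypto/rand.Read is documented never to fail (Go 1.24+)
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// ServerUnwrap: only the holder of the private key can recover the session key.
func ServerUnwrap(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) { return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil) }

// NewSession: both sides turn the shared key into AES-256-GCM, the symmetric
// (fast) cipher for the data phase; GCM also authenticates every record.
func NewSession(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one application-data record as nonce || ciphertext || tag.
func Seal(s cipher.AEAD, plaintext []byte) []byte {
	nonce := make([]byte, s.NonceSize())
	rand.Read(nonce) // fresh nonce per record; never reuse one under the same key
	return s.Seal(nonce, nonce, plaintext, nil)
}

// Open decrypts and verifies a record; one altered in transit is rejected.
func Open(s cipher.AEAD, record []byte) ([]byte, error) {
	if len(record) < s.NonceSize() {
		return nil, errors.New("truncated record")
	}
	return s.Open(nil, record[:s.NonceSize()], record[s.NonceSize():], nil)
}
```

GCM also delivers the integrity guarantee the post lists for TLS: a record altered in transit fails to decrypt instead of yielding garbage. Current TLS 1.3 derives the session key with ephemeral Diffie-Hellman rather than encrypting it under the server's key, but the symmetric data phase works the same way.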

Are all HTTPS websites secure to use?

NO

HTTPS encryption only protects your data while it is in transit to the website. Once the data reaches the website, it is decrypted, and from that point onward it is up to the website owner what happens to it.

Copyright © 2023 fintechcoddler.blogspot.com

Let's discuss and grow.
You can also let me know what article you want to discuss in the next blog.
