One of the topics I demystified recently was the question of how HTTPS works in general. What happens when you type a URL starting with HTTPS into your browser's address bar?
HTTPS uses SSL (Secure Sockets Layer) encryption for the HTTP protocol, which is where the name HTTPS comes from.
The moment your browser issues an HTTPS request to a remote server, the SSL handshake process is triggered. The idea is that the browser requests that from then on all data sent to the server and received back from it is encrypted, so that no one can tamper with the data during client / server communication.
During the SSL handshake the client exchanges a couple of messages with the server:
- The browser tells the server which encryption algorithms it supports and asks for one of them to be used during the HTTPS session.
- The server responds with details of the SSL algorithm / version it supports and that is available to be used (according to what the client's browser supports).
- The server sends a digitally signed certificate. The certificate is the way for the server to prove it is the one our browser believes it is. It is issued by third-party organizations with the credibility to issue digital certificates.
- The digital certificate contains the server's public key.
- The public key is used for message cryptography (encrypting plain text messages going from browser to server and back).
- The public key is used by clients (in our case the browser) to encrypt their messages when sending to the server.
- To decrypt a message, the server holds its private key (which is stored on the server and is highly secured so that no one has access to it). If someone else got possession of the server's private key, he / she would be able to decrypt secure messages.
- After the browser validates the certificate (decides to trust the server it's connecting to), it creates a symmetric session key that will be used only during the current SSL session. That key is encrypted using the server's public key sent previously, and only the server can decrypt it.
- The purpose of the symmetric encryption key is that it's computationally more efficient to encrypt and decrypt messages using the same key than using asymmetric encryption (the browser encrypts the message using the server's public key, and the server decrypts it using its own private key).
- Once more: the symmetric key is encrypted using the server's public key when it is sent to the server, so even if someone tampers with it, he / she will not be able to decrypt it to get the plain value. Having the plain value would enable decrypting any message sent to / received from the server.
- The entire HTTPS traffic during this session is secured using the symmetric key.
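The session key steps above, as an added Node.js example that is not part of the original post: the browser encrypts a random session key with the server's public key, the server recovers it with its private key, and both sides then protect the traffic with that key. The function names, the choice of RSA-OAEP and AES-256-GCM, and the sample request are assumptions made for illustration; certificate validation and the real SSL message formats are left out.

```javascript
// Added illustration (not from the original post): session key exchange as described above.
const nodeCrypto = require('crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Server: long-term RSA key pair. In HTTPS the public half travels in the certificate.
function makeServerKeys() {
  return nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Browser: create a fresh session key and encrypt it with the server's public key.
function clientCreateSessionKey(serverPublicKey) {
  const sessionKey = nodeCrypto.randomBytes(32); // AES-256 key for this session only
  const wrappedKey = nodeCrypto.publicEncrypt({ key: serverPublicKey, ...OAEP }, sessionKey);
  return { sessionKey, wrappedKey };
}

// Server: only the holder of the private key can recover the session key.
function serverUnwrapSessionKey(serverPrivateKey, wrappedKey) {
  return nodeCrypto.privateDecrypt({ key: serverPrivateKey, ...OAEP }, wrappedKey);
}

// Either side: encrypt application data with the shared session key (AES-256-GCM).
function seal(sessionKey, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, body, tag: cipher.getAuthTag() };
}

// Either side: decrypt and verify; throws if the message was modified in transit.
function unseal(sessionKey, { iv, body, tag }) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', sessionKey, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// One simulated session; the request line is a constructed sample.
function demo() {
  const server = makeServerKeys();
  const { sessionKey, wrappedKey } = clientCreateSessionKey(server.publicKey);
  const serverCopy = serverUnwrapSessionKey(server.privateKey, wrappedKey);
  const request = seal(sessionKey, 'GET /account HTTP/1.1');
  return { keysMatch: serverCopy.equals(sessionKey), received: unseal(serverCopy, request) };
}

console.log(demo());
```

Changing a byte of a sealed message before `unseal` makes it throw, and unwrapping `wrappedKey` with any other private key fails, which is why someone watching the connection gains nothing from the encrypted session key.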
I hope this helps you understand at a high level what happens when your browser wants to communicate securely with a remote server.
Stay tuned for upcoming posts!