Nowadays, many sserver are relying on HTTPS. Along with secure transactions, many web servers are using HTTPS for browsing also.
This raises a question in our mind. Why HTTPS and how is HTTPS more secure than HTTP?
What is HTTPS
When we type URL in the browser, an HTTP request goes to the server and the server responds with appropriate HTML page. Now, HTML is a stateless protocol. This means, everytime the browser wants some data from the server, a new connection is established to the server and the client waits. The server sends response and closes the connection.
If we think about security, HTTP is an unsecure protocol. When data travels between the client and the server, it is unencrypted and as a result, not safe from Man In The Middle Attack. And so, HTTPS was developed.
This HTTPS uses SSL/TLS for security.
So, what does it mean?
That means, all data transferred between the server and client gets encrypted first. First, a TLS connection is established between the server and client and a key is negotiated between them. And then, all data is encrypted with the key and sent over.
How does HTTPS work
So, how does HTTPS work actually?
When a URL is typed in the browser, the server is connected. When a server supports HTTPS, it generates a public-private key pair and keeps the keys with itself. So, whenever a connection is requested to the server, it sends the public key of the key-pair to the client.
The client receives the public key of the server and verifies the authenticuty of the server’s public key with a Certificate Authority. This step is done so that someone malicious cannot forge the public key of the server and send its public key instead.
After the public key is verified, it is time for the server and the client to negotiate a symmetric key using which they can encrypt the data and send over. Using symmeteric key along with encrypting it with the public key of the server ensures more security.
Here, the server and client uses Diffie-Hellman Key Exchange Algorithm to make sure a symmetric key is negotiated between the server and client, yet the key itself is never communicated directly between them. Instead, some mathematical formula is used between them to derive the key.
Once the symmetric key is derived, next the job is simple. Whenever any data communicates between the server and the client, the data is encrypted first with the symmetric key and then with the public key of the server and then communicates between them.
How secure is HTTPS
So, here comes the immediate next question, how secure is HTTPS?
It is pretty secure. Even if somene malicious intercepts the connection or performs Man In The Middle Attack, he will not be able to decipher the packets.
So, if you search something in Google, the attacker will probably know that you are having some activity in Google Search, but he won’t be able to decipher what you are searching there.
So, this was just an informational blog. Stay safe, stay secure!!