A Guide to HTTP and HTTPS

Kieron Spearing
4 min read · Jan 15, 2022

Have you ever wondered what is going on underneath the hood as you use the internet?

[Image: laptop with green Matrix-style characters. Photo by Markus Spiske on Unsplash]

Have you ever wondered how the internet actually works, and what is happening as you interact with websites?

If you are anything like me, you always get this constant itch as you learn something new. I find that as I learn something I tend to get frustrated until I understand the inner workings of it.

Why is this? I am not sure, but I guess it just helps me satisfy the burning curiosity I feel constantly.

In this post I will explain what HTTP is and how it differs from HTTPS, and share what I found when I looked at the handshake at a lower level, to show how this technology keeps the internet flowing.

What are HTTP and HTTPS?

At the most basic level, what happens as you interact with a web page is that the browser, also referred to as the client, sends requests to the server using HTTP request methods (GET, POST and so on), each of which asks the server to perform a particular action.

HTTP is the abbreviation for Hypertext Transfer Protocol. It is the main method by which web pages and the resources they use are transferred over the internet. The data is stored on servers and is served to the client as the user requests it via HTTP request methods.

There is, however, a big issue with a plain HTTP connection: the data being transferred is not encrypted, and nothing proves that it came from the server you think it came from or that it was not altered on the way. Anyone on the path, whether on the same Wi-Fi network or at an ISP, can read or modify it, so it is not suitable for sensitive information.

That is where HTTPS comes into the equation.

HTTPS is the abbreviation for Hypertext Transfer Protocol Secure. It functions the same way as HTTP, with the difference that the HTTP traffic is carried inside a TLS connection: the server presents a certificate (still commonly called an SSL certificate) and a TLS handshake sets up the encryption before any HTTP data is exchanged.

How does HTTPS work and why is it more secure than HTTP?

Essentially, the main reason HTTPS is more secure than HTTP is that it uses a TLS handshake, TLS being the successor of SSL, to secure the connection.

SSL is the abbreviation for Secure Sockets Layer. It was the original encryption protocol developed to secure HTTP: it created an encrypted connection between the client and the server so that data could be transferred securely. All versions of SSL are now deprecated because of known weaknesses, and the name survives mainly in the phrase "SSL certificate".

TLS is the abbreviation for Transport Layer Security. A TLS handshake takes place whenever a user navigates to a website over HTTPS, right after the browser opens the TCP connection to the website's origin server and before any HTTP request is sent.

Essentially, during a TLS handshake the client and server agree on the protocol version and cipher suite (the encryption and authentication algorithms to use) and establish shared session keys. Once the handshake completes, all subsequent communication in the session is encrypted with those keys.

The Steps of a TLS handshake

During a TLS handshake the client and server exchange the information needed to set up symmetric encryption. The exact steps vary with the key exchange algorithm; the sequence below is the RSA key exchange of TLS 1.2 and earlier, which is the easiest to follow. (TLS 1.3 uses an ephemeral Diffie-Hellman key exchange instead, so the premaster secret of step 4 is never sent over the wire, encrypted or otherwise.) The general process is:

  1. The client hello message. This includes details of what the client supports, i.e. the TLS versions and cipher suites it can use. It also includes a random string of bytes, known as the client random.
  2. The server hello message. This contains the server's chosen TLS version and cipher suite and another random string of bytes, known as the server random. The server then sends its certificate (still commonly called an SSL certificate), which carries its public key.
  3. Authentication. The client verifies the server's certificate: it checks that the certificate chains through valid signatures up to a certificate authority (CA) root that the browser already trusts, that it has not expired, and that the name in it matches the hostname being visited. The browser does not contact the CA for this; the CA's root certificate is already installed locally, and revocation status is checked separately, if at all.
  4. The premaster secret. The client then sends one more random string of bytes, known as the premaster secret. It is encrypted with the public key taken from the server's certificate and can only be decrypted with the server's private key.
  5. The decryption of the premaster secret. The server decrypts the premaster secret with its private key. Being able to do so is what proves that the server actually holds the key belonging to the certificate.
  6. Creation of session keys. Both the client and the server now derive the session keys from the client random, the server random and the premaster secret. Because both sides feed the same inputs into the same key derivation function, they arrive at the same keys without those keys ever crossing the wire.
  7. The client is ready. The client sends a Finished message, encrypted with the new session keys, that contains a hash of every handshake message exchanged so far.
  8. The server is ready. The server checks that hash against its own record of the handshake and replies with its own Finished message, also encrypted with the session keys. A mismatch means someone tampered with the negotiation, and the handshake is aborted.
  9. Secure symmetric encryption complete. The handshake is now finished and all further communication, including the HTTP requests and responses, is encrypted with the session keys.
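To make steps 6 to 8 concrete, here is an added example (written for this post, not code from the original article) that runs both sides of the key derivation in Python using only the standard library. It implements the TLS 1.2 pseudo-random function from RFC 5246 (HMAC-SHA256), derives the 48-byte master secret from the client random, server random and premaster secret, expands it into the per-direction keys for an AES-128-GCM suite, and computes and checks the Finished values over a handshake transcript. The RSA encryption of the premaster secret (steps 4 and 5) is not reproduced; the premaster is assumed to have already been delivered and is passed in as a constructed value, as are the randoms and the transcript bytes, and the cipher suite names are the standard TLS 1.2 names.

```python
"""Added example for this article: the key-derivation half of a TLS 1.2
RSA-key-exchange handshake (RFC 5246), run on both sides to show that the
client and server independently derive the same master secret, the same
session keys and matching Finished values. Premaster, randoms and
transcript are constructed inputs, not captured traffic."""
import hashlib
import hmac
import os


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion (RFC 5246, section 5)."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Step 6: the 48-byte master secret (RFC 5246, section 8.1)."""
    return prf(premaster, b"master secret", client_random + server_random, 48)


def session_keys(master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Step 6: expand the master secret into per-direction keys for
    TLS_RSA_WITH_AES_128_GCM_SHA256 (RFC 5246, section 6.3). AEAD suites have
    no MAC keys, just a 16-byte write key and a 4-byte implicit nonce each way.
    Note that the seed order flips to server_random + client_random here."""
    block = prf(master, b"key expansion", server_random + client_random, 40)
    return {
        "client_write_key": block[0:16],
        "server_write_key": block[16:32],
        "client_write_iv": block[32:36],
        "server_write_iv": block[36:40],
    }


def finished_verify_data(master: bytes, label: bytes, transcript: bytes) -> bytes:
    """Steps 7-8: verify_data = PRF(master, label, Hash(handshake_messages))[:12]
    (RFC 5246, section 7.4.9). Binding the Finished value to the whole
    transcript is what lets either side detect a tampered negotiation."""
    return prf(master, label, hashlib.sha256(transcript).digest(), 12)


def choose_cipher_suite(client_offered: list, server_preference: list) -> str:
    """Steps 1-2: the server picks the first suite in its own preference order
    that the client also offered; no overlap means the handshake fails."""
    for suite in server_preference:
        if suite in client_offered:
            return suite
    raise ValueError("no common cipher suite: handshake_failure alert")


def simulate_handshake(premaster: bytes, client_random: bytes,
                       server_random: bytes, transcript: bytes) -> dict:
    """Run steps 6-8 on both sides and report whether they agree."""
    # Each side holds the same three inputs and must derive identical keys.
    client_ms = master_secret(premaster, client_random, server_random)
    server_ms = master_secret(premaster, client_random, server_random)
    client_keys = session_keys(client_ms, client_random, server_random)
    server_keys = session_keys(server_ms, client_random, server_random)

    # Step 7: client sends Finished; the server recomputes it over its own
    # copy of the transcript and compares in constant time.
    client_finished = finished_verify_data(client_ms, b"client finished", transcript)
    server_expects = finished_verify_data(server_ms, b"client finished", transcript)
    client_ok = hmac.compare_digest(client_finished, server_expects)

    # Step 8: the server's Finished also covers the client's Finished message.
    transcript += client_finished
    server_finished = finished_verify_data(server_ms, b"server finished", transcript)
    client_expects = finished_verify_data(client_ms, b"server finished", transcript)
    server_ok = hmac.compare_digest(server_finished, client_expects)

    return {
        "keys_agree": client_ms == server_ms and client_keys == server_keys,
        "client_finished_ok": client_ok,
        "server_finished_ok": server_ok,
        "master_secret": client_ms,
        "keys": client_keys,
    }


if __name__ == "__main__":
    # Constructed stand-ins for the real handshake values.
    client_random = os.urandom(32)
    server_random = os.urandom(32)
    premaster = b"\x03\x03" + os.urandom(46)  # RSA premaster: version bytes + 46 random bytes
    suite = choose_cipher_suite(
        ["TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"],
        ["TLS_RSA_WITH_AES_128_GCM_SHA256"],
    )
    transcript = b"ClientHello|ServerHello:" + suite.encode() + b"|Certificate|ClientKeyExchange"
    result = simulate_handshake(premaster, client_random, server_random, transcript)
    print("cipher suite:", suite)
    print("master secret:", result["master_secret"].hex())
    print("both sides agree:", result["keys_agree"], result["client_finished_ok"], result["server_finished_ok"])
```

Two details worth noticing: the session keys never appear in any message, only the three inputs do, and the Finished values depend on the hash of the whole transcript, so an attacker who alters the cipher suite list in flight produces a Finished mismatch on the other side even though he never learned a key.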

During the entire process the most critical step is authentication, where the client verifies the certificate to confirm the identity of the owner of the web server. Without it, the encryption set up in the later steps would protect the connection against passive eavesdropping but not against an attacker who sits in the middle and presents a key of his own.

In the end, the result of this process is that the client and the server share an encrypted connection over which they can pass data securely. The session keys are derived from contributions of both parties (the client random, the server random and the premaster secret), so an eavesdropper who captures the handshake but does not hold the server's private key cannot recover them.

Having learned all of this, it is easy to understand why it has become common to see websites using HTTPS instead of HTTP, and why users tend to place more trust in a web server using HTTPS. Note, though, that the padlock only means the connection to that domain is authenticated and encrypted; it says nothing about whether the site itself is trustworthy.


Kieron Spearing

I am a Full-Stack Developer at StyleSage and a food enthusiast, with 2 years of experience in technology and 7 years of experience working in Michelin Star restaurants.