Hypertext Transfer Protocol (HTTP)

  • Used for viewing webpages on the internet
  • All information is sent in clear text, so anyone who can intercept the traffic can read it

Secure Hypertext Transfer Protocol (HTTPS)

  • HTTP with a security feature
  • Encrypts the data carried by HTTP, so it cannot be read by anyone without the key
  • Does this with encryption algorithms that scramble the data in transit
  • Does this with either SSL or TLS
  • Most websites use HTTPS by default

Secure Sockets Layer (SSL)

  • Protocol used to ensure security on the internet
  • Uses public key encryption

How it works

  • When a computer connects to a website using SSL, the browser will ask the website to identify itself
  • The server then sends a copy of the SSL certificate (small digital certificate used to authenticate the identity of the website)
  • If the client trusts the SSL certificate, it will then send a message to the server which the server will acknowledge
  • Encrypted data can now be exchanged

Transport Layer Security (TLS)

  • Successor to SSL
  • Latest industry standard cryptographic protocol
  • Authenticates the server and the client, and encrypts the data, similar to SSL

HTTPS illustrated

  • Without HTTPS, communication between browser and server is in plaintext
    • Bad for sending passwords and other important information
  • HTTPS solves this by encrypting the data sent, making it unreadable by anyone other than the sender and receiver
  • Extension of HTTP
  • Data is sent in encrypted form using TLS (Transport Layer Security)
    • If the data is intercepted, all the interceptor sees is ciphertext

TLS handshake (TLS 1.2)

Steps:

  1. TCP Handshake: Browser establishes a TCP connection with the server
  2. Certificate check: TLS handshake begins here:
    1. The browser sends a Client Hello to the server, telling the server:
      1. Which TLS versions it supports
      2. Which cipher suites it supports (a cipher suite is the set of encryption algorithms used to protect the data)
    2. The server chooses a cipher suite and TLS version, and sends them back in a Server Hello message
    3. The server then sends its certificate to the client, which contains a lot of information, most importantly the server's public key
      1. Used for asymmetric encryption: data encrypted with the public key can only be decrypted with the private key
    4. Server Hello Done
  3. Key exchange: the client and server come up with the shared encryption key used to encrypt the data
    1. Client Key Exchange, Change Cipher Spec, etc.
    2. Depends on the cipher suite chosen
    3. E.g. RSA: the client generates an encryption key called the session key, encrypts it with the server's public key, and sends it to the server; the server decrypts the session key with its private key
  4. Data transmission: the session key and cipher suite are used to send encrypted data back and forth over a secure bi-directional channel
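As an added illustration of step 2 (not part of the original notes): a small Python parser for the Client Hello, which reads the TLS version and cipher suites a client offers from the raw record bytes and flags the suites that use RSA key exchange. The sample record is constructed by the helper in the script; the cipher-suite code points are IANA registry values.

```python
import struct

# Small subset of cipher-suite code points from the IANA TLS registry.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def build_client_hello(version, suites, client_random):
    """Serialise a minimal ClientHello (no extensions) inside a TLS record.
    Only used here to construct sample input for the parser."""
    body = struct.pack("!H", version) + client_random + b"\x00"  # version, 32-byte random, empty session id
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(suite_bytes)) + suite_bytes   # cipher_suites vector
    body += b"\x01\x00"                                           # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello = 1
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 0x16 = handshake


def parse_client_hello(record):
    """Return the version and cipher suites a ClientHello offers, validating the framing first."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    if struct.unpack("!H", record[3:5])[0] != len(record) - 5:
        raise ValueError("record length mismatch")
    if record[5] != 0x01:
        raise ValueError("not a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    if len(body) != int.from_bytes(record[6:9], "big"):
        raise ValueError("truncated handshake")
    version = struct.unpack("!H", body[:2])[0]
    pos = 34                                   # skip 2-byte version + 32-byte random
    pos += 1 + body[pos]                       # skip session id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    return {"version": VERSIONS.get(version, hex(version)), "cipher_suites": suites}


def suites_without_forward_secrecy(suites):
    """Flag offered suites that use RSA key exchange: a leaked server private key decrypts
    recorded sessions, which is why TLS 1.3 dropped them."""
    return [CIPHER_SUITES[s] for s in suites if CIPHER_SUITES.get(s, "").startswith("TLS_RSA_")]


# Constructed sample: a TLS 1.2 ClientHello offering two ECDHE suites and two RSA suites.
SAMPLE_HELLO = build_client_hello(0x0303, [0xC02F, 0xC030, 0x002F, 0x0035], bytes(range(32)))

if __name__ == "__main__":
    hello = parse_client_hello(SAMPLE_HELLO)
    print(hello["version"], [CIPHER_SUITES.get(s, hex(s)) for s in hello["cipher_suites"]])
    print("no forward secrecy:", suites_without_forward_secrecy(hello["cipher_suites"]))
```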

TLS 1.3

  • TLS 1.2 takes 2 round trips to complete the handshake, but TLS 1.3 optimises it to 1 round trip
  • RSA is no longer supported for key exchange; instead Diffie-Hellman is used