DEV Community

Prashant Pandey

How http became the https that we know today

The only difference one can notice between http and https just by looking at the words is the letter s, but this letter s has quite a big story of its own. The s in https adds security to the http protocol, which was previously unencrypted, and this is easy to see once you know what the two acronyms stand for.

http -> Hypertext Transfer Protocol
https -> Hypertext Transfer Protocol Secure

This all started around the beginning of the 1990s, when researchers at Netscape felt the need to secure, or more precisely to encrypt, the requests that were sent across oceans and continents over the Internet, jumping from one router to another and flowing through cables under the ocean, between computers (at that time the World Wide Web consisted mainly of computers, unlike today, when we even have refrigerators connected to the internet), naked to anyone who could intercept them. But before they could start working on some kind of encryption layer or model, they first had to decide where the data would be encrypted. They had two options. They could encrypt some critical data of an http request and then send it over TCP, in which case the encryption model would be tied solely to http; but the internet does not consist solely of http requests, there are other protocols used to send data. Or they could encrypt the IP packets, in which case there would be the problem of configuring routers so that they could still understand those packets once encrypted. So the researchers decided that they wanted this encryption model to work with any other protocol, not only with http, and for that reason they placed it between the http and TCP layers: the whole http request is first encrypted and only then sent over TCP.

The very first version of the security protocol developed to secure http was SSL 1.0 (Secure Socket Layer 1.0), developed by the researchers at Netscape. This version, SSL 1.0, was never made public; it was only used internally at Netscape, and it had many security flaws.

In 1995 SSL 2.0 was published. This version also had some serious security flaws: it used the TCP FIN/ACK packet to indicate the end of data, which could easily be forged by an attacker; it had no protection for the SSL handshake performed before the computers start sending encrypted data, which meant that a man-in-the-middle attack could be carried out; and there were other flaws in addition to these.

After the release of SSL 2.0, Microsoft tried to step into the picture by releasing its own security protocol, PCT (Private Communication Technology). It was quite similar to SSL 2.0 but with some of the security flaws taken care of.

In 1996 SSL 3.0 was published by Netscape. This version was better than 2.0, as it had SHA-1 based ciphers and the added security of certificate verification. SSL 3.0 was the last Secure Socket Layer version published, because after this the protocol was renamed Transport Layer Security. So SSL and TLS aren't different protocols; they are the same protocol under a new name.

SSL 3.0 had some features incorporated from PCT in addition to those of SSL 2.0. The IETF (Internet Engineering Task Force) decided that instead of coming up with different ideas to handle the same issue, the parties should work together, and that is how TLS was born.

It was not until 1999 that TLS 1.0 was published. There were no drastic changes between SSL 3.0 and TLS 1.0; TLS 1.0 can be thought of as SSL 3.1.

All the SSL versions were developed by Netscape and made public.

Tim Dierks later wrote that these changes, and the renaming from "SSL" to "TLS", were a face-saving gesture to Microsoft, "so it wouldn't look [like] the IETF was just rubberstamping Netscape's protocol".

Source: Wikipedia

After TLS 1.0 there were three further versions of TLS, 1.1, 1.2 and 1.3, published in 2006, 2008 and 2018 respectively, each with enhanced security features that removed the flaws of its predecessor.

All the versions of SSL, along with TLS 1.0, 1.1 and 1.2, have been deprecated because of serious security flaws found in them, or because they were prone to attacks that can't be prevented with the ciphers they use.
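As an added example, not part of the original post, tying the layering described earlier to the version deprecations just mentioned: a small parser for the first TLS record a client sends over TCP, the ClientHello, which is the unencrypted start of the handshake that precedes any http request. It reports the protocol versions the client offers and flags the ones the IETF has formally deprecated (SSL 3.0 in RFC 7568, TLS 1.0 and 1.1 in RFC 8996); the sample ClientHello bytes are constructed by build_client_hello, and the two cipher suite values and the random bytes in it are arbitrary.

```python
import struct

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# Versions the IETF has formally deprecated: SSL 3.0 (RFC 7568), TLS 1.0 and 1.1 (RFC 8996).
IETF_DEPRECATED = {0x0300, 0x0301, 0x0302}
SUPPORTED_VERSIONS_EXT = 0x002B   # extension in which TLS 1.3 clients list the versions they offer


def parse_client_hello(record):
    """Parse one TLS record carrying a ClientHello; report the versions the client offers."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])   # 5-byte record header
    if ctype != 0x16:                                             # 0x16 = handshake content type
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 0x01:                                           # 0x01 = ClientHello
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]        # 4-byte handshake header
    legacy_version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                                                  # skip client_version + random
    pos += 1 + hello[pos]                                         # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]         # cipher_suites
    pos += 1 + hello[pos]                                         # compression_methods
    offered = [legacy_version]          # pre-1.3 clients announce only this one field
    if pos < len(hello):                # extensions are optional before TLS 1.3
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            edata = hello[pos + 4:pos + 4 + elen]
            if etype == SUPPORTED_VERSIONS_EXT:   # first byte is the list length, then 2-byte versions
                offered = [struct.unpack("!H", edata[i:i + 2])[0] for i in range(1, 1 + edata[0], 2)]
            pos += 4 + elen
    return {"record_version": VERSION_NAMES.get(rec_ver, hex(rec_ver)),
            "offered": [VERSION_NAMES.get(v, hex(v)) for v in offered],
            "deprecated_offered": [VERSION_NAMES[v] for v in offered if v in IETF_DEPRECATED]}


def build_client_hello(versions, legacy_version=0x0303):
    """Construct a minimal ClientHello (constructed sample input for the parser, not a real capture)."""
    body = struct.pack("!H", legacy_version) + b"\x11" * 32 + b"\x00"   # version, random, empty session_id
    body += b"\x00\x04\x13\x01\xc0\x2f" + b"\x01\x00"                    # two cipher suites, null compression
    if versions:                        # TLS 1.3 style: list versions in supported_versions
        vlist = b"".join(struct.pack("!H", v) for v in versions)
        ext = struct.pack("!HHB", SUPPORTED_VERSIONS_EXT, len(vlist) + 1, len(vlist)) + vlist
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0301, len(handshake)) + handshake  # record-layer version stays TLS 1.0
```

Run over the first record of each connection from a capture or a listening socket, it shows which clients would still negotiate a legacy version if the server let them.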

So https is what it is because of the TLS layer that stands between http and TCP; remove TLS and there is no difference between them.
