DEV Community

Karthik Raja
Karthik Raja

Posted on • Originally published at

How HTTPS is secure?

We saw what is HTTP in another post. So now we will see
how HTTPS works.

What is HTTPS?

HTTPS means Hyper Text Transfer Protocol Secure.

Why do we need HTTPS?

To transfer data to a server securely.

Let's say you are sending some money to Alice. You are entering Alice's account number and amount in the bank website's form and clicking submit button. But what if someone who is connected to your network intercepts your request and changes Alice's account number to their account number.
Well, you will lose money if the bank's website does not have HTTPS protocol.

This type of attack is called a middle man attack. In order to prevent this type of attack, we should encrypt our data and send it to the server. The server will then decrypt data and then use it.
This encryption, decryption, and protection integrity of your data is handled by HTTPS.

How does HTTPS protect your data?

HTTPS uses Transport Layer Security (TLS) protocol to send data securely to the server.

Factoid: Transport Layer Security is the successor protocol to SSL (Secure Sockets Layer).
SSL is now obsolete and TLS is the new name for SSL protocol. Almost all websites that use
HTTPS uses TLS but everyone knows/says it is SSL.

Enter fullscreen mode Exit fullscreen mode

Initially, the browser sends a handshake message to the server which contains data like the TLS version the browser supports, which cryptographic algorithm and a secret message called "client random".

Upon receiving the handshake server will send back an acknowledgment along with a digital certificate and random secret called "server random". This digital certificate contains a public key, which can be used to encrypt the messages sent to the server.

Once the client receives the digital certificate containing the public key, it will then send a secret key(premaster_secret) which is encrypted using the public key from digital certificate. Then server uses its private key to decrypt the message and will retrieve the secret. By using this client random, server random, and premaster_secret both server and client can create a secret called master secret. With this Handshake is complete. Now we have a secure secret key.

Now the form data which is sent to the server is encrypted using the master key. This master key is only known to the browser and the server. So middle man cannot decrypt your data without the secret.

Top comments (0)