Understanding HTTPS

Shardul Pathak — Sun, 11 Jul 2021 09:21:11 +0000

In this post, we are going to deep dive into HTTPS.

This post contains the following points:

Overview of HTTP
Overview of HTTPS
How HTTPS connection is achieved

HTTP

It is a protocol from the application layer used for the transfer of hypertext, image, videos, etc from client to server.
During client-server communication, the data travels from several devices which are called proxies.

Before a client and server can exchange an HTTP request/response pair, they must establish a TCP connection, a process that requires several round-trips.

After successful connection client can send requests to & read responses from the server. Then it can reuse the connection or can close it.

HTTPS

HTTPS is just a secure HTTP connection between client & server needed to achieve 3 main goals:

Privacy: Only you can see your data.
Integrity: There is no tampering of data while transfer from client to server.
Identification: The website we are visiting is actually that rather than any other proxy.

How HTTPS connection is achieved

To make the connection secure SSL/TLS security gets added to the previous HTTP stack.

To transfer data between any two entities securely on the internet it should be encrypted using some encryption technique. Cryptographic algorithms are used to make such encryption.
Let's talk about the two types of encryption algorithms.

Secret key cryptography: Anyone having this key can either encrypt or decrypt the data.Where Ciphertext is encrypted data.
Public-Private key cryptography: public key has the ability to only encrypt the message & only the private key can decrypt it.

Secret key cryptography can't be used directly for communication on the internet. But Public-Private key cryptography is computationally costly than its counterparts in secret-key cryptography.

Also there is one more caveat, anyone in between client and server such as proxy servers as shown above can pretend that they are the actual server.
For ex: If you made a request to google.com from a browser and the device in between can pretend that they are actually google and send you a response and maintaining connection from their own end to google server. This is called a middle man attack.

To prevent that there are third-party Certification Authorities present. A root store is basically a database of trusted CAs which is preinstalled on each browser.

Let's take a walkthrough of how HTTPS achieved:

Browser sends a list of SSL/TLS versions and encryption algorithms that it can work with a server of that site.
Server chooses the best algorithm generates public and private keys.
Then server reaches to CA and gives it's public key to get CA signed Public key certificate.
Sends this certificate to the client in response. The client verifies that this response is from a valid source by decrypting the signature present in the signed certificate.
If valid then it generates the pre-master key and sends it to the server encrypting with the public key sent in a previous response.
On server, it decrypts data using the private key present.
Now they both generate the same 'shared secret' that they are going to use as a symmetric key to encrypt and decrypt data.
This is called a TLS handshake.

Well, this is how both secret-key & public-private key cryptography are used in combination to achieve HTTPS connection.

Cross Origin Resource Sharing

Shardul Pathak — Tue, 17 Nov 2020 17:44:28 +0000

What is CORS?

Simply CORS is fetching resources from other application having a different origin than the client-side.

Who applies CORS?

Applying a CORS restriction is a security feature defined by a server and implemented by a browser.

How to know we are making a cross-origin-request?

First, we have to know what origin comprises of.

So when we make a request to an origin which differs in any of the above mentioned parameters then it is CORS.

So how it works:

So when any application having endpoint https://example.com makes a request to a https://example-server.com browser embeds

in the request.

When the server receives a request & if it wants to share its resources then it will add

Along with that server also adds another field response.type of cors or opaque which can be useful to know if you don't have control over server side api.
If a request is made for a resource on another origin which returns the CORS headers, then the type is cors.
Opaque response is for a request made for a resource on a different origin that doesn't return CORS headers.
When the browser receives a response if it finds the relevant Access-Control-Allow-Origin header, the browser allows the response data to be shared with the client site.

Thanks.