HTTPS stands for hyper text transfer protocol secure.It is a protocol used by the application layer in TCP/IP model.
Before getting to know more about https let's quickly get know what is http.
Http too is a protocol which is used to transfer hypertext over the web.For example when we load our browser and searches something a GET request is sent by the browser to the server. Then the server responds to this request and the client sees the result. The problem with this is that the request is sent in plain text format.So the communication channel is not secure.Due to this reason https was made secure and the secure version is called https .It is the secure version of http.
Its uses protocols such us SSL/TLS to encrypt the data that is being sent.So even if someone interrupts the data they wouldn't be able to see any sensitive data.
They could only see the encrypt text.
Https uses both symmetric and asymmetric encryption for data communication.
This system uses two keys to encrypt data communication between 2 parties
The first key is called public key and is known by both the browser and the web server.This key is used to encrypt the data that is being sent.The public key is shared between the server and the browser when a new session is created.For decrypting this data we need the the second key or the private key.Unlike the public key the private key is only known by the web server.This key is used by the sever to decrypt the message.In this way the data is well secured and without the knowledge of the private key the data couldn't be decrypted.Thus a secure communications is established.Https is not a seperate protocol from http.It simply uses TLS encryption over the http network.The process of TLS involves a process called TLS handshake.
It involves a series of message passing between the browser and the server.
This is done in order to verify the server's licence and also to agree upon the session key which is needed for communication.
The first step involves the client browser sending a "client hello" message to the browser.
The message contains the TLS version supported by the client,the cipher suits supported by the client and also the compression algorithms supported by the client.
The server then responds back with the "server hello" message.It contains the cipher suit preferred by the server and other bytes of data.The server also sends its digital certificate
Then the client verifies the certificate sent by the the server .The certificate also contains the public key.Then a pre-master key is sent by the client.It is encrypted using the public key.The pre-master key contains details on generating the session key that is to be used for communication.
Upon receiving the message the server uses the private key to decrypt the pre-master key.Then both the client and server generates the session key using this pre-master key.Then onwards this session key is used for communication till the session ends.
After generating the session key the client sends a "finished" message that is encrypted using this session key.
Then the server sends a "finished" message encrypted with the session key.
By this the TLS handshake procedure is completed and both the client and server uses this key for communication until the session is terminated.
This is how the messages that we sent through https are encrypted and secure.
This makes HTTPS highly secure and can be used to communicate highly confidential data such as credit card information,bank details etc..
So why do we need https...?
Because HTTPS ensures encryption,authorization and data integrity between the client and the server.In the current era information and data is very much valuable.Confidential data is being sent through the internet.So it is essential to ensure that this data is sent securely and it is not lost.Also the data sent by the client should reach the correct destination.
Https ensures all this.