Hypertext Transfer Protocol (HTTP) is a protocol in which communication happens in clear text. To ensure authenticity, confidentiality and integrity of messages, Netscape designed the HTTPS protocol. Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol (HTTP) with the SSL (Secure Sockets Layer)/TLS (Transport Layer Security) protocol. It provides encrypted communication and secure identification of a network web server.
HTTPS encrypts and decrypts the page requests and page information exchanged between the client browser and the web server using the Secure Sockets Layer (SSL). HTTPS uses port 443 by default, as opposed to the standard HTTP port of 80. URLs beginning with https:// indicate that the connection between the browser and the server is encrypted using SSL.
SSL works at the transport layer of Transmission Control Protocol/Internet Protocol (TCP/IP), which makes the protocol independent of the application layer protocol functioning on top of it. SSL is an open standard protocol and is supported by a range of both servers and clients.
SSL works in three phases:
- Authentication – verifies that the server is who it claims to be.
- Encryption – the key exchange creates a secure tunnel so that an unauthorized party cannot make sense of the data.
- Integrity – ensures that an unauthorized system cannot modify the encrypted data.
The SSL handshake uses both asymmetric and symmetric encryption. Asymmetric encryption is used to share the session key, and a symmetric-key algorithm is used for data encryption. Asymmetric encryption has a lot of overhead, so it is not feasible to use it for the entire session.
The client first requests an HTTPS session from the server; the server then sends back its certificate, which has the server's public key embedded in it. Only the server has access to the corresponding private key, no one else.
Now the client authenticates the certificate against its list of known root CAs (if the CA is unknown or the certificate is self-signed, the browser gives the user the option to accept the certificate at the user's own risk). The client then creates a session key that only it knows, encrypts it with the public key received from the server, and sends it across the internet to the server. The server decrypts the session key with its private key. Now both the server and the client know the session key.
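How a client performs the certificate check described above, shown as an added Python example using the standard library's ssl module (this is not code from the original page). The secure context validates the server's chain against the platform's root CA store and checks the hostname; the verify=False branch reproduces the "accept at your own risk" choice only so the difference is visible in the audit output. The hostname example.com in the usage note is a placeholder.

```python
import socket
import ssl


def client_context(verify: bool = True) -> ssl.SSLContext:
    """Build a TLS client context.

    verify=True is what a browser does: the server's certificate chain must
    validate against the trusted root CAs and must match the hostname.
    verify=False mirrors the 'accept at your own risk' option from the text.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3 / TLS 1.0 / TLS 1.1
    if not verify:
        ctx.check_hostname = False                  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE             # chain is no longer authenticated
    return ctx


def context_audit(ctx: ssl.SSLContext) -> dict:
    """The three settings an engineer checks before shipping a client config."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "minimum_tls": ctx.minimum_version.name,
    }


def fetch_peer_certificate(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with full verification, complete the handshake and return the
    validated certificate's subject, issuer and negotiated protocol.
    This performs a network call; the offline checks below do not use it."""
    ctx = client_context(verify=True)
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()                # raises if the chain fails to verify
            protocol = tls.version()
    return {"subject": cert.get("subject"), "issuer": cert.get("issuer"),
            "protocol": protocol}


if __name__ == "__main__":
    print("secure:", context_audit(client_context()))
    print("weak:  ", context_audit(client_context(verify=False)))
    # print(fetch_peer_certificate("example.com"))  # placeholder host; needs network
```

If `getpeercert()` returns an empty dict, the context was created with `CERT_NONE` and nothing about the server was authenticated; that is the configuration `context_audit` flags with `verifies_chain: False`.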
Once the SSL handshake is completed and the session key has been exchanged using asymmetric encryption, the rest of the session is encrypted with the symmetric session key.
Symmetric encryption is used for the session data because it is quicker and uses fewer resources.
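The three phases listed earlier and the handshake just described, reduced to a working toy in Python. This is an added example, not the page's own code and not real TLS: the RSA keys are tiny textbook ones generated from constructed seeds and the stream cipher is built from HMAC-SHA256, so it only shows the shape of the exchange (a certificate signed by a known root CA, a client-chosen session key wrapped with the server's public key, then symmetric encryption with an integrity tag for the data). The names "Toy Root CA" and server.example are constructed.

```python
import hashlib
import hmac
import math
import secrets


# ---- Toy RSA (textbook, tiny moduli) to show the handshake's shape ----
def next_prime(n: int) -> int:
    """Smallest prime >= n by trial division; fine for the toy sizes used here."""
    def is_prime(k: int) -> bool:
        if k < 2:
            return False
        if k % 2 == 0:
            return k == 2
        i = 3
        while i * i <= k:
            if k % i == 0:
                return False
            i += 2
        return True
    while not is_prime(n):
        n += 1
    return n


def rsa_keypair(p_seed: int, q_seed: int, e: int = 65537):
    """Return ((n, e), (n, d)) from two prime-search seeds."""
    p, q = next_prime(p_seed), next_prime(q_seed)
    while p == q or math.gcd(e, (p - 1) * (q - 1)) != 1:
        q = next_prime(q + 1)                       # next prime until e is invertible
    d = pow(e, -1, (p - 1) * (q - 1))
    return (p * q, e), (p * q, d)


# ---- Phase 1: authentication. The certificate binds the server's public key to
# its name and carries a signature from a CA the client already trusts. ----
def _fingerprint(pub, modulus: int) -> int:
    n, e = pub
    return int.from_bytes(hashlib.sha256(f"{n}:{e}".encode()).digest(), "big") % modulus


def issue_certificate(subject: str, server_pub, issuer: str, ca_priv) -> dict:
    ca_n, ca_d = ca_priv
    sig = pow(_fingerprint(server_pub, ca_n), ca_d, ca_n)   # CA signs the key fingerprint
    return {"subject": subject, "pub": server_pub, "issuer": issuer, "sig": sig}


def verify_certificate(cert: dict, trusted_roots: dict) -> bool:
    """Client-side check against the list of known root CAs."""
    ca_pub = trusted_roots.get(cert["issuer"])
    if ca_pub is None:
        return False                                # unknown or self-signed issuer
    ca_n, ca_e = ca_pub
    return pow(cert["sig"], ca_e, ca_n) == _fingerprint(cert["pub"], ca_n)


# ---- Phase 2: key exchange. The client chooses the session key and encrypts it
# with the server's public key; only the private-key holder can recover it. ----
def wrap_session_key(session_key: int, server_pub) -> int:
    n, e = server_pub
    assert 0 < session_key < n                      # textbook RSA needs m < n
    return pow(session_key, e, n)


def unwrap_session_key(wrapped: int, server_priv) -> int:
    n, d = server_priv
    return pow(wrapped, d, n)


# ---- Phase 3: symmetric encryption plus integrity for the rest of the session.
# Keystream from HMAC-SHA256 over a per-message nonce, encrypt-then-MAC tag. ----
def _session_keys(session_key: int):
    k = session_key.to_bytes(8, "big")
    return (hmac.new(k, b"enc", hashlib.sha256).digest(),
            hmac.new(k, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(session_key: int, plaintext: bytes) -> bytes:
    enc_key, mac_key = _session_keys(session_key)
    nonce = secrets.token_bytes(16)                 # fresh nonce: keystream never reused
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(session_key: int, blob: bytes) -> bytes:
    enc_key, mac_key = _session_keys(session_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: message was modified in transit")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


# ---- The three phases in the order the text describes (constructed keys/names) ----
CA_PUB, CA_PRIV = rsa_keypair(3_000_000, 5_000_000)
SERVER_PUB, SERVER_PRIV = rsa_keypair(1_000_000, 2_000_000)
TRUSTED_ROOTS = {"Toy Root CA": CA_PUB}            # the client's root store
SERVER_CERT = issue_certificate("server.example", SERVER_PUB, "Toy Root CA", CA_PRIV)


def run_session(message: bytes, cert: dict = SERVER_CERT) -> bytes:
    """Client authenticates the cert, shares a session key; server decrypts the data."""
    if not verify_certificate(cert, TRUSTED_ROOTS):
        raise ValueError("certificate not signed by a known root CA")
    session_key = secrets.randbits(32) | 1          # client-chosen, nonzero, below n
    wrapped = wrap_session_key(session_key, cert["pub"])
    server_side_key = unwrap_session_key(wrapped, SERVER_PRIV)
    return open_sealed(server_side_key, seal(session_key, message))
```

Calling `run_session(b"GET / HTTP/1.1")` returns the same bytes after they have passed through all three phases; a certificate whose issuer is not in `TRUSTED_ROOTS` is rejected before any key is sent, and flipping a single ciphertext byte makes `open_sealed` raise instead of returning corrupted plaintext, which is the integrity phase doing its job.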