DEV Community

Cover image for HTTPS – What’s the Big Deal?
Harish for Right From Basics

Posted on • Updated on • Originally published at rightfrombasics.com

HTTPS – What’s the Big Deal?

What is HTTP?

HTTP stands for Hypertext Transfer Protocol. It is the protocol used by the World Wide Web and it forms the basis for how data is transmitted over the Internet and how servers and browsers respond to various requests. Essentially, it the "procedure" which helps define how data or messages should be exchanged by different parties on the Internet.

The Problem with HTTP

The problem with HTTP is that it does not provide for Integrity, Authentication and Privacy. That means data transmitted over HTTP alone is easy to intercept and makes you susceptible to a whole range of attacks which can compromise the 3 factors mentioned above (which you would ideally want when you surf the web).

How about HTTPS?

HTTPS is essentially HTTP running over Secure Socket Layer (SSL). HTTPS works by encrypting the HTTP message before the exchange and when received on the other side, it decrypts the message.

In comparison, if HTTP is used, sensitive information which may be credit card information, your identity numbers, login credentials such as passwords etc. will be transmitted over the server as plaintext. This leaves the exchange vulnerable to "eavesdropping" which means an attacker can intercept the message and use it for harmful purposes.

How do SSL Certificates work?

  • When a browser/server tries to connect to a webpage secured with SSL, it first requests the web server to identify itself.
  • The web server then sends the client or server its SSL certificate.
  • The browser checks the SSL certificate to know if it can trust it. If it is able to trust the SSL certificate, it sends a message to the web server acknowledge this.
  • The web server is now ready to establish an SSL encyrpted session with the client/server and sends a digital acknowledgement back.
  • Now when messages or data is transferred between these 2 entities, they will be encrypted based on a mutually agreed ciphersuite.

The above process where the browser and web sever initiate a secure session is called an SSL Handshake.

Note: Anyone can create a SSL certificate, but it must be digitally signed by a trusted Certification Authority (CA). Most computers come with a pre-installed list of CAs they can trust and when the browser checks the SSL certificate, it verifies the digital signature against this list.

Public and Private Keys

You would have probably heard about asymmetric cryptography, also known as, public-key cryptography. In this type of asymmetric encryption, two types of keys are involved: public key and private key. The names speak for themselves. Public keys are made public, that is anyone is able to know them. Private keys are private, which means no one other than yourself will be able to access this private key.

Now when someone wants to send me some document, they will simply encrypt the document with my public key (which is accessible by anyone and everyone). Then, they send me this document. Now, I just need to use my private key (which is only known to me) to decrypt this. This ensures that only the intended receipient of the message will be able to decrypt and hence, access the message.

Similarly, if I am sending someone my document, I will encrypt the document with my private key. The receipient of the document will now use my public key to decrypt it and access the document. This helps to identify that the document truly came from me.

SSL Transaction

To set up the SSL session, we need 3 keys: public key, private key and session key. As disucussed above the public and private keys are effective in ensuring that the data is reliable and authentic. However, this requires considerable amount of processing power. Hence, we use the session key to encrypt any transmitted data following the SSL handshake.

Adding SSL to your website

To add SSL, you will have to first purchase a SSL certificate, activate it, install the certificate and finally configure your site to use the certificate. There are tons of tutorials online on how to do that.

You can also get free SSL protection with Cloudflare. To know how you can add free SSL to your website, check this post out!

Looking for Hosting?

Both services offer great uptime and customer service. Oh did I mention - you get a free domain name with both Bluehost and Hostinger!

Top comments (1)

Collapse
 
dineshrathee12 profile image
Dinesh Rathee

LetsEncrypt have revoked around 3 million certs last night due to a bug that they found. Are you impacted by this, Check out ?

DevTo
[+] dev.to/dineshrathee12/letsencrypt-...

GitHub
[+] github.com/dineshrathee12/Let-s-En...

LetsEncryptCommunity
[+] community.letsencrypt.org/t/letsen...