HTTPS , TLS, SSL, CA, Encryption & MITM attack !

None of the above words have to make sense to you just yet. Go and grab a 🍺, give a HUGE ❤️ and smash the 🔥 Follow 🔥 button as we dive right in to it!

Encryption is a way to convert data into special text (that is un-processable in itself) so that only the encryptor and the person intended to receive the data can convert it back a.k.a decrypt it to the original form.

This conversion happens with the help of a 🔑! which again is just a random string text. !

const key = UUID.random() // this is shared between the encryptor and the decryptor 

const encryptedMessage = functionThatEncrypts(plainMessage, key) 

const plainMessage = functionThatDecrypts(encryptedMessage, key)

Notice in the above example we used the same key to encrypt as well as decrypt the message. This type of encryption is called Symmetric encryption and when we have two separate keys it's Asymmetric encryption

A commonly followed process to do the same - Advanced Encryption Standard AES

Now think of a case where two computers that knew each other beforehand have to share some secret data over the internet . How can they do it ?

1. Decide on a common key while being offline to use, and not share it with any other computer.

2. Then use that key to encrypt and decrypt data while talking online

As a result no-one online or offline can possibly make out what they are talking ! This is a secure connection 🙌 powered by Symmetric encryption

But more often in real life two computers have to talk for the first time online . So if they decide on a common key they would have to first share the common key with each other in plain text online !

That's crazy because the internet is like an open connection and any person sniffing on the network can make out what your apparently secret key is ! 🔐

And then use it to imitate Computer A to Computer B and Computer B to Computer A whilst getting to see the entire chat 💭 that's going on. And worse, the attacker can manipulate packets coming from Computer A and send to Computer B for his benefit ! like asking for credit card details via supplying wrong HTML to legitimately requested webpages. 💥 ٩(๏_๏)۶ 💥

The above is called MITM - Man in the Middle attack

Solution for the above problem -

Send the secret key via a rocket to the other computer's location each time you wanna make a request !

But it's a little expensive !

So we use Asymmetric encryption to address the issue.

This involves 2 kinds of keys - One for encryption which is publicly available and the other for decryption which is private.

Important part is that any data which is encrypted using public key can only be decrypted using the private key 🔑

const { publicKey, privateKey } = AES.generateKeyPair()

const encryptedText = functionThatEncrypts(plainText, publicKey)

const plainText = functionThatDecrypts(encryptedText, privateKey)

Now we'll learn how we can use that functionality to send a common key that both the computers agree to, online, except that this time it will be encrypted ! This does not leave room for deciphering intercepted data.

1. Computer A initiates a connection to Computer B by sending a plain text hello ! 👋 This of course contains information like srcIP, srcPort, etc.

2. Computer B then sends its public key to Computer A as a response packet

3. Computer A now uses the public key to encrypt another key 🔑 of its own which will later work as the common key. This encrypted data is known an Premaster Secret and will be sent to Computer B
   

// On side of Computer A

const finalKey = UUID.random(128) // generated by Computer A
const publicKey = receiveFromComputerB() // Step 2

const premasterSecret = functionThatEncrypts(finalKey, publicKey)

sendToComputerB(premasterSecret)

Remember: Our goal is to share a common key without the fear of being deciphered on interception - so in this way we can get back to talking with Symmetric encryption

Computer B can decrypt it using its private key. And no other computer (even Computer A) at this point can decrypt the premaster secret.

// On side of Computer B

const premasterSecret = receiveFromComputerA()

const privateKey = .... // generated as a pair along with public key

const finalKey = functionThatDecrypts(premasterSecret, privateKey)

*Now both computers share a common key * finalKey !

The above 3 step process is called the Transport Layer Security Handshake. (TLS)

Buuuu......t we are not done yet because clearly in Step 2 the public key transfer to Computer A can be intercepted by a man in the middle who can totally represent himself falsely to Computer A.

Hence Computer A needs to be able to verify that the public key it receives is from Computer B.

Solution - SSL (Secure socket layer)

Yes ! Computer B needs to send the pubilcKey through a privately signed SSL certificate and not directly. The reason is Computer A on the receiving end can get the certificate verified through a Certificate Authority (CA) which is a 3rd party service that helps verify server profiles on the internet ! Details of which I will not dive into in this blog coz it's a noob's blog.

So now when SSL is used, the HTTP requests become secure by a million times and its called HTTPS.

That ends my blog. 🔥 Follow 🔥 me for more sweet content don't miss out cuz I am about to blow your brains out !

Thanks for reading !

Feel free to comment down below any of your questions and I will try my best to answer them.