How HTTPS Works - Why Communication is Secure

10 min read | 2025.12.15

What is HTTPS

HTTPS (HyperText Transfer Protocol Secure) is a protocol that adds SSL/TLS encryption to HTTP. It encrypts communication between web browsers and servers, preventing eavesdropping and tampering by third parties.

Key Point: HTTPS URLs start with “https://” and a lock icon is displayed in the browser’s address bar.

How SSL/TLS Encryption Works

HTTPS uses SSL (Secure Sockets Layer) or its successor TLS (Transport Layer Security) to encrypt communication.

1. TCP Handshake

First, a normal TCP connection is established. This is done through a 3-way handshake (SYN → SYN-ACK → ACK).

2. TLS Handshake

After the TCP connection is established, the TLS handshake begins:

  1. Client Hello: Client sends supported cipher suites and TLS version
  2. Server Hello: Server selects the cipher suite to use and sends its certificate
  3. Key Exchange: Client and server use public key cryptography to securely exchange a shared key (session key)
  4. Encrypted Communication Begins: Subsequent communication is encrypted with the shared key

Public Key and Symmetric Key Cryptography

HTTPS uses a combination of two types of encryption:

Public Key Cryptography (Asymmetric Encryption)

  • Uses a pair of public and private keys
  • Data encrypted with the public key can only be decrypted with the corresponding private key
  • Used for key exchange (computationally expensive, not suitable for large data)

Symmetric Key Cryptography

  • Uses the same key for encryption and decryption
  • Fast and suitable for encrypting large amounts of data
  • Used for actual data communication

Why use both: Public key cryptography is used to securely exchange a “shared key,” and then the fast symmetric key cryptography is used for communication. This is called hybrid encryption.

The Role of Certificates

SSL/TLS certificates are digital certificates that prove the identity of a server:

  • Authentication: Confirms that the communication partner is the genuine server
  • Public Key Distribution: Safely distributes the server’s public key
  • Chain of Trust: Signed by a Certificate Authority (CA) to guarantee trustworthiness
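
The handshake steps and certificate checks described above can be observed from the client side with Python's standard ssl module. This is an added example, not code from the original article; the function names and the host example.com are assumptions chosen for illustration, and the connection itself needs network access.

```python
import socket
import ssl


def build_client_context() -> ssl.SSLContext:
    """Client-side TLS settings: what goes into the Client Hello and how the
    server certificate is checked."""
    ctx = ssl.create_default_context()            # loads the system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 / TLS 1.0 / 1.1
    # create_default_context() already sets these; stated explicitly because
    # they are what makes certificate-based authentication effective.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def offered_cipher_suites(ctx: ssl.SSLContext) -> list[str]:
    """Names of the cipher suites the client advertises in its Client Hello."""
    return [c["name"] for c in ctx.get_ciphers()]


def handshake_summary(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Run the TCP handshake, then the TLS handshake, and report the result.

    Raises ssl.SSLCertVerificationError if the certificate chain or hostname
    does not validate, so no application data is sent to an unauthenticated
    server.
    """
    ctx = build_client_context()
    with socket.create_connection((host, port), timeout=timeout) as tcp:  # step 1
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:           # step 2
            cert = tls.getpeercert()
            return {
                "tls_version": tls.version(),      # chosen in the Server Hello
                "cipher_suite": tls.cipher()[0],   # chosen in the Server Hello
                "subject": cert.get("subject"),
                "issuer": cert.get("issuer"),      # the signing CA
                "not_after": cert.get("notAfter"),
            }


if __name__ == "__main__":
    # example.com is a placeholder host; running this needs network access.
    for key, value in handshake_summary("example.com").items():
        print(f"{key}: {value}")
```

If the certificate is expired, self-signed, or issued for a different hostname, the handshake fails before any HTTP request is sent.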

Summary

HTTPS uses a hybrid approach combining public key and symmetric key cryptography to achieve secure and efficient encrypted communication. Combined with certificate-based authentication, it supports safe communication on the Internet.
