A word about HTTPS
HTTPS & TLS overview
Days ago HTTPS (secured HTTP) was used mostly to protect privacy, secure payment transactions and accounts. Recently both Google Chrome and Firefox launched browser updates (versions 56 and 51, respectively) that warn users if connection is not secured for every website that use HTTP instead of HTTPS.
HTTPS is an extension of HTTP that uses secure communication between server and client(most commonly browser). It is encrypted using TLS or its predecessor SSL. Secure Sockets Layer (SSL) was the most widely deployed cryptographic protocol to provide security over internet communications before it was preceded by TLS (Transport Layer Security) in 1999. This protocol secures communications by using what’s known as an asymmetric public key infrastructure. This type of security system uses two different keys to encrypt communications between two parties:
- The private key - this key is controlled by the owner of a website and it’s kept, as the reader may have speculated, private. This key lives on a web server and is used to decrypt information encrypted by the public key.
- The public key - this key is available to everyone who wants to interact with the server in a way that’s secure. Information that’s encrypted by the public key can only be decrypted by the private key.
SSL/TLS handshake
One of the most important parts of the SSL/TLS protocol is the SSL/TLS handshake. The handshake is where each connection is established. The TLS handshake consists of three steps:-
Setting up cipher suites.
So, the first steps of the TLS handshake require the client (usually different browsers) and server(NGNIX, Apache, Windows Server) to share their capabilities so they can find the cryptographic tools they mutually support. Once a client and server agree on the exact encryption methods they will use. This is called a cipher suite.
-
Authenticating both server and client side.
Then the server sends the client its SSL certificate. The client performs several cryptographically secure checks to make sure the certificate provided by the server is authentic. This includes checking the digital signature and making sure the certificate originates from a trusted CA (Certificate Authority).
During this stage, the client also verifies that the server owns the private key associated with the certificate. The server sends the public key through the SSL Certificate. The client will encrypt random data with the public key. The server will only be able to decrypt and use that data if it has the private key, which provides proof of possession.
The public key is used to encrypt data and the private key is used to decrypt. This is known as “asymmetric” public key encryption because the two functions are performed by different keys. The encryption is effectively one-way.
-
Exchanging symmetric session keys.
The session key will be generated with the public key. Session keys are “symmetric,” meaning the same key is used for encryption and decryption. This is the key that will actually be used for secure communication.
Once the SSL handshake is complete, the encrypted and authenticated HTTPS connection begins and all the data being sent and received between you and the server is protected using the session key.
A word about certificates
SSL certificates need to be issued from a trusted Certificate Authority such as Let's Encrypt, Digicert, GoDaddy and GlobalSign. The Root Certificate must be installed on the end user's machine (web server) in order for the Certificate to be trusted.
Certificates can be divided into three authentication groups, based on the level of authentication, which are:
-
Domain Validation SSL Certificates
These require owners to prove their control over the domain name. The certificate contains the domain name that was supplied to the issuing authority as part of the request.
-
Organization Validation SSL Certificates
This requires businesses to not only prove they own the domain name they wish secure, but also prove that their company is registered and legally accountable as a business. The issued certificate is then proof of domain and company name. This level of authentication is suitable for public-facing websites that collect personal data from site users.
-
Extended Validation SSL Certificates
Helps protect users from providing their details to fake website which can be used by criminals for phishing. EV SSL requires both of the above validations for domain and company as well as several additional verification steps related to proving that the SSL certificate belongs to a registered company. This extra company information is then represented in the issued certificate on the address bar and can be accessed from many web browsers by clicking on the padlock icon. This type of certificate is also available to organizations and businesses only.
Learn more about https and certificates from these cool comics.