Have you ever wondered how websites communicate with web browsers and request data from servers to render content on your screen? I used to have those questions too.
If you’re curious about how the Internet works, you’ve come to the right place. In this article, let’s dive into the workings of HTTPS and understand its vital role in the World Wide Web.
Humble Beginnings on the WWW
To understand HTTPS, we first need to know about its ancestor, HTTP (Hypertext Transfer Protocol). HTTP is a common protocol used for communication between websites and browsers across the Internet. It forms the backbone of the entire World Wide Web, enabling information exchange and connections.
HTTP Requests and Responses
HTTP operates on a request-response basis, where clients (browsers) send HTTP requests to servers, and servers respond with HTTP responses. These requests and responses are typically facilitated by the Transmission Control Protocol (TCP).
HTTP requests contain crucial information, such as the HTTP version, client hostname or URL, HTTP method, request header (providing data type preferences, user-agent details, etc.), and an optional HTTP body for data submission.
On the other hand, HTTP responses from the server include the HTTP status code, response header, and response body, containing the requested data.
How HTTP works
Let’s see how a common HTTP communication occurs between clients and servers:
- The user enters a domain name (e.g., google.com) into the browser.
- The browser acts as the client and sends a “
GET” request to the server hosting the specified address.
- The server receives the request and analyzes the desired response, which could be media, JSON, HTML, CSS, etc.
- The server sends back the response to the client.
- The client (browser) receives the response and renders or executes the content based on the requested information.
In reality, HTTP supports various methods for clients to send requests, such as
DELETE, each serving a specific purpose.
Why we need to secure our HTTP requests
However, while HTTP is vital to the Internet’s functioning, it has its shortcomings. One of the major drawbacks is its lack of security, particularly concerning data privacy, integrity, and identification.
Data privacy is compromised since HTTP communication is not encrypted, making data transfer vulnerable to eavesdropping by malicious entities. This poses a severe risk, especially when sensitive information like login credentials or bank details are involved.
Integrity is also at risk as the data sent between clients and servers is not encrypted, making it susceptible to tampering without detection. Lack of integrity can lead to misunderstandings and incorrect data interpretations.
Additionally, HTTP does not provide any built-in mechanisms for verifying the identity of communicators, potentially leaving it open to impersonation attacks like man-in-the-middle attacks.
What is HTTPS?
To address these issues, HTTPS (Hypertext Transfer Protocol Secure) was introduced. It extends HTTP’s features while adding a crucial security layer using Transport Layer Security (TLS) for data encryption.
Before HTTPS, the transferred data somehow looks like this:
GET /HTTP/1.1 Host: www.shepdesign.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Accept: text/html,application/xhtml+xml
The informations are all shown through the eyes of the attacker. Now with the help of encryption using HTTPS, the data is encrypted and looks like the below:
With HTTPS, the transferred data is encrypted, safeguarding it from eavesdropping. Moreover, a digital signature is attached to the transferred message, ensuring the identity of the receiver.
The process of how HTTPS works involves establishing an HTTPS connection with the server using “
https://” instead of “
http://” This initiates a TCP connection, and the client and server exchange SSL information through a three-way handshake.
The SSL certificate contains the server’s public key, hostname, expiry dates, and more. After validation, the client generates an encrypted session key using the public key, and the server decrypts it using its private key. This shared encrypted session key allows a secure connection to be established, enabling bi-directional transfer of encrypted messages.
In conclusion, while HTTP is crucial for Internet communication, its lack of security makes it vulnerable to various risks. HTTPS, with its encryption and identity verification mechanisms, ensures safe and secure communication between clients and servers, addressing the shortcomings of HTTP and safeguarding users’ data privacy, integrity, and identification.