Demystifying HTTPS: How Secure HTTP Protects Your Data

Q1: What is HTTPS?

HTTPS is secure HTTP. It encrypts the normally plaintext HTTP traffic to ensure safe information transmission. The trailing “S” stands for SSL/TLS, which sits between HTTP and the TCP/IP layer.

Q2: What does "information transmission security" mean?

Security has three aspects: 1) Confidential communication between client and server; 2) Data that even if intercepted cannot be understood; 3) Ability to detect if data has been altered; 4) Preventing man‑in‑the‑middle impersonation of the server. Traditional HTTP does not satisfy any of these.

Q3: Isn’t meeting all these requirements exhausting?

Not really; the third requirement can be ignored because encryption already prevents third‑party interference and forgery when properly designed.

Q4: How is the information encrypted?

Symmetric encryption is used first. It is a reversible transformation, e.g., shifting each letter by one ("Hello" → "Ifmmp") with key 1. After establishing a symmetric key, the HTTPS handshake adds two steps to exchange that key.

Q5: How is the symmetric key transmitted?

Sending the symmetric key in plaintext is insecure. Instead, asymmetric encryption is employed: the client generates the symmetric key, encrypts it with the server’s public key, and sends it. The server decrypts it with its private key.

Q6: How is the public key transmitted?

Servers obtain a certificate from a trusted Certificate Authority (CA). The certificate contains the server’s public key, which is signed by the CA’s private key. Clients have the CA’s public key pre‑installed, allowing them to verify the certificate.

Q7: How to know a certificate hasn’t been tampered with?

The certificate’s hash value is sent together with the certificate. Because the hash cannot be forged without the private key, any alteration will be detected during verification.

Q8: Does this prevent a third party from impersonating the server?

Yes, as long as the client trusts the CA’s public key and the certificate is verified, an attacker cannot forge a valid certificate or successfully perform a man‑in‑the‑middle attack.

Q9: Does the HTTPS handshake affect performance?

HTTPS adds some latency due to the SSL/TLS handshake and certificate verification, but the symmetric encryption/decryption overhead is negligible. Subsequent connections can resume sessions, reducing the cost, and HTTP/2 further mitigates performance impact.

Conclusion

The nine questions above give newcomers a solid understanding of HTTPS fundamentals; deeper platform‑specific details require further exploration.

Source: Jianshu (www.jianshu.com/p/072a657337ae)