How Carrier Pigeons Explain HTTPS: From Caesar Cipher to Public Keys
This article uses the classic Alice‑Bob‑pigeon analogy to demystify HTTPS, illustrating symmetric Caesar‑cipher encryption, asymmetric public‑key exchange, digital signatures, and why a certificate authority is essential for secure web communication.
Alice, Bob, and the Pigeon
In everyday online actions—reading this article, buying on Amazon, or uploading a pet photo—messages travel between your device and a server. To make this concept tangible, we imagine the messages being carried by carrier pigeons, a much slower but illustrative analogy for HTTPS.
First Communication
If Alice wants to send a message to Bob, she ties a letter to a pigeon’s leg. Bob receives the letter happily. However, the eavesdropper Mallory intercepts the pigeon mid‑flight, opens the letter, reads it, and even alters its contents before letting the pigeon continue. Bob receives a tampered message, unaware of the interference. This mirrors the insecurity of plain HTTP.
Encryption Algorithm
Alice and Bob decide to use a simple shared secret: a Caesar cipher that shifts each alphabetic character three places back in the alphabet (e.g., D→A, E→B, F→C). The phrase "secret message" becomes "pbzobq jbppxdb". Mallory, lacking the key, cannot understand the ciphertext or change it into something meaningful. Bob, knowing the shift, easily reverses it to recover the original text. This demonstrates symmetric-key encryption.
How Do We Determine the Key
Symmetric encryption is secure only if no one else knows the key. If Alice and Bob have never met, they cannot safely exchange the key; embedding it in the message would let Mallory discover it and decrypt the content—a classic man‑in‑the‑middle attack. The solution is to redesign the system using asymmetric cryptography.
The Pigeon Carries a Box
Alice and Bob redesign their communication: Alice releases a pigeon without a message; Bob attaches an open box to the pigeon and sends it back, holding on to the key himself; Alice puts her message inside, locks the box, and returns it; Bob unlocks it with his key to read the message. The locked box represents a public-key encryption system, where the box is the public key and the key to open it is the private key.
How Do I Trust This Box
Even with a locked box, Bob must be sure it truly came from Alice. They introduce a trusted third party, Ted, who signs boxes. Ted, acting as a Certificate Authority, verifies identities before signing. When Bob receives a box signed by Ted, he can trust its origin, mirroring digital certificates in browsers.
The Box Is Heavy
While the locked‑box (asymmetric encryption) ensures authenticity, it is slower. Alice and Bob therefore use asymmetric encryption only to exchange a symmetric key (the Caesar‑cipher shift), then communicate efficiently with symmetric encryption. This hybrid approach combines the reliability of public‑key cryptography with the speed of symmetric cryptography.
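The hybrid exchange described above, as an added sketch that is not part of the original article: the Caesar shift is the symmetric key, and it travels inside Bob's "box". The function names and the textbook-sized RSA numbers (built from p=61, q=53, with no padding) are constructed for illustration and offer no real security.

```python
# Added illustration of the pigeon story's hybrid scheme. Toy numbers, not secure.

def caesar(text, shift):
    """Shift ASCII letters by `shift` places (negative = backward)."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)  # spaces and punctuation travel unchanged
    return "".join(out)

# Bob's "open box" (public key) and the key he keeps (private key).
# Constructed textbook RSA values from p=61, q=53; real keys are 2048+ bits.
BOB_PUBLIC = (3233, 17)     # (n, e): anyone may lock a box with this
BOB_PRIVATE = (3233, 2753)  # (n, d): only Bob can unlock

def lock_in_box(shift, public):
    """Alice locks the symmetric key (the shift) with Bob's public key."""
    n, e = public
    return pow(shift % 26, e, n)

def unlock_box(boxed, private):
    """Bob recovers the shift with his private key."""
    n, d = private
    return pow(boxed, d, n)

def alice_sends(message, shift, bob_public):
    """Return (boxed key, ciphertext): slow box once, fast cipher for the text."""
    return lock_in_box(shift, bob_public), caesar(message, shift)

def bob_receives(boxed_key, ciphertext, bob_private):
    """Unlock the shift, then undo the Caesar cipher with it."""
    shift = unlock_box(boxed_key, bob_private)
    return caesar(ciphertext, -shift)

if __name__ == "__main__":
    boxed, ct = alice_sends("secret message", -3, BOB_PUBLIC)
    print(boxed, ct)                             # boxed key and Caesar ciphertext
    print(bob_receives(boxed, ct, BOB_PRIVATE))  # original text recovered
```

The shift of -3 matches the article's D→A mapping; on the wire only the boxed key and the ciphertext appear, never the shift itself.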
Conclusion
In practice, asymmetric encryption is slower than symmetric encryption, so it is used primarily for key exchange, while symmetric encryption secures the bulk of the data. With this pigeon analogy, you should now have a clear mental model of how HTTPS works.
21CTO
21CTO (21CTO.com) offers developers community, training, and services, making it your go‑to learning and service platform.
