Information Security 11 min read

How HTTPS Uses Zero‑Knowledge Proofs to Secure Your Web Traffic

This article demystifies HTTPS by explaining its underlying encryption, signing, and certificate mechanisms, illustrating how zero‑knowledge proof concepts secure identity verification, and providing practical guidance on upgrading from HTTP, configuring certificates, capturing traffic with Fiddler, and understanding session recovery and performance considerations.

Tencent IMWeb Frontend Team

Introduction

Whether it seems deep or trivial, you encounter HTTPS every day. Let’s walk through it in a non‑academic way in about 15 minutes.

Zero‑Knowledge Proof Analogy

Imagine you know the password to a locked room. You can either reveal the password (leaking it) or open the door and show an object inside. The second method mirrors zero‑knowledge proof: proving knowledge without revealing the secret.

1. HTTPS Fundamentals

1.1 What Is HTTPS?

HTTPS (Hypertext Transfer Protocol Secure) adds a security layer between the application and transport layers. That security layer is SSL/TLS (TLS is the current name of the protocol originally called SSL).

1.2 How HTTPS Guarantees Secure Communication

Encryption – Prevent Eavesdropping

Symmetric encryption uses the same key for encryption and decryption, offering fast performance. Asymmetric encryption uses a public key for encryption and a private key for decryption, providing secure key exchange but with higher computational cost.

The actual HTTPS encryption process: negotiate a symmetric key using asymmetric encryption, then use that symmetric key for data transfer.

RSA Example (Asymmetric Encryption)

Given two coprime integers a and n, there exists an integer b such that ab ≡ 1 (mod n). This b is the modular inverse of a. RSA builds on this: from two large primes p and q it forms n = pq, chooses a public exponent e coprime with φ(n) = (p−1)(q−1), and computes the private exponent d as the modular inverse of e modulo φ(n). Euler’s theorem then guarantees that m^(ed) ≡ m (mod n), which is why the two keys undo each other.

Encryption: c = m^e mod n. Decryption: m = c^d mod n.

Signature – Prevent Tampering

Hash the message, encrypt the hash with the private key to create a signature, and attach it to the message. The receiver hashes the message, decrypts the signature with the public key, and compares the hashes to verify integrity.
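To make the RSA relationships above concrete, here is an added textbook example (not code from the article or the IMWeb team): it computes the modular inverse with extended Euclid, derives a key pair, and performs both encrypt/decrypt and hash‑then‑sign/verify. The primes 104729 and 1299709 and the message values are constructed for illustration; real RSA uses much larger primes and padding schemes.

```python
import hashlib

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(a, n):
    """Modular inverse b of a with a*b ≡ 1 (mod n); requires gcd(a, n) == 1."""
    g, x, _ = egcd(a, n)
    if g != 1:
        raise ValueError("a and n are not coprime, so no inverse exists")
    return x % n

def keygen(p, q, e=65537):
    """Textbook RSA: n = p*q, phi = (p-1)(q-1), d = e^-1 mod phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, modinv(e, phi))   # modinv raises if gcd(e, phi) != 1

def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)                   # c = m^e mod n

def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)                   # m = c^d mod n

def sign(priv, message: bytes):
    """Hash the message, then apply the private exponent to the digest."""
    n, d = priv
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(h, d, n)

def verify(pub, message: bytes, sig):
    """Recompute the hash and compare it with the signature raised to e."""
    n, e = pub
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(sig, e, n) == h

if __name__ == "__main__":
    # Constructed toy primes (the 10000th and 100000th primes); no padding here.
    pub, priv = keygen(104729, 1299709)
    print(decrypt(priv, encrypt(pub, 424242)))            # 424242
    s = sign(priv, b"GET /login HTTP/1.1")
    print(verify(pub, b"GET /login HTTP/1.1", s))         # True
    print(verify(pub, b"GET /admin HTTP/1.1", s))         # False: tampering detected
```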

Certificate – Prevent Impersonation

A Certificate Authority (CA) signs a digital certificate containing the public key and identity information. The client trusts the CA’s public key, verifies the certificate, and thus trusts the server’s public key.

These mechanisms (encryption, signature, certificate) are practical applications of zero‑knowledge proof: they prove authenticity without revealing useful secret information.

1.3 Complete HTTPS Handshake Process

1. The client requests the server’s public key (carried in its certificate) and verifies it.
2. Both parties negotiate a symmetric session key.
3. Communication proceeds using symmetric encryption.

The first two steps constitute the handshake. By the end of it, both sides derive the same symmetric key from the random values they exchanged during the handshake.

Session Recovery

If a session is interrupted, it can be resumed without a full handshake in one of two ways: with a Session ID, the server keeps the session state and the client presents the ID; with a Session Ticket, the server hands the client an encrypted ticket containing the session state, and the client presents that ticket on reconnect.

2. HTTPS Practice and Applications

2.1 Upgrading from HTTP to HTTPS

1. Obtain a certificate (usually not free). Validation levels: Domain Validation, Organization Validation, Extended Validation. Coverage types: single‑domain, wildcard, multi‑domain.
2. Install and configure the certificate on the server.
3. Update links to use HTTPS.
4. Set up 301 redirects from HTTP to HTTPS.

2.2 Capturing HTTPS with Fiddler

Enable HTTPS decryption in Fiddler, install the generated root certificate, and trust it on iOS (Settings → General → Device Management) and Android (Settings → Security → Trusted Credentials). Keep in mind that a device which trusts that root will accept any certificate it issues, so the proxy can read all of the device’s TLS traffic; remove the root from the trust store once debugging is finished.

2.3 Limitations and Use Cases

Because HTTPS adds computational overhead and requires certificates, it was traditionally reserved for high‑security sites or critical pages such as registration, login, and payment. With proper optimization (including the session recovery described above), the performance cost is small, so HTTPS is now suitable for virtually all scenarios.
