Understanding HTTPS: How SSL/TLS Secures Web Communication

What is HTTPS

HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) is the secure version of HTTP, adding an SSL/TLS layer to provide encryption, authentication and data integrity.

Functions of HTTPS

Content encryption – creates a secure channel for data transmission.

Identity authentication – verifies the authenticity of the website.

Data integrity – prevents tampering or impersonation.

Disadvantages of HTTPS

Encryption and decryption add overhead, making HTTPS slower than HTTP.

Browsers do not store HTTPS responses in local cache by default, though caching can be enabled with appropriate HTTP headers.

Differences between HTTP and HTTPS

HTTPS requires a certificate issued by a CA.

HTTP transmits data in clear text; HTTPS uses SSL/TLS encryption.

HTTP uses port 80; HTTPS uses port 443.

HTTPS combines SSL/TLS with HTTP to provide authentication and encryption.

HTTP default port 80, HTTPS default port 443.

Encryption concepts

Symmetric encryption

Symmetric (private‑key) encryption uses the same key for encryption and decryption. Common algorithms include DES, AES, RC4, IDEA.

Asymmetric encryption

Asymmetric (public‑key) encryption uses a key pair: a public key for encryption and a private key for decryption. It enables secure key exchange and digital signatures.

Asymmetric encryption cannot encrypt data longer than the key length (e.g., a 2048‑bit key limits plaintext to 256 bytes).

Hash (digest) algorithm

A hash function produces a fixed‑length digital fingerprint of the plaintext; HTTPS uses this to ensure data integrity and prevent tampering.

Digital signature

Digital signatures combine asymmetric encryption and hashing: the sender hashes the message, encrypts the digest with their private key, and the receiver verifies it using the sender’s public key.

plaintext → hash → digest → private‑key encryption → digital signature

Signatures confirm the sender’s identity and the message’s integrity.

Digital certificates

Why certificates are needed

Certificates bind a public key to a trusted identity, allowing a client to verify that the key truly belongs to the intended server.

Certificate issuance process

The client generates a key pair and sends the public key plus identity information to a Certificate Authority (CA). After verification, the CA signs the certificate with its private key and returns it to the client.

Certificate contents

Issuer (CA) name

Certificate’s digital signature

Subject’s public key

Hash algorithm used for the signature

Certificate validation

If the issuing CA is unknown, the certificate is considered unsafe.

If the CA is trusted, the browser uses the CA’s public key to verify the certificate’s signature.

For a tampered certificate, the computed hash will not match the decrypted signature.

Certificates can be revoked before expiration; browsers check revocation status via OCSP.

SSL and TLS

SSL (Secure Socket Layer)

SSL, originally developed by Netscape, provides encryption, authentication and data integrity. It consists of the SSL Record Protocol and the SSL Handshake Protocol.

TLS (Transport Layer Security)

TLS is the successor to SSL 3.0, defined by the IETF. It also has a Record Protocol and a Handshake Protocol, offering stronger security.

Advantages of TLS over SSL

Uses HMAC for message authentication, which is more secure than SSL’s MAC.

Improved pseudo‑random function (PRF) with dual hash algorithms.

Enhanced finished‑message verification.

Consistent certificate handling.

More specific alert messages.

SSL/TLS handshake process

Client Hello

The client sends supported protocol versions, cipher suites, compression methods and a random number.

Server Hello

The server selects the protocol version and cipher suite, sends its certificate and another random number.

Client Key Exchange

The client verifies the server certificate, generates a pre‑master secret, encrypts it with the server’s public key, and sends it along with a ChangeCipherSpec message.

Server Finished

The server decrypts the pre‑master secret, derives the session keys, sends its own ChangeCipherSpec and a Finished message encrypted with the new keys.

Secure communication

After the handshake, both sides use the negotiated symmetric keys to encrypt application data.

During the handshake, asymmetric encryption is used; during data transfer, symmetric encryption provides efficiency.

Session resumption

Two methods allow a client to reuse a previous session: session ID and session ticket.

Session ID

The client presents a previously assigned session ID; if the server still has the session, it can resume without a full handshake.

Session ID is widely supported but tied to a single server.

Session ticket

The server encrypts session parameters into a ticket and sends it to the client; the client can present the ticket to resume the session without server‑side state.

Supported by modern browsers such as Chrome and Firefox.

Summary

HTTPS inserts SSL/TLS between TCP and HTTP, using symmetric encryption, asymmetric encryption, and digital certificates to protect data confidentiality, integrity and authenticity during web communications.