Understanding HTTPS: Principles, Security Mechanisms, and Common Misconceptions

HTTPS Overview

With the decreasing cost of HTTPS deployment, most websites now use the protocol. While HTTPS is known to be more secure than HTTP, many still wonder why it is considered safe, how its underlying mechanisms operate, and whether using HTTPS guarantees complete security.

Implementation Principles

HTTPS encrypts data during transmission using symmetric encryption, while asymmetric encryption is only used during the certificate verification stage.

The overall process consists of two phases: certificate verification and data transmission.

1. Certificate Verification Phase

Browser initiates an HTTPS request.

Server returns its SSL/TLS certificate.

Client validates the certificate; if invalid, a warning is shown.

2. Data Transmission Phase

After successful verification, the client generates a random number.

The random number is encrypted with the server’s public key and sent to the server.

The server decrypts the random number using its private key.

Both sides derive a symmetric encryption algorithm from the random number and encrypt subsequent traffic.

Why Use Symmetric Encryption for Data Transfer?

Asymmetric encryption is computationally expensive and unsuitable for the high‑frequency interactions typical of HTTP traffic; symmetric encryption is much faster. Additionally, only the server holds the private key, making asymmetric encryption a one‑way operation, so symmetric encryption is used for the bulk data.

Why Are CA‑Issued Certificates Needed?

Without a trusted Certificate Authority (CA), anyone could create a certificate, enabling classic man‑in‑the‑middle (MITM) attacks. The article illustrates a detailed MITM scenario where an attacker intercepts traffic, presents a forged certificate, and decrypts the communication.

How Browsers Ensure Certificate Legitimacy

1. Certificate Contents

Issuing authority information

Public key

Organization details

Domain name

Validity period

Fingerprint

2. Basis of Legitimacy

Only accredited CAs can issue certificates; their trust is established through a web of trust and credit backing.

3. Browser Validation Steps

Check domain name and validity period.

Verify the certificate chain against trusted root CAs stored locally.

Confirm the certificate has not been tampered with (often via CA server checks).

Check revocation status using CRL or OCSP.

If all checks pass, the browser treats the certificate as valid.

Can HTTPS Be Captured?

HTTPS encrypts traffic, so typical packet‑capture tools see only encrypted data. However, if a user explicitly trusts a proxy’s certificate, a MITM proxy can decrypt and re‑encrypt traffic, effectively “capturing” the communication. HTTPS protects against passive eavesdropping but not against authorized interception.

Summary (Q&A)

Q: Why is HTTPS secure? A: It provides encrypted transport, preventing passive listening and ensuring server authenticity.

Q: How does the HTTPS transmission process work? A: The client requests HTTPS, receives the server’s certificate, validates it, generates a random number encrypted with the server’s public key, and then both sides use symmetric encryption derived from that random number for subsequent data exchange.

Q: Why are certificates necessary? A: They prevent MITM attacks and serve as digital identity for websites.

Q: Can HTTPS be captured? A: Yes, if the user trusts a malicious proxy; HTTPS only blocks untrusted, passive interception.