Understanding HTTPS: Why Encryption Matters and How It Works

Q1: What is HTTPS?

HTTPS is secure HTTP. It encrypts the normally plaintext HTTP traffic to ensure safe transmission, and the trailing “S” stands for SSL/TLS, which sits between HTTP and the TCP/IP layer.

Q2: What does “secure transmission” mean?

Secure transmission has three aspects: (1) the client and server communicate directly, (2) the data is unreadable to third parties, and (3) the client and server can detect any tampering. The original HTTP protocol satisfies none of these requirements.

Q3: Isn’t meeting all these requirements cumbersome?

No, the third requirement can be ignored because encryption inherently prevents third‑party interference and forgery; a well‑designed encryption mechanism ensures that only the legitimate server can decrypt the data.

Q4: How is the information encrypted?

Symmetric encryption is used for fast, reversible transformation of data (e.g., shifting each letter by one). The HTTPS handshake adds two steps to exchange a symmetric key.

Q5: How is the symmetric key transmitted?

Sending the symmetric key in plaintext is insecure, so asymmetric encryption is introduced. The server’s private key encrypts data that only the server can decrypt, while the public key can be freely distributed.

Q6: How is the public key transmitted?

Servers obtain a certificate from a trusted Certificate Authority (CA). The certificate contains the server’s public key, which is signed by the CA’s private key. Clients already trust the CA’s public key built into operating systems or browsers.

Q7: How can we verify a certificate hasn’t been tampered with?

Certificates are accompanied by a hash value. Because hash functions produce a unique digest for the original data, any alteration will cause a hash mismatch, indicating tampering.

Q8: Does this prevent a third party from impersonating the server?

Yes, because only the legitimate server possesses the private key needed to produce a valid signature that matches the trusted CA’s public key; without it, an attacker cannot forge a valid certificate.

Q9: Does the HTTPS handshake affect performance?

The additional TLS handshake adds some latency, mainly due to SSL processing and certificate verification, but the overhead is acceptable. Subsequent connections can reuse session parameters, and HTTP/2 further mitigates performance costs.

Conclusion

The nine questions above give newcomers a solid foundation for understanding HTTPS, though deeper topics such as platform‑specific implementations still require further study.

Source: 简书 (www.jianshu.com/p/072a657337ae)