Why HTTPS Exists: From HTTP’s Flaws to TLS Encryption Explained
This article explains why HTTPS was created: HTTP offers no encryption, no authentication and no integrity protection. It describes how TLS (and its predecessor SSL) supplies those three properties, the roles of symmetric and asymmetric encryption, hash algorithms and digital certificates, and the handshake that secures modern web communication.
Motivation for HTTPS
HTTP transmits data in clear text, provides no authentication of the communicating parties, and offers no integrity protection. Consequently, eavesdropping, tampering, and impersonation are possible. HTTPS was created to address these three deficiencies.
Definition of HTTPS
HTTPS (Hypertext Transfer Protocol Secure) is HTTP carried inside a TLS connection (SSL is TLS's deprecated predecessor; the two names are still written together out of habit). The HTTP request/response syntax, methods, headers and status codes are unchanged; what changes is that the bytes travel through a TLS session, conventionally on TCP port 443 instead of 80.
Security Guarantees
Encryption – Confidentiality of the exchanged data: an observer on the path sees only ciphertext.
Data integrity – Any modification of the transmitted data is detected and the record is rejected.
Authentication – The server proves its identity with a certificate that chains to a CA the client trusts; without this an on-path attacker could impersonate the server (a man-in-the-middle attack) and the encryption would protect nothing.
SSL/TLS Overview
Protocol Evolution
TLS is the standardised successor to Netscape's SSL. TLS 1.2 (2008) and TLS 1.3 (2018) are the versions in current use; SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 are all deprecated and should be disabled on servers and clients alike. TLS sits between the transport layer (TCP) and the application protocol (HTTP): HTTP hands TLS plaintext, TLS hands TCP encrypted records.
Handshake Overview
During a TLS handshake the client and server:
Negotiate a TLS version and a cipher suite.
Perform a key exchange, normally ephemeral Diffie-Hellman (ECDHE or DHE), so that both sides arrive at the same shared secret without it ever crossing the wire; the ephemeral keys are what give forward secrecy.
Authenticate the server (and optionally the client) with an X.509 certificate issued by a Certificate Authority (CA); the server proves it holds the matching private key by signing handshake data, and the client verifies both the signature and the certificate chain.
Derive symmetric session keys from the shared secret and the handshake transcript.
Switch to symmetric encryption for the bulk of the data transfer.
Example cipher-suite string (OpenSSL naming, TLS 1.2): ECDHE-ECDSA-AES256-GCM-SHA384. Reading left to right: key exchange (ECDHE), authentication or signature algorithm (ECDSA), bulk cipher with its key size and mode (AES-256 in GCM), and the hash used for key derivation and, in non-AEAD suites, for the HMAC (SHA-384). When the mode token is absent, as in ECDHE-RSA-AES128-SHA, the suite is CBC with HMAC-SHA-1. TLS 1.3 suite names such as TLS_AES_256_GCM_SHA384 drop the first two components because key exchange and authentication are negotiated separately in that version.
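The naming scheme above is easy to read by eye for one suite and tedious for the forty a scanner hands back, so here is a parser that splits a suite name into the components just described and flags the weak ones. This is an added example written for this page, not code from the original article; it assumes OpenSSL's TLS 1.2 naming and the IANA TLS 1.3 naming, and the suite names it is fed are constructed test inputs.

```python
"""Decompose TLS cipher-suite names and flag the weak components.

Covers the OpenSSL naming used for TLS 1.2 and earlier (ECDHE-ECDSA-AES256-GCM-SHA384)
and the IANA naming of TLS 1.3 (TLS_AES_256_GCM_SHA384), where key exchange and
authentication are negotiated outside the suite name.
"""
import re

_TLS13 = re.compile(r"TLS_(?:AES_(\d+)_(GCM|CCM|CCM_8)|(CHACHA20)_POLY1305)_(SHA\d+)")
_HASH = {"MD5": "MD5", "SHA": "SHA-1", "SHA256": "SHA-256", "SHA384": "SHA-384"}
_AEAD = {"GCM", "CCM", "CCM8", "CCM-8", "POLY1305"}
_MODERN = {"AES-128", "AES-256", "ChaCha20"}


def _parse_openssl(t: list, s: dict) -> None:
    """Fill in key exchange, authentication, cipher, mode and hash from '-' separated tokens."""
    # Key exchange and authentication. OpenSSL omits both tokens when they are RSA/RSA.
    if t[0] in ("ADH", "AECDH"):
        s["kx"], s["auth"] = t.pop(0)[1:], "NONE"
    elif t[0] in ("ECDHE", "DHE", "ECDH", "DH"):
        s["kx"] = t.pop(0)
        s["auth"] = t.pop(0) if t and t[0] in ("RSA", "ECDSA", "DSS", "PSK") else "RSA"
    elif t[0] in ("RSA", "PSK"):
        s["kx"] = s["auth"] = t.pop(0)
    else:
        s["kx"] = s["auth"] = "RSA"
    if not t:
        raise ValueError("unrecognised suite name: " + s["name"])
    # Bulk cipher.
    if t[:2] == ["DES", "CBC3"]:
        s["cipher"], t[:2] = "3DES", []
    elif t[0].startswith("AES"):
        s["cipher"] = "AES-" + t.pop(0)[3:]
    elif t[0] == "CHACHA20":
        s["cipher"] = "ChaCha20"
        t.pop(0)
    else:
        s["cipher"] = t.pop(0)  # RC4, DES, SEED, CAMELLIA128, ... all legacy today
    # Mode: AEAD suites carry a token; for a block cipher an absent token means CBC.
    if t and t[0] in ("GCM", "CCM", "CCM8", "POLY1305", "CBC"):
        s["mode"] = t.pop(0)
    else:
        s["mode"] = "stream" if s["cipher"] in ("RC4", "ChaCha20") else "CBC"
    # Hash: HMAC hash in CBC suites, PRF hash in AEAD suites; CCM and ChaCha20 imply SHA-256.
    s["hash"] = _HASH.get(t[0], t[0]) if t else "SHA-256"


def parse_suite(name: str) -> dict:
    """Return the suite's components, whether it gives forward secrecy and AEAD, and issues."""
    s = {"name": name, "version": "TLS 1.2 or earlier", "issues": []}
    m = _TLS13.fullmatch(name)
    if m:
        bits, mode, chacha, h = m.groups()
        s.update(version="TLS 1.3", kx="(EC)DHE, negotiated separately",
                 auth="certificate signature, negotiated separately",
                 cipher="ChaCha20" if chacha else "AES-" + bits,
                 mode="POLY1305" if chacha else mode.replace("_", "-"), hash=_HASH.get(h, h))
    else:
        _parse_openssl(name.split("-"), s)
    s["forward_secrecy"] = s["kx"].startswith(("ECDHE", "DHE", "(EC)DHE"))
    s["aead"] = s["mode"] in _AEAD
    if s["auth"] == "NONE":
        s["issues"].append("anonymous key exchange: no server authentication, trivially MITM-able")
    if not s["forward_secrecy"]:
        s["issues"].append("static key exchange (" + s["kx"] + "): no forward secrecy")
    if s["cipher"] not in _MODERN:
        s["issues"].append("legacy cipher " + s["cipher"])
    if not s["aead"]:
        s["issues"].append("non-AEAD mode " + s["mode"]
                           + ": integrity relies on MAC-then-encrypt (padding-oracle history)")
    if s["hash"] in ("MD5", "SHA-1"):
        s["issues"].append(s["hash"] + "-based MAC (deprecated)")
    s["acceptable"] = not s["issues"]
    return s
```

Feed it the output of `openssl ciphers -v` or a scanner's list and anything with a non-empty `issues` entry is a suite to remove from the server configuration; note that for TLS 1.3 names the parser cannot judge key exchange or authentication, because those are chosen by the handshake, not by the suite.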
Certificates and Keys
An X.509 certificate binds a public key to an identity; for a web server that is a domain name (the subject and its Subject Alternative Names) and optionally an organization. The matching private key stays on the server and must never leave it. In TLS the key pair is used for authentication, not for bulk encryption: the server signs handshake data with the private key and the client checks that signature with the public key in the certificate, which proves the server holds the key the certificate names. (Older TLS 1.2 RSA key-transport suites instead had the client encrypt a premaster secret to the public key; that design has no forward secrecy and was removed in TLS 1.3.) CAs sign certificates, intermediate CAs are themselves signed by roots, and the result is a chain the client can verify back to a root it already trusts.
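The chain of trust only protects a client that actually checks it, and the most common way HTTPS fails in practice is client code that turns verification off to silence an error. The following is an added example for this page, not code from the original article: it contrasts that anti-pattern with a hardened client configuration using Python's standard `ssl` module, and `audit_context()` reports the settings a code review should assert on. The cipher-string and function names are my own choices.

```python
"""Client-side TLS configuration: what a client must do to get the authentication
guarantee the certificate chain promises, and the common way it is thrown away.
"""
import ssl


def weak_client_context() -> ssl.SSLContext:
    """Anti-pattern: the session is still encrypted, but any certificate is accepted,
    so an on-path attacker can present their own key pair and read everything."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE  # chain is not checked at all
    return ctx


def hardened_client_context(cafile=None) -> ssl.SSLContext:
    """Verify the chain against trusted roots (system store, or `cafile` for a private CA),
    match the hostname, refuse anything below TLS 1.2, and restrict the TLS 1.2 suites to
    forward-secret AEAD ones. TLS 1.3 suites are configured separately and stay enabled."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!PSK")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings that decide whether the connection is authenticated."""
    suites = [c["name"] for c in ctx.get_ciphers()]
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "verifies_hostname": bool(ctx.check_hostname),
        "min_version": ctx.minimum_version.name,
        # TLS 1.3 names start with TLS_ and are always forward-secret AEAD suites.
        "non_aead_suites": [n for n in suites
                            if not any(k in n for k in ("GCM", "CCM", "CHACHA20"))],
        "non_pfs_suites": [n for n in suites if not n.startswith(("ECDHE", "DHE", "TLS_"))],
    }
```

Use `hardened_client_context()` with `socket` or `http.client` (`ctx.wrap_socket(sock, server_hostname=host)`); a CA that is not in the system store (an internal PKI) goes in `cafile`, which is the correct fix for the "certificate verify failed" error that `weak_client_context()` papers over.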
Hybrid Encryption in TLS
TLS combines asymmetric and symmetric cryptography:
Asymmetric algorithms establish the session secret: ephemeral Diffie-Hellman (ECDHE, DHE) lets both sides compute the same shared secret from public values alone, and the server's RSA or ECDSA key signs the exchange so the client knows whose public value it received. (RSA can also be used to transport a client-chosen secret, but only in TLS 1.2 and below, and without forward secrecy.) The session keys are then derived from that secret with a key-derivation function (the TLS 1.2 PRF, HKDF in TLS 1.3).
Symmetric algorithms (AES‑GCM, ChaCha20‑Poly1305) encrypt the actual application data because they are much faster.
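The whole hybrid pipeline, shown end to end as an added example that is not part of the original article: an ephemeral Diffie-Hellman exchange over a published 2048-bit group, HKDF to turn the shared secret into traffic keys, and an encrypt-then-MAC record layer that rejects a tampered record before decrypting it (this last part also illustrates the HMAC tag described in the Digest section below). The standard library has no AES, so the record layer uses an HMAC-SHA256 keystream and tag as a stand-in for AES-GCM or ChaCha20-Poly1305; it is for illustration, not production. The HTTP request used as the message is constructed.

```python
"""Hybrid encryption end to end: ephemeral DH, HKDF, and an authenticated record layer.

The symmetric part is a stand-in for AES-GCM / ChaCha20-Poly1305 (not in the stdlib):
an HMAC-SHA256 keystream for confidentiality plus an HMAC-SHA256 tag for integrity
(encrypt-then-MAC). It exists to show the moving parts, not to be deployed.
"""
import hashlib
import hmac
import secrets

# 2048-bit MODP group (RFC 3526, group 14), generator 2. A safe prime: (P-1)/2 is prime.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin; sanity-check a DH group (p and (p-1)/2) before trusting it."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair():
    """Fresh (ephemeral) private exponent x and public value g^x mod p."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> int:
    # Reject 0, 1 and p-1: they force the shared secret into a trivial subgroup.
    if not 2 <= peer_pub <= P - 2:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P)


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869): extract a PRK from the raw secret, then expand to traffic keys."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for counter in range(1, (length + 31) // 32 + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(enc_key: bytes, mac_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one record; the sequence number is the nonce and is never reused."""
    nonce = seq.to_bytes(8, "big")
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_record(enc_key: bytes, mac_key: bytes, record: bytes) -> bytes:
    nonce, ct, tag = record[:8], record[8:-32], record[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify first, in constant time
        raise ValueError("integrity check failed: record was modified in transit")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def run_exchange(message: bytes = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n") -> dict:
    """Client and server each make an ephemeral key pair; only public values cross the wire."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    c_secret, s_secret = dh_shared(c_priv, s_pub), dh_shared(s_priv, c_pub)
    # Real TLS salts the derivation with the handshake transcript; both public values stand in.
    salt = hashlib.sha256(c_pub.to_bytes(P_BYTES, "big") + s_pub.to_bytes(P_BYTES, "big")).digest()
    keys = hkdf_sha256(c_secret.to_bytes(P_BYTES, "big"), salt, b"example traffic keys", 64)
    enc_key, mac_key = keys[:32], keys[32:]
    record = seal(enc_key, mac_key, 0, message)
    recovered = open_record(enc_key, mac_key, record)
    tampered = record[:9] + bytes([record[9] ^ 0x01]) + record[10:]  # flip one ciphertext bit
    try:
        open_record(enc_key, mac_key, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"secrets_match": c_secret == s_secret, "roundtrip_ok": recovered == message,
            "tamper_detected": tamper_detected, "record_len": len(record)}
```

Two details carry over directly to real TLS: the private exponents are thrown away after the session, so recording the traffic and later stealing the server's certificate key recovers nothing (forward secrecy), and the receiver checks the tag before it touches the ciphertext, which is the discipline the old MAC-then-encrypt CBC suites lacked.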
Cryptographic Primitives
Symmetric Encryption
Common algorithms: DES (56-bit key, brute-forceable; historical), 3DES (deprecated: slow and limited by its 64-bit block size), AES-128/192/256, ChaCha20. Modern deployments use AES-GCM or ChaCha20-Poly1305, which are authenticated-encryption (AEAD) constructions: they protect integrity as well as confidentiality, so no separate MAC step is needed.
Block Cipher Modes
AEAD constructions, which encrypt and authenticate in one pass, are what modern TLS uses: AES-GCM, AES-CCM, and ChaCha20 paired with the Poly1305 authenticator (Poly1305 is a MAC, not a block-cipher mode). The older confidentiality-only modes are discouraged: ECB leaks repeated plaintext blocks and should never be used; CBC as deployed in TLS 1.2 and earlier depends on a separate MAC-then-encrypt step and has a history of padding-oracle attacks; CFB and OFB likewise provide no integrity on their own. TLS 1.3 permits AEAD suites only.
Asymmetric Encryption
Key-pair algorithms include RSA (security rests on integer factorisation), Diffie-Hellman (DH/DHE; discrete logarithms in a prime field) and elliptic-curve cryptography (ECDHE for key agreement, ECDSA for signatures; discrete logarithms on a curve). RSA needs large keys and its private-key operation is slow; ECC gives comparable security with far smaller keys (a 256-bit curve is roughly equivalent to 3072-bit RSA), which is why ECDHE and ECDSA dominate current deployments.
Digest (Hash) Algorithms
Hashes provide integrity verification. A bare hash only detects accidental corruption, since an attacker who changes the data can recompute it; combined with a secret key (HMAC) or a signature it also detects deliberate tampering:
MD5 – 128-bit; collisions are practical, so it is broken for any security use.
SHA-1 – 160-bit; collisions were demonstrated in 2017 and it is deprecated for signatures and certificates.
SHA-2 family (SHA-224, SHA-256, SHA-384, SHA-512) – recommended; TLS 1.2 and 1.3 cipher suites use SHA-256 and SHA-384.
HMAC – combines a hash function (e.g., SHA-256) with a secret key to produce a tag that only a holder of the key can compute or verify. TLS 1.2 CBC suites use it for record integrity, and both TLS 1.2 and 1.3 build their key derivation on it.
Authentication and Digital Signatures
Certificates are issued after a Certificate Signing Request (CSR) containing the public key and identifying information is validated by a CA. The CA signs the certificate, establishing a trusted binding between the public key and the entity.
Three common validation levels exist:
DV (Domain Validation) – lowest trust, verifies domain ownership.
OV (Organization Validation) – verifies organization details.
EV (Extended Validation) – most thorough vetting: the legal identity of the organization is checked against official records. Browsers used to show the organization name in the address bar, but the major browsers removed that indicator in 2019. The validation level changes nothing about the TLS protection itself; a DV certificate secures the connection just as strongly, it only says less about who is behind the domain.
Summary
HTTPS secures HTTP by adding an SSL/TLS layer that provides confidentiality, integrity, and authentication. TLS achieves this through a hybrid of asymmetric key exchange, symmetric bulk encryption, hash‑based integrity checks, and a PKI trust model involving CAs and digitally signed X.509 certificates.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)