Why HTTPS Matters: 9 Key Questions Answered

This article explains the fundamentals of HTTPS, covering why encryption is needed, how symmetric and asymmetric cryptography work together, the role of certificates and public‑key infrastructure, and the performance impact of the TLS handshake, all through a concise Q&A format.


Q1: What is HTTPS?

HTTPS is HTTP made secure: it encrypts the normally plaintext HTTP traffic so that it can be transmitted safely. The final "S" stands for SSL/TLS, a layer that sits between HTTP and the TCP/IP layer.

Q2: What does "secure transmission" mean?

Secure transmission has three aspects:

1. The client and server communicate directly, without eavesdropping.
2. Only the intended parties can understand the data; a third party who intercepts it cannot decipher its meaning.
3. The client and server must be able to detect whether the data has been altered.

Unfortunately, the original HTTP protocol satisfies none of these requirements.

Q3: Isn't it exhausting to meet all these requirements?

No. The third requirement can be set aside for now, because in practice it is covered by the first: a proper encryption mechanism prevents a third party from interfering with or forging the traffic. Once the encryption principle is understood, we can go back and check that "no third party can impersonate the server".

Q4: How is the information encrypted?

Symmetric encryption is used. It is a reversible transformation of the original data, e.g., shifting each letter by one ("Hello" becomes "Ifmmp" with a key of 1). The server and client share this symmetric key.

Introducing symmetric encryption adds two steps to the HTTPS handshake to exchange the symmetric key.

Q5: How is the symmetric key transmitted?

Transmitting the symmetric key in plaintext is unsafe because an eavesdropper could read all subsequent communication. Therefore, asymmetric encryption is employed: the client generates the symmetric key, encrypts it with the server’s public key, and sends it.
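The key-exchange sequence from Q4 and Q5, as an added Go example that is not part of the original article and uses only the Go standard library: the client generates a 256-bit symmetric key, encrypts it to the server's RSA public key with RSA-OAEP, the server recovers it with its private key, and both sides then protect an HTTP request with AES-GCM. The request text, the host name and the OAEP label are constructed for this example; AES-GCM stands in for the letter-shift illustration above and, unlike it, also detects a modified record.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// oaepLabel ties the wrapped key to this purpose; both sides must use the same
// value. The label text is constructed for this example.
var oaepLabel = []byte("symmetric-key-transport")

// ClientKeyExchange is the client side of Q5: pick a fresh 256-bit symmetric
// key and encrypt it to the server's public key with RSA-OAEP. Anyone who
// intercepts `wrapped` holds only the public key and cannot unwrap it.
func ClientKeyExchange(serverPub *rsa.PublicKey) (symKey, wrapped []byte, err error) {
	symKey = make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, symKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, symKey, oaepLabel)
	return symKey, wrapped, err
}

// ServerUnwrapKey is the server side: only the private key recovers the symmetric key.
func ServerUnwrapKey(serverPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, wrapped, oaepLabel)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one application record (an HTTP request, say) under the shared
// symmetric key. AES-GCM also authenticates the record, which is the
// tamper-detection requirement of Q2: a modified record fails in Open.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce prefixed to ciphertext
}

// Open decrypts a record produced by Seal and rejects a tampered one.
func Open(key, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, errors.New("record too short")
	}
	return gcm.Open(nil, record[:gcm.NonceSize()], record[gcm.NonceSize():], nil)
}

// Exchange runs the sequence end to end: the server's key pair exists first,
// the client wraps a symmetric key to the public half, the server unwraps it,
// and one encrypted request crosses the wire. Returns what the server read.
func Exchange(request string) (string, error) {
	serverPriv, err := rsa.GenerateKey(rand.Reader, 2048) // public half goes in the certificate
	if err != nil {
		return "", err
	}
	clientKey, wrapped, err := ClientKeyExchange(&serverPriv.PublicKey)
	if err != nil {
		return "", err
	}
	serverKey, err := ServerUnwrapKey(serverPriv, wrapped) // wrapped crossed the wire
	if err != nil {
		return "", err
	}
	record, err := Seal(clientKey, []byte(request)) // record crosses the wire
	if err != nil {
		return "", err
	}
	plain, err := Open(serverKey, record)
	return string(plain), err
}

func main() {
	got, err := Exchange("GET /account HTTP/1.1\r\nHost: shop.example\r\n\r\n")
	fmt.Printf("server read %q, err=%v\n", got, err)
}
```

The asymmetric operation happens exactly once, on the 32-byte key; every later record uses the fast symmetric cipher, which is the cost split that Q9 relies on. Real TLS adds a random nonce per record the same way, and modern versions derive the key from an ephemeral key agreement rather than encrypting a client-chosen key, but the division of labour between the two kinds of cryptography is the same.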

Q6: How is the public key transmitted?

Each server obtains a certificate from a trusted Certificate Authority (CA). The certificate contains the server’s public key encrypted with the CA’s private key. Clients use the CA’s public key (pre‑installed in operating systems or browsers) to verify and decrypt the server’s public key.

Q7: How can we know the certificate hasn’t been tampered with?

The certificate’s hash value is sent together with the certificate. Because a third party cannot modify the data without breaking the hash, any alteration is detected during verification.

Q8: Does this prevent a third party from impersonating the server?

Yes. The server’s signed certificate cannot be forged without the CA’s private key, and the client validates the certificate using the trusted CA public key. If an attacker tries a man‑in‑the‑middle attack, they would need a valid certificate signed by a trusted CA, which is highly unlikely.
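The three certificate questions above (how the public key reaches the client, how tampering is detected, and why a third party cannot impersonate the server), as an added Go example that is not part of the original article. It uses the standard library's crypto/x509 to build a hypothetical trusted CA and a hypothetical imposter CA, issues a server certificate for a constructed host name from each, flips one bit inside the genuine certificate, and reports which of the three a client that trusts only the first CA accepts. The CA names and host name are constructed; the CA's private-key operation here is an ECDSA signature over the SHA-256 hash of the certificate body, which is the concrete form of the hash-plus-signature check the article describes.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// identity pairs a private key with its parsed certificate.
type identity struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// issue generates a fresh key pair and a certificate for name. Without a parent
// it makes a self-signed root CA (the key the client ships with); with one it
// makes a server certificate for host name `name` signed by that parent. Key
// generation cannot realistically fail here, so errors are treated as fatal.
func issue(name string, parent *identity) *identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		signerCert, signerKey = parent.cert, parent.key
		tmpl.DNSNames = []string{name}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &identity{key: key, cert: cert}
}

// clientVerify does what a browser does with a presented certificate: chains
// it to a pre-installed root and checks that the name matches the host visited.
func clientVerify(presented, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Outcome records the client's decision for each presented certificate.
type Outcome struct {
	GenuineAccepted  bool // issued by the CA the client trusts
	TamperedRejected bool // one bit of the signed body changed
	ImposterRejected bool // same host name, signed by a CA the client does not trust
}

// RunScenario builds a trusted CA and an imposter CA, issues a certificate for
// host from each, and records what a client trusting only the first one decides.
func RunScenario(host string) Outcome {
	trusted := issue("Trusted Root CA", nil)
	genuine := issue(host, trusted)
	out := Outcome{GenuineAccepted: clientVerify(genuine.cert, trusted.cert, host) == nil}

	// Tampering: flip one bit of the host name inside the signed body. It still
	// parses, but the signature over its hash no longer matches (a parse failure counts too).
	raw := append([]byte(nil), genuine.cert.Raw...)
	raw[bytes.Index(raw, []byte(host))] ^= 0x01
	tampered, perr := x509.ParseCertificate(raw)
	out.TamperedRejected = perr != nil || clientVerify(tampered, trusted.cert, host) != nil

	// Impersonation: the imposter CA can sign a certificate for the same host,
	// but the client never held its public key, so the chain ends in an unknown authority.
	forged := issue(host, issue("Imposter CA", nil))
	var unknown x509.UnknownAuthorityError
	out.ImposterRejected = errors.As(clientVerify(forged.cert, trusted.cert, host), &unknown)
	return out
}

func main() {
	fmt.Println(RunScenario("shop.example")) // host name constructed for the example
}
```

The decisive step is the root pool handed to Verify: the client accepts only chains that end in a public key it already holds. That is why the security of the whole scheme rests on which CA keys ship in the operating system or browser, and why a compromise of any one of those CA private keys is treated as a serious incident.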

Q9: Does the HTTPS handshake affect performance?

HTTPS adds some latency due to the extra TLS handshake and certificate verification, but the cost is acceptable. Symmetric encryption/decryption is fast, and subsequent connections can resume previous sessions, reducing overhead. Moreover, HTTPS also negotiates HTTP/2 compatibility, which can improve overall performance.

Conclusion

The nine questions above provide a solid foundation for newcomers to understand HTTPS. Further exploration is needed for platform‑specific details, such as iOS implementations.

This article originates from JianShu. Link: www.jianshu.com/p/072a657337ae
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: TLS, Web Security, HTTPS, SSL
Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
