HTTP, HTTPS
HyperText Transfer Protocol, HyperText Transfer Protocol Secure
HTTP and HTTPS are both used for communication between two computers, following the client-server model. HTTPS, as you might have guessed, is the secure version.
HTTP and HTTPS sit at the application layer of the Internet protocol suite. They are usually transported over TCP (Transmission Control Protocol), though other transports are possible: HTTP/1.1 and HTTP/2 use TCP, while HTTP/3 uses QUIC (a name, not an acronym).
For any sensitive data, only HTTPS should be used. Google now ranks sites without it lower, so it matters for SEO as well.
TLS
The secure version of HTTP uses TLS (Transport Layer Security). TLS encrypts the HTTP data before handing it to TCP. TLS uses asymmetric public/private key encryption to exchange a symmetric encryption key, which is then used to encrypt all traffic. Symmetric encryption is much faster, so asymmetric encryption is used only for the key exchange.
TLS is used not only with HTTP but also with FTP, SMTP, and other application-layer protocols.
The three-way TCP handshake (SYN, SYN/ACK, ACK) must complete before TLS starts. Once it has, the client sends the server a message stating which TLS protocol version it prefers and which encryption techniques it supports. The key exchange is then carried out, still over TCP.
Key Exchange
After receiving the list of security protocols the client wants to use, the server responds with confirmation of which of them it supports, plus a digital certificate containing its public key. The client checks the certificate against its database of trusted certificate authorities, to make sure it was issued by a trusted provider and is not a fake one. The public key lets the client encrypt data that only the holder of the private key (the server) can unlock. So if the certificate is valid, the client next generates a "pre-master" key, derives its own session key from it, and sends the pre-master key to the server encrypted with the server's public key. The server derives the same key from the pre-master key, and now both sides hold the same symmetric encryption key and can send the latest gossip about the neighbors to each other securely.
The key exchange can use RSA, DH, PSK, SRP, and others for the public/private encryption.
The cipher negotiated in the key exchange for the symmetric encryption varies with the TLS version and with what the client requests. AES GCM, AES CCM, AES CBC, Camellia GCM, ARIA GCM, and ChaCha20-Poly1305 are some of the ones commonly implemented.
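The key-exchange flow described above, as an added example that is not part of the original page: the asymmetric step is a Diffie-Hellman exchange over the 2048-bit MODP group from RFC 3526 (group 14, transcribed here and sanity-checked by group_is_safe_prime(), since a miscopied modulus would silently weaken the exchange), the resulting shared secret plays the role of the pre-master key, and both sides feed it through HKDF-SHA256 to derive the same symmetric session key. Only the two public values and the randoms cross the wire. The message names, the "tls demo session key" label and the 256-bit private exponent size are choices made for this example, not TLS's wire format.

```python
import hashlib
import hmac
import secrets

# RFC 3526 group 14: 2048-bit safe prime P = 2q + 1 with generator 2.
# Transcribed for this example; group_is_safe_prime() verifies the copy.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
G = 2
Q = (P - 1) // 2  # order of the prime-order subgroup generated by G


def is_probable_prime(n, rounds=8):
    """Miller-Rabin with fixed small bases: a sanity check, not a proof."""
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases[:rounds]:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def group_is_safe_prime():
    """True when P and (P-1)/2 both pass the primality check."""
    return P.bit_length() == 2048 and is_probable_prime(P) and is_probable_prime(Q)


class DhParty:
    """One side of the exchange: a private exponent and the public value it sends."""

    def __init__(self):
        # 256-bit exponents are ample for a 2048-bit group (example choice).
        self.private = secrets.randbelow(2 ** 256 - 2) + 2
        self.public = pow(G, self.private, P)

    def shared_secret(self, peer_public):
        """Compute the pre-master secret from the peer's public value."""
        # Reject values outside the group or in a small subgroup; such values
        # would force the secret to one of a handful of predictable numbers.
        if not 1 < peer_public < P - 1 or pow(peer_public, Q, P) != 1:
            raise ValueError("invalid DH public value")
        return pow(peer_public, self.private, P).to_bytes(256, "big")


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) extract-then-expand using SHA-256 from the stdlib."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def handshake():
    """Run the exchange in-process and return (client_key, server_key)."""
    client_random = secrets.token_bytes(32)   # sent in the clear by the client
    server_random = secrets.token_bytes(32)   # sent in the clear by the server
    client, server = DhParty(), DhParty()     # each side keeps its private exponent
    # Public values cross the wire; each side combines the peer's with its own private.
    client_pms = client.shared_secret(server.public)
    server_pms = server.shared_secret(client.public)
    # Both randoms salt the derivation so a replayed exchange yields a fresh key.
    salt = client_random + server_random
    client_key = hkdf_sha256(client_pms, salt, b"tls demo session key")
    server_key = hkdf_sha256(server_pms, salt, b"tls demo session key")
    return client_key, server_key


if __name__ == "__main__":
    ck, sk = handshake()
    print("group ok:", group_is_safe_prime(), "keys match:", ck == sk)
```

Note what the example does not do: nothing here proves who the server is. Without the certificate step from the text, an attacker sitting between the two parties could run this exchange with each of them separately, which is why TLS signs the server's key-exchange values with the key in its certificate.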
Communication
Once both client and server hold the negotiated cipher and key, the HTTP data is encrypted with TLS before being sent over TCP.
Weak point
The weak point here is the certificate-issuing authority. If a certificate authority is compromised, a falsified certificate claiming to be the server could be issued and would be accepted by every client that trusts that authority. Less likely, the authority's private signing key could be stolen and used to sign fake certificates.
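The certificate check the text describes, and one defence against the weak point above, as an added example using Python's standard ssl module (this is not code from the original page). The "database" of trusted issuers is the client's trust store; make_client_context() enforces chain validation, hostname matching and a TLS 1.2 floor, while make_unverified_context() shows the setting that silently accepts any certificate, forged ones included. connect_and_check() additionally compares the server certificate's SHA-256 fingerprint to a pin the operator recorded in advance, so a certificate minted by a compromised authority fails even though it chains to a trusted root. The host name and pin values are placeholders, and the DER bytes in the test are constructed, not a real certificate.

```python
import hashlib
import hmac
import socket
import ssl


def make_client_context():
    """Hardened client context: validate the chain against the trust store,
    check the hostname, and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_unverified_context():
    """The weak setting: no chain or hostname check, so a forged cert passes.
    Shown only for contrast; check_hostname must be cleared before CERT_NONE."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx):
    """Audit helper: does this context actually verify the server?"""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def cert_fingerprint(der_bytes):
    """SHA-256 over the DER-encoded certificate, as a hex string."""
    return hashlib.sha256(der_bytes).hexdigest()


def pin_matches(der_bytes, pinned_hex):
    """Constant-time comparison of the presented cert against the stored pin."""
    return hmac.compare_digest(cert_fingerprint(der_bytes), pinned_hex.lower())


def connect_and_check(host, port, pinned_hex):
    """Open a verified TLS connection and enforce the pin on top of it.
    Needs network access; host and pinned_hex are placeholders to fill in."""
    ctx = make_client_context()
    with socket.create_connection((host, port)) as sock:
        # wrap_socket performs the handshake and the chain/hostname checks.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, pinned_hex):
                raise ssl.SSLError("server certificate does not match pin")
            return tls.version(), cert_fingerprint(der)


if __name__ == "__main__":
    print("default context hardened:", context_is_hardened(make_client_context()))
    print("unverified context hardened:", context_is_hardened(make_unverified_context()))
    # connect_and_check("example.invalid", 443, "<pinned sha256 hex placeholder>")
```

Pinning trades the CA weak point for an operational one: the pin has to be rotated before the certificate is, or clients lock themselves out. Pin a backup key as well, and keep the standard chain validation in place rather than replacing it.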