What is HTTPS and how do SSL certificates make it secure?

When two parties talk over the internet we have a server and a client (the user's browser). In plain HTTP the client sends a request (for example a GET) to the server and the server sends back a response, and both travel across the network as readable text.

This is simple and easy but not secure: anyone sitting on the path between the two, such as a hostile Wi-Fi access point, a compromised router or the ISP, can read and even modify the traffic. This is called a man-in-the-middle (MITM) attack, and it means whatever you exchange with the server can be seen by the middleman. To prevent this we need to make the communication secure, and the first idea that comes to mind is to encrypt it.

There are two types of encryption: symmetric and asymmetric. When we encrypt data with a key and decrypt it with the same key, that is symmetric encryption (AES is the usual choice). In asymmetric encryption there is a key pair: data encrypted with the public key can only be decrypted with the matching private key (RSA, for example). Asymmetric encryption is not "more secure" than symmetric; it solves a different problem, letting two parties who share no secret set one up. It is also orders of magnitude slower and can only handle small messages, so the bulk of the traffic has to use symmetric encryption.

Let's say the client encrypts data with a symmetric key and sends it to the server. The server can't decrypt it, because it doesn't have the key that was used to encrypt the data.

So we need to get the key to the server before sending the data. But if we send the key over the wire as it is, the attacker can keep a copy and decrypt everything that is transferred from then on. To share the key from client to server without the attacker getting a copy, we first use asymmetric encryption. Let's see how.

At first the server has a public and a private key. The server sends the public key to the client (the attacker can keep a copy of this as well; that is fine, it is public). The client then generates the key that will be used to encrypt the communication data, encrypts this key using the server's public key, and sends it to the server. Only the server can decrypt it, because only the server has the private key. Now both client and server have the symmetric key and can use symmetric encryption for the rest of the session. The attacker has only the encrypted key sent by the client and the public key sent by the server, and neither helps. (This is the RSA key-exchange model of TLS 1.2 and earlier; TLS 1.3 instead derives the session key with an ephemeral Diffie-Hellman exchange, so that a private key stolen later cannot decrypt recorded traffic, but the role of the certificate, covered below, is the same.)

This is how encryption makes the communication confidential. But there is still a way for an attacker to get in the middle. Let's understand how.

The attacker sits between client and server. When the server sends its public key, the attacker keeps it and forwards the attacker's own public key to the client instead. The client, believing this is the server's key, encrypts its symmetric key with it; the attacker decrypts that with its own private key, learns the symmetric key, and then sends its own encrypted key on to the real server using the server's genuine public key. The attacker is now a proxy holding two sessions: the client thinks the attacker is the server, because that is where the public key came from, and the server thinks the attacker is the client, because that is where the encrypted key came from. The whole attack works because the client accepted the attacker's public key as the server's, and nothing in the exchange so far lets it tell the two apart.

This is where SSL/TLS certificates and Certificate Authorities (CAs) come into play. The server generates its key pair and sends the public key, together with the domain name it wants the certificate for, to a CA such as Let's Encrypt (this bundle is called a certificate signing request). Before issuing anything the CA checks that the requester actually controls that domain; Let's Encrypt does this automatically by asking the server to publish a challenge token over HTTP or in DNS. The CA then creates a certificate containing the domain, the server's public key, a validity period and the CA's name, and signs it with the CA's own private key. Note what is signed with what: the server's public key is inside the certificate, and the signature over it is made with the CA's private key, never with a public key.

The server sends this certificate to the client during the handshake (the public key travels inside it; it is not sent separately). The client does not go and fetch the CA's public key at that point: browsers and operating systems ship with a trust store of root CA certificates, so the CA's public key is already on the client. The client uses that public key to verify the CA's signature on the certificate, checks that the domain in the certificate matches the host it connected to, and checks that the certificate has not expired; the server additionally proves during the handshake that it holds the private key matching the certified public key. If all of this passes, the client knows the public key really belongs to the server for that domain.

The attacker can still substitute its own public key, but it cannot present a valid certificate for the victim's domain: the CA will not sign one because the attacker cannot pass the domain-control check, and a certificate the attacker signs itself fails verification because its signature was not made by a trusted CA. The browser then shows a certificate warning instead of silently proceeding. With the server's genuine public key established, the client encrypts the symmetric key so that only the server can decrypt it, and the rest of the session runs under symmetric encryption.
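The issuance and verification steps above, as an added example in Go that is not part of the original post. A self-signed root CA stands in for Let's Encrypt and for the client's built-in trust store, the CA issues a certificate for the assumed name example.com, and the client then checks three things: the genuine certificate, a self-signed certificate an attacker made for the same name, and the genuine certificate presented for a different (assumed) host. P-256 keys are used for speed; the domain-control check a real CA performs before signing is not modelled here, only the signature and name checks the client performs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds the certificate skeleton for one name. Fixed serial numbers
// are fine only because this is an offline demonstration.
func template(serial int64, name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name} // the domain the issuer is vouching for
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign has the holder of issuerKey certify that pub belongs to tmpl. When
// issuer == tmpl the result is self-signed: anyone can produce one of those.
func sign(tmpl, issuer *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ClientVerify is the browser's check: a signature chain ending in a root the
// client already trusts, and a name matching the host it actually asked for.
func ClientVerify(roots *x509.CertPool, leaf *x509.Certificate, domain string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   domain,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Scenario builds a root CA, a server whose key the CA certified for the
// assumed domain example.com, and an attacker with a key pair but no CA
// signature, then reports which certificates the client accepts.
func Scenario() (genuineOK, attackerOK, wrongNameOK bool, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	caTmpl := template(1, "Example Root CA", true)
	caCert, err := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	if err != nil {
		return false, false, false, err
	}
	roots := x509.NewCertPool() // stands in for the client's built-in trust store
	roots.AddCert(caCert)
	serverKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	// The CA signs (domain, server public key) with the CA's private key.
	serverCert, err := sign(template(2, "example.com", false), caCert, &serverKey.PublicKey, caKey)
	if err != nil {
		return false, false, false, err
	}
	attackerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	// The attacker can only sign with its own key; no trusted CA vouches for it.
	attackerTmpl := template(3, "example.com", false)
	attackerCert, err := sign(attackerTmpl, attackerTmpl, &attackerKey.PublicKey, attackerKey)
	if err != nil {
		return false, false, false, err
	}
	genuineOK = ClientVerify(roots, serverCert, "example.com") == nil
	attackerOK = ClientVerify(roots, attackerCert, "example.com") == nil
	wrongNameOK = ClientVerify(roots, serverCert, "login.example.net") == nil // assumed other host
	return genuineOK, attackerOK, wrongNameOK, nil
}

func main() {
	fmt.Println(Scenario()) // true false false <nil>
}
```

The two rejections come from different checks: the attacker's certificate fails because no root in the pool signed it, and the wrong-name case fails even though the signature is perfectly valid, because the CA vouched for example.com and nothing else. Both checks have to pass before a browser will trust the public key it was handed.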


Huge thanks to Piyush Garg for his detailed explanation on this topic. Link to his video : https://youtu.be/0yw-z6f7Mb4?si=iStkcRR2zpXFJsHR


Written by Viraj Vijaykumar Dalave

I am a student learning DevOps and Cloud Computing. My blogs and articles are primarily a platform for me to post whatever I am learning. My passion for explaining things in simple words also makes me use this platform as a way to teach fellow learners if possible. I would love to receive feedback from most people coming across my articles.