Skip to main content

How HTTPS works, Complete flow in an understandable way



There are so many tutorials and explanations on the Internet to show how HTTPS works, but most of them tell half of the story. You may end up with so many questions, like where the certificates fit in? Where is the TCP stuff? How does the encryption works? How the trust works?

So, I made this diagram to fit the pieces of the puzzle together and show you how they all fit in an HTTPS request. Some of the low-level parts I didn't include and also each step in this would be briefed not to confuse anybody and make it short as possible to understand.

Here, the client could be a typical web browser (or even another application whoever can communicate with a website or an API).

Something you have to know before you check the diagram is public, private, and shared keys.
To know this, we have to learn about encryption because we use these keys to encrypt data.

There are two encryption types.

1. Asymmetric encryption aka. public-key encryption
2. Symmetric encryption aka. shared key encryption (sometimes also called private-key encryption too)

Asymmetric encryption 


Asymmetric encryption uses two keys, one is public, the other one is private. The public key, you can share it with anybody, but you will never share the private key. The cool thing about this would be, once you encrypt with either of the keys, you can never decrypt it with the same key. To decrypt it, you have to have the other key.

So somebody encrypts something with his private key and shared it, somebody else can decrypt it with the public key. This allows, somebody, to make sure the authenticity of the encrypted data because in order to decrypt it properly with the public key, it could have been only encrypted by the original sender's private key. So there's no chance somebody tampered the data in the middle.

Symmetric encryption


This is fairly simple as it uses only a single key. Once a key is generated, it has to be shared with two parties. So the same key is used to encryption and decryption.


How HTTPS works

Please note that here we are only talking about a typical scenario where it validates only the server's certificates (One-way SSL). There is another scenario where the server also requires to validate the client's certificate (Two-way SSL), where it will have an extra step to validate the client's certificate from the server-side.

How HTTPS works: Complete flow in an understandable way

How HTTPS works: Complete flow in an understandable way




I tried to simplify this as much as possible and again wanted to have enough information, hope it helps.

You will be able to clearly identify each step if you could use Wireshark and trace an HTTPS request.

By the way, if there are any misinterpretations or anything, please leave a comment.




Comments

Popular posts from this blog

Install Docker on Windows 11 with WSL Ubuntu 22.04

This is to install Docker within Ubuntu WSL without using the Windows Docker application. Follow the below steps. Install Ubuntu 22.04 WSL 1. Enable Windows Subsystem for Linux and Virtual Machine platform Go to Control Panel -> Programs -> Programs and Features -> Turn Windows features on or off 2. Switch to WSL 2 Open Powershell and type in the below command. wsl --set-default-version 2 If you don't have WSL 2, download the latest WSL 2 package and install it.  3. Install Ubuntu Open Microsoft Store and search for Ubuntu. Select the version you intend to install. I'd use the latest LTS version Ubuntu 22.04. Click on the Get button. It will take a couple of minutes to download and install. 4. Open up the installed Ubuntu version that was installed. If you get an error like the below image, make sure to install the WSL2 Kernel update .  If it's an older Ubuntu version the error message would be something like the image below. Error: WSL 2 requires an update to its ...

How to fix SSLHandshakeException PKIX path building failed in Java

TL ; DR 1. Extract the public certificate of the website/API that you are trying to connect from your Java application. Steps are mentioned in this post 2. Use the Java keytool to install the extracted certificate into the "cacerts" file (Trust store) keytool -import -trustcacerts -alias <domain name> -file <public certificate>.cert -keystore /path_to_java_home/jre/lib/security/cacerts -storepass changeit 3. Restart your Java application Exception A typical exception stack trace would look like below. javax.net.ssl. SSLHandshakeException : sun.security.validator.ValidatorException: PKIX path building failed : sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) at sun.security.ssl.Handshake...

Automatically open Chrome developer tools in a new tab

Sometimes we need to check the console or the network transactions of a link that opens up in a new tab. By default, the Chrome developer tools are not opening in a new tab. So, by the time when we hit F12 and open the dev tools, part of the information we needed could be already gone.  There's a setting in dev tools where you can keep the dev tools open automatically in a new tab. To enable that, hit F12 and open up the dev tools. Click on the settings icon in the top right corner. In the Preferences section, scroll down to the bottom. You'll be able to find the option to Auto-open DevTools for popups. Select the checkbox and we're good to go!