Skip to main content

How HTTPS works, Complete flow in an understandable way



There are so many tutorials and explanations on the Internet to show how HTTPS works, but most of them tell half of the story. You may end up with so many questions, like where the certificates fit in? Where is the TCP stuff? How does the encryption works? How the trust works?

So, I made this diagram to fit the pieces of the puzzle together and show you how they all fit in an HTTPS request. Some of the low-level parts I didn't include and also each step in this would be briefed not to confuse anybody and make it short as possible to understand.

Here, the client could be a typical web browser (or even another application whoever can communicate with a website or an API).

Something you have to know before you check the diagram is public, private, and shared keys.
To know this, we have to learn about encryption because we use these keys to encrypt data.

There are two encryption types.

1. Asymmetric encryption aka. public-key encryption
2. Symmetric encryption aka. shared key encryption (sometimes also called private-key encryption too)

Asymmetric encryption 


Asymmetric encryption uses two keys, one is public, the other one is private. The public key, you can share it with anybody, but you will never share the private key. The cool thing about this would be, once you encrypt with either of the keys, you can never decrypt it with the same key. To decrypt it, you have to have the other key.

So somebody encrypts something with his private key and shared it, somebody else can decrypt it with the public key. This allows, somebody, to make sure the authenticity of the encrypted data because in order to decrypt it properly with the public key, it could have been only encrypted by the original sender's private key. So there's no chance somebody tampered the data in the middle.

Symmetric encryption


This is fairly simple as it uses only a single key. Once a key is generated, it has to be shared with two parties. So the same key is used to encryption and decryption.


How HTTPS works

Please note that here we are only talking about a typical scenario where it validates only the server's certificates (One-way SSL). There is another scenario where the server also requires to validate the client's certificate (Two-way SSL), where it will have an extra step to validate the client's certificate from the server-side.

How HTTPS works: Complete flow in an understandable way

How HTTPS works: Complete flow in an understandable way




I tried to simplify this as much as possible and again wanted to have enough information, hope it helps.

You will be able to clearly identify each step if you could use Wireshark and trace an HTTPS request.

By the way, if there are any misinterpretations or anything, please leave a comment.




Comments

Popular posts from this blog

VLC skins

It's been a while from my first blog post, so today I thought to make a blog post about skins in VLC player. I think you all are familiar with VLC player if not, here's the link for the website www.videolan.org/vlc/index.htm l In brief, VLC player is a free and opensource player that can play almost all the types of media formats. Even though it is a such a nice player, it looks kind of old and rusty, like the windows classic look. But you can make it prettier by just adding some new skins to it.  You can download skins for the player from here http://www.videolan.org/vlc/skins.php Then place the downloaded skin file (.vlt file) in the " skin " folder in the installation directory.           eg:- in windows:    C:\Program Files\VideoLAN\VLC\skins           or in linux systems:  ~/.local/share/vlc/skins Then, open the VLC player and go to the preferences. ...

Java, how to create a list with a single element

 I wanted to create a Java List with a single element. Yet, I wanted to add more elements later. So, I was looking for a couple of ways to do this. So far there are multiple elegant ways to create a list with a single element with a one-liner. Not so much for a modifiable list though. Here's what I gathered so far. Followings are a few ways of creating a list with strictly a single entry. Can't add more elements. 1. Collections.singletonList() This returns an immutable list that cannot be modified or add more elements. // An immutable list containing only the specified object. List<String> oneEntryList = Collections. singletonList ( "one" ) ; oneEntryList.add( "two" ) ; // throws UnsupportedOperationException 2.  Arrays.asList() This returns a fixed-size list consisting of the number of elements provided as arguments. The number of elements provided would be an array hence the size is fixed to the length of the array. // Returns a fixed-size list List...

Facebook videos are too loud

Not sure if it is only me, but as of this writing, I find some of the Facebook videos are too loud compared with other websites or players on the machine. Whenever I play a video, I usually turn the volume down. Then whenever there's an ad, it screams in my ears. Same when I play the next video, the former adjusted volume level doesn't stick. This could be a bug in FB, so I even suggested a feature improvement.  As a solution, I found this chrome plugin. Sound and video fixes for Facebook Don't know who developed it, but the dude has fixed one of Facebook's problems, and many thanks to the developer. I might as well help him out as it is an open-source project. No more screaming videos!