eolas/neuron/5b69d72b-62b5-4e7c-a093-2115c3fe6538/HTTPS.md

---
tags: [world-wide-web, internet, encryption, server-management]
created: Friday, December 14, 2024
---

# HTTPS

The problem with standard, unencypted HTTP requests is that the data can be
captured in transit and be observed or modified by malicious actors.

HTTPS is the solution. It encrypts the entirety of the HTTP request and response
(URL, headers, body).

It utilises two types of encryption to send messages securely:

- symmetric encryption
  - a single shared key between client and server to encrypt the messages sent
    between them
- asymmetric encryption
  - two keys are used: a [public key](bbdcb54f_public_key_cryptography.md) to
    encrypt the data and a private key to decrypt it. The public key can be
    shared freely so anyone can encrypt and send data to a peer but only the
    peer can receive and decrypt it

The encryption protocol used is TLS - the **Transport Layer Security Protocol**.
Previously SSL (Secure Sockets Layer) was used but has been deprecated over
security concerns.

## How communication over HTTPs works

- An initial handshake is shared between client and server, agreeing that
  communication will be encrypted. This is public. "Client hello" and "Server
  hello". Some random numbers are exchanged at this point
- The server sends a digital [certificate](Certificate_authorities.md') key
  The client checks that the certificate is valid
- If valid, the client encrypts a string of bytes using the public key and sends
  it to the server. This is called the "premaster secret"
- This is decrypted by the server
- The premaster secret, along with the random bytes from the handshake is then
  used to compute a shared secret key (symmetric) which is used to encrypt all
  subsequent messages for the duration of the session