What is HTTPS?
HTTPS (Hyper Text Transfer Protocol Secure) can be simply explained as HTTP + SSL.
SSL (Secure Socket Layer), also known as TLS (Transport Layer Security), is a cryptographic protocol.
HTTPS in essence is HTTP using SSL for message encryption and decryption.
What is SSL/TLS?
SSL (Secure Socket Layer), also known as TLS (Transport Layer Security), is a protocol that provides secure communication over a network. It uses data encryption to ensure message privacy.
SSL was created in 1994 by Netscape in collaboration with Bank of America, MasterCard, MCI and Silicon Graphics.
SSL provides the following features:
1. Data confidentiality using message encryption
2. Data Integrity
3. Authentication
How is message privacy compromised without HTTPS?
A typical computer network looks like the one shown in the following image:
From the above image, one can see that network traffic from Computer A and Computer B can be traced at the router, at the modem, somewhere along the network path, and at similar components on the other side (i.e. the server side) of the network. The same is true of Computer C.
Someone who has access to a router or switch can see the HTTP communication of the connected computers. This is a serious issue, especially if the communication contains confidential information.
How to provide secure communication?
No one can stop a person who has access to network components like routers or switches from capturing communication data. The only way to provide confidentiality is to encrypt the communication: encrypt messages in such a way that it is very difficult, I would say next to impossible, for someone to get the original information even if the whole communication session has been recorded.
Data confidentiality using message encryption
Encryption is a way to convert plain readable text into an unrecognizable format.
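For example, the word 'INDIA' can be encrypted to '7378687365'. Here each letter is replaced with its associated ASCII value. The encrypted value ('7378687365' in the above case) is known as cipher text, and the encryption algorithm/method is known as a cipher in cryptography.
The example above is very basic and easy to break, but the algorithm used in SSL is very robust and is not easy to break, even with a brute-force attack by the most powerful computing machines available.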
Symmetric encryption and Asymmetric encryption
Symmetric encryption
The example above, under the section 'Data confidentiality using message encryption', is an example of symmetric encryption, where the same key is used for encryption as well as decryption.
Asymmetric encryption
In asymmetric encryption, two keys are used instead of one: one for encryption and the other for decryption. I am not going into detail, but keep in mind that the key used for encryption cannot be used for decryption. Data encrypted this way can only be decrypted using the other, associated key.
Asymmetric encryption is the heart of SSL. It is also known as public key cryptography.
Encrypted communication - which encryption method to use?
1. Symmetric encryption is simple and robust, but the issue is the secrecy of the key. This method is useful only if the client and the server know the key and no one else does.
2. Asymmetric encryption can solve the issue of key secrecy. The idea is simple: the server distributes the encryption key (also known as the public key) to every client and keeps the decryption key (also known as the private key) to itself.
But wait: here encryption is one way, i.e. only client-to-server communication is encrypted. What about server-to-client communication? You might say the server should also encrypt communication using the public key it has, but then the client doesn't have the private key to decrypt the data. How do we solve this? The answer is below.
Combine both algorithms by making the client capable of generating a symmetric key on the fly from some random data. It works as follows:
(a). The server distributes its public key to the requesting client.
(b). The requesting client generates a symmetric key which only it knows.
(c). The client encrypts its symmetric key with the server's public key and hands it over to the server.
(d). Once the server has the client-generated symmetric key, both parties use the symmetric key for further communication.
This is what happens during SSL communication. Try to find any use case: you would not find any way to decipher the client-server communication.
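Steps (a) to (d) as an added Python example, not code from the original article: it runs both sides of the exchange and collects what a recorder on the network path would capture. All function names are hypothetical, and textbook RSA over two small fixed primes plus a SHA-256 keystream are toy stand-ins chosen so it runs with the standard library only.

```python
# Added illustration of steps (a)-(d). Textbook RSA over two small fixed primes
# and a SHA-256 keystream are stand-ins that need only the standard library;
# they are NOT secure and are not the algorithms SSL actually negotiates.
import hashlib
import secrets

# Server key pair (constructed demo values: two Mersenne primes).
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public key: given to every client
D = pow(E, -1, (P - 1) * (Q - 1))        # private key: never leaves the server


def keystream_xor(key: bytes, direction: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: the same key and call both encrypt and decrypt.
    `direction` keeps client->server and server->client keystreams distinct."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + direction + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)


def client_wrap_key(public_key):
    """(b) + (c): make a random symmetric key, encrypt it with the public key."""
    n, e = public_key
    session_key = secrets.token_bytes(16)
    return session_key, pow(int.from_bytes(session_key, "big"), e, n)


def server_unwrap_key(wrapped: int) -> bytes:
    """(d): only the private exponent D recovers the symmetric key."""
    return pow(wrapped, D, N).to_bytes(16, "big")


def run_exchange():
    public_key = (N, E)                                   # (a) sent in the clear
    client_key, wrapped = client_wrap_key(public_key)
    server_key = server_unwrap_key(wrapped)
    request = keystream_xor(client_key, b"c2s", b"GET /account HTTP/1.1")
    reply = keystream_xor(server_key, b"s2c", b"HTTP/1.1 200 OK")
    # Everything a recorder on the network path captures:
    recorded = {"public_key": public_key, "wrapped_key": wrapped,
                "request": request, "reply": reply}
    return client_key, server_key, recorded


if __name__ == "__main__":
    ck, sk, rec = run_exchange()
    print("keys match:", ck == sk)
    print("recorded request:", rec["request"].hex())
```

The sketch takes for granted that the public key in step (a) really belongs to the server; confirming that is the job of the authentication feature listed earlier.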



