[How HTTPS works Part 1 — Building Blocks] HTTPS 的工作方式第 1 部分-基本構造塊

astaxie發表於2020-02-16

Introduction

Have you ever wondered what happens when you type any URL in the browser? Why few websites are on HTTPS while others on HTTP? When you purchase anything online using your credit card, how does a website ensure that your sensitive information is not leaked? Same applies to the case when you enter login Id and password on any social media website.

In this article, I’ll be elaborating basic working of HTTP, its disadvantages and the basic building blocks of HTTPS. In the next article, I’ll be explaining the internals of https, SSL handshake & clear confusion between SSL, TLS & HTTPs.

Working of HTTP

When you type any URL in the browser, the browser acts like a client & the website behaves like a server. The client uses HTTP protocol and fetches information from the server. The server returns an HTML page which the browser then renders and displays it to the user. Following is an overview of the process:-

To get more clarity, you can use the curl command to observe what request the client sends and how the server responds. Curl is a command-line utility and works similar to a browser (except rendering the HTML)

Let’s run the command — curl -X GET ‘https://airindia.com' -v

You will see the following output:-

As you can see, the IP Address of the website was first resolved and then an HTTP request was sent by the client. Following is the HTTP request sent:-

> GET / HTTP/1.1
> Host: airindia.com
> User-Agent: curl/7.58.0
> Accept: */*

Disadvantages of HTTP

Message Integrity: When you are sending a message over HTTP, anyone on the network can see what message is being sent. Further, anyone can intercept the message, modify it and send it to the server. For eg:- If you are chatting with your friend & sending a message “Hey, you are smart”, someone can modify the message and send “Hey, you are an idiot”.
Confidentiality: If you are shopping online (HTTP website) and paying using credit card details, a hacker on the network can observe all the sensitive details sent to the website. The hacker can use your sensitive information and steal your money.
Authenticity: A browser must validate the identity of any website & trust it. For eg:- On foreign trips, Airport officials ask you for your passport to verify that it’s you and not someone else. Here, passport acts like an identity. To trust a website it must present an identity to the client. In HTTP communication, this is not possible. On entering URL of an HTTP website in the browser, you will see the following warning in the address bar:-

HTTPs & its building blocks

HTTPs is secure HTTP. HTTPs guarantees that communication that takes place over HTTP is encrypted. It overcomes the disadvantages of the HTTP mentioned above. To understand HTTPs, we will first need to understand how encryption works.

Encryption algorithms are of two types:

Symmetric key encryption: In this scheme, only one key is used to encrypt and decrypt information. The sender and receiver both must have access to the key to process the information.
Asymmetric Key encryption: In this algorithm, a pair of keys is generated. Both the keys are mathematically linked. One of the keys is called the private key and the other key is the public key. Information can be encrypted using the public key and decrypted through the private key. The receiver must share its public key with the sender. The sender then encrypts the message using the public key & receiver uses the private key to decrypt it. To ensure that no one on the network modifies the message, HTTPs uses Message Authentication Code (MAC).
Message Authentication Code: An extra piece of information known as MAC is sent along with the message to ensure message authentication. The sender uses Symmetric-key and the message to generate the MAC. Once the receiver receives the message, it will use the same symmetric-key & extracted message to generate a MAC. Further, the receiver will compare the MAC sent by the sender and the one it generated. If there is a mismatch, then it means the message got tampered mid-way. Following diagram illustrates the process of generating & verifying MAC.

As discussed before, the browser also needs to validate the identity of the website. In the internet world, identification means that the site client is visiting is indeed the one it thinks it is. HTTPs uses SSL certificates for identification. These SSL certificates are issued by Certificate Authorities or CAs and have validity. Let’s see who is a Certificate Authority & how it works.

Certificate Authority: These are third party organizations who issue certificates to different websites. They confirm the identity of the certificate owner & provide proof that a certificate is valid. All https websites have certificates. You can click the lock icon in the address bar to view the CA who has issued the certificate. Let’s see for medium.com who is the Certificate Authority.

It can be seen from above that connection to medium.com is secure. DigiCert is the certificate authority who has provided certificates to this website. You can find information about medium.com and also the Issuer (DigiCert) in the above image.