What is HTTPS?
- HTTPS is Hypertext Transfer Protocol Secure which is the secure version of the popular HTTP.
Differences between HTTP and HTTPS
There are a few differences
- The data transmission in HTTP is in plain text, while HTTPS provides encrypted data transmission between the client and server.
- In HTTP, since the data being transmitted is in plain text, if someone manages to intercept the packets, they will be able to read them. In contrast, in HTTPS, since the data is encrypted, even if someone manages to intercept it, it will be encrypted and would require a key to decrypt it.
- HTTPS adds extra overhead of encryption and decryption, which can be resource-intensive and slower.
Flow
- The client and browser establish a TCP connection using 3-way handshaking.
- The client sends a “hello” message that contains the necessary encryption algorithms (cipher suites) and the TLS version that it supports. The server responds with a “hello” message indicating that it supports the encryption algorithms and TLS version. The server then sends an SSL certificate to the client that contains the host name, public key expiry dates, etc. The client validates the certificate.
- The client generates a session key and encrypts it with the public key from the certificate. The server decrypts the encrypted session key with the private key.
- Now that the server and client hold the same session key, they can use it to encrypt and decrypt data during transmission. The reason for switching to symmetric encryption is that asymmetric encryption adds a lot of overhead if the client and server session runs longer.
Flow Diagram
