
High Level Overview of HTTPS, SSL/TLS, SSL Certificates

Lyght 24

What is HTTP?

Before we talk about SSL/TLS and certificates, we must first understand what HTTP is and what role it plays when we are surfing the Internet. HTTP is short for HyperText Transport Protocol. Simply put, this protocol is the most basic way for browsers and websites to communicate on the Internet. It's basic in the sense that it only looks to establish a connection and nothing more. As a result, you as a user can surf the web as much as you like, for as long as there is a connection. However, there's something to take into account here, and that's the lack of security. As previously stated, HTTP just establishes and maintains communication; it does nothing else. This probably won't bother you if you don't worry about the possibility of your information being passed in clear text: information such as usernames, passwords, addresses, credit card information, etc. The lack of security also wouldn't matter if we lived in a utopia where things like crime didn't exist. However, this is not the world we live in. There are malicious Internet users out there who eavesdrop on communications hoping to find sensitive data they can use for their own ends. So let's imagine you're browsing to yourbankofchoice.com using an HTTP connection (i.e. http://www.yourbankofchoice.com). You won't see it, but on the back end a series of messages is being sent back and forth between your browser and the website to establish a connection for communication, all of which takes place before you even see the page load.

Now let's say your connection is established and you're communicating back and forth with the bank's website via your browser, while, unbeknownst to you, a malicious third party is eavesdropping on the communication. They're opening up and reading these messages as they travel between your browser and the bank's website. The malicious user is able to read all the information in clear text, whether sensitive or not, because there is no level of security during the establishment of the communication. This is what it means to use only HTTP. Of course, no one likes to be eavesdropped on. In real life, if I wanted to have a private conversation with someone while other people were around, I'd try to add a layer of protection around my conversation with them. This would come in the form of either taking the other person to a different room and conversing there, or speaking in such a manner that it would be difficult for anyone eavesdropping to understand what the conversation is about. This level of security is what's needed in addition to HTTP.

HTTPS and How It Differs from HTTP

So if HTTP means HyperText Transport Protocol, then HTTPS means HyperText Transport Protocol Secure. What is the level of security, you may ask? Well, let's go back to the understanding that HTTP establishes a basic, insecure communication between browser and website. What we want to do instead is first establish a secure connection before we even begin to communicate with the site. To understand what I mean, let's go back to the real life scenario. If I want to have a conversation with someone where I am sharing sensitive information, before I even start talking to them I would first set up an environment to have the conversation. That means I would probably pull the person aside, go to another location, etc. What I'm doing here is creating a level of security in order to communicate. HTTPS does the same thing. It first establishes a secure connection and then passes data through it. This is done via the SSL/TLS protocols.

HTTPS = HTTP + SSL/TLS

HTTP is the connection, SSL/TLS is the added level of security onto that connection. Therefore, HTTP works in tandem with SSL (Secure Socket Layer) or TLS (Transport Layer Security) protocols to establish secure communication. HTTPS is nothing more than HTTP combined with SSL/TLS (HTTP + SSL/TLS = HTTPS) in order to provide users with a more secure way of communicating with websites. One way browsers and websites establish secure communications via SSL/TLS protocols is through SSL Certificates. [Quick note here for future reference — SSL is used interchangeably with TLS, however TLS has replaced SSL when it comes to encryption and I’ll talk about why in later posts, but I’ll keep referring to both for now.]

SSL Certificates and How They Work

When you're online filling out forms and applications or making transactions, you're not concerned whether or not your browser itself is secure. You as a customer are more concerned with whether or not the website you're connecting to is secure. There are several reasons why that is, but here are the two main reasons I've concluded: 1. The company is more than likely asking you for personal information (such as your address, SSN, birth date, etc.) and not the other way around. There's a sort of unwritten rule in life that suggests if you ask for private information, you had better be in a position to keep it private. Which leads to reason number 2. Because the company is asking for personal information, it's their responsibility to protect the communication between you and them as best they can. That being said, the company should have something in place to keep that information private, or at least enable a secure form of communication, because the customer is not in a position to do it. As a result, many companies and organizations add SSL certificates to their websites to ensure secure transactions and communications.

The company's SSL Certificate initiates a secure session between the company and the customer's browser via the SSL/TLS protocol through a multi-step process. Before we walk through this process, there are a few things to keep in mind:

The browser is the middleman you need in order to communicate with whatever website you want to go to. It's the "let my people talk to your people, and then we'll meet" guy in the situation. However, the browser doesn't have the intelligence to distinguish whether or not a site is legitimate without first establishing some level of identity.

SSL Certificates contain the following information:

Domain Name the certificate was issued to

The organization/person/device it was issued to

Certificate Authority (CA) digital signature

Associated subdomains

Certificate issue date (because it doesn’t need to be expired)

Expiration date

Public key — used to encrypt and decrypt data (NOTE: All of the above information is important to know for security purposes. I will talk later about why that is in other posts.)

Lastly, in order to read data that's encrypted (meaning data jumbled up so that no one other than the person it was intended for can read it), the data needs to be decrypted. It's like having a secret code that only you and one other person know. Both parties need to be able to encrypt and decrypt the information so that both parties are able to read the data. The encryption and decryption is done through private and public keys.

With those three in mind, let’s jump into SSL Certificates and how they work. Keep in mind, this is a VERY high level overview of how it works.

So as stated before, we want a secure connection between our browser and the website to ensure our information isn't blatantly being read by some malicious, eavesdropping third party waiting for their next victim. So you, the customer, attempt to connect to yourbankofchoice.com via an HTTPS connection (https://www.yourbankofchoice.com). During this time, your browser makes a request for a connection (HTTP) to the website (or really the web server which is hosting the website). In its request, it asks for some form of identity. The browser is basically asking the server, "are you this site?" and in response, the server says, "yeah, here's some identification to verify that." The server then provides the browser with a copy of its SSL Certificate, which includes the public key (remember, this is needed to encrypt and decrypt data). The browser then checks the SSL Certificate using its list of Certificate Authorities (a list of reputable certificates) to ensure the names match up, make sure the certificate isn't expired, etc. Once the certificate is trusted, the browser then sends a message back to the website encrypted using the website's public key (found in the SSL Certificate). It's basically a final test to see if the browser and website can actually pass data back and forth through encryption/decryption. The website (web server) decrypts, reads and acknowledges the message and then returns it to the browser with a stamp of approval (digital signature) and establishes the SSL/TLS connection.
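The certificate fields listed above and the "names match up, not expired" checks described in this paragraph, as an added example that is not part of the original post: a small Python function that applies the hostname and validity-period checks to a certificate in the dictionary format Python's standard `ssl` module returns from `getpeercert()`. The certificate values are constructed for the example, and the CA signature check (which a real TLS library performs before these checks) is assumed to have been done elsewhere.

```python
import ssl
import time

# Constructed sample certificate in the shape returned by ssl.SSLSocket.getpeercert();
# all names and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.yourbankofchoice.com"),),),
    "issuer": ((("organizationName", "Example Certificate Authority"),),),
    "subjectAltName": (
        ("DNS", "www.yourbankofchoice.com"),          # domain it was issued to
        ("DNS", "yourbankofchoice.com"),              # associated names
        ("DNS", "*.app.yourbankofchoice.com"),        # wildcard for one subdomain level
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",          # issue date
    "notAfter": "Dec 31 23:59:59 2024 GMT",           # expiration date
}


def _name_matches(pattern, hostname):
    """Match one DNS name from the certificate against the requested hostname.
    A '*' counts only as the whole leftmost label and matches exactly one label,
    so '*.app.example.com' matches 'x.app.example.com' but not 'y.x.app.example.com'."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def check_certificate(cert, hostname, now=None):
    """Return a list of problems found; an empty list means the checks passed.
    'now' is a Unix timestamp (defaults to the current time) so results are reproducible."""
    problems = []
    now = time.time() if now is None else now
    # Prefer the subjectAltName DNS entries; fall back to the subject CN only if there are none.
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(_name_matches(n, hostname) for n in names):
        problems.append("name mismatch: %r not covered by %s" % (hostname, names))
    # ssl.cert_time_to_seconds parses the GMT date strings into Unix timestamps.
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired")
    return problems
```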

This is all happening during the HTTP connection. Remember, HTTP is the communication channel used between the browser and the website. SSL/TLS works on top of the established connection. It's like having an open slide (HTTP) with a cover on top of it (SSL/TLS). Again, all this is happening before you see the website load, so none of your information is being passed at this time, just the messages between browser and website. As you can see above, HTTPS has more steps than HTTP in terms of establishing a connection. However, these steps are necessary when trying to establish a secure form of communication.

This was a high level overview of how HTTPS, SSL/TLS and SSL Certificates work. There’s a lot of detail that happens at a lower level when it comes to establishing these secure connections. But hopefully this summary will give you a better understanding as to why you as a consumer should use HTTPS especially when sending sensitive information.