Note

'18.03

HTTPS Explained in 3 Minutes

Or I’m calling Star Platinum.

First things first, let’s talk about symmetric encryption and asymmetric encryption. Symmetric encryption is simple: you use the same key to encrypt and decrypt data, just like using the same key to lock and unlock your front door. Asymmetric encryption, on the other hand, uses two keys: a public key (which can be shared openly) and a private key (which you keep secret). These keys are a pair, and only the corresponding private key can decrypt data encrypted with the public key. Asymmetric encryption takes more time than symmetric encryption.

Why bother with asymmetric encryption if symmetric encryption is simpler?

Because if you use symmetric encryption, the key needs to be transmitted somehow, and someone could intercept it during that initial exchange.

But couldn’t someone swap out the public key during transmission with asymmetric encryption?

Yes, that’s called a man-in-the-middle attack. To prevent this, we have Certificate Authorities (CAs). Basically, a CA issues a certificate that you install on your server. This certificate contains information about your website and a digital signature. This signature is created by hashing your website information and then encrypting it with the CA’s private key. When a client verifies the certificate, they use the public key in the certificate to decrypt the hash and compare it to a hash they generate themselves. If they match, the certificate is valid.

Time’s almost up! So what are the actual steps?

  1. The client initiates an HTTPS request.
  2. The server sends back its CA-issued certificate.
  3. The client receives the certificate and verifies it. If it’s trusted (or the user chooses to trust it), the client generates a random symmetric encryption key (let’s call it Key S) and encrypts it using the public key from the certificate. This encrypted key is then sent to the server.
  4. The server receives the encrypted Key S, decrypts it using its private key, and sends a “ready” message back to the client.
  5. The client and server now communicate securely using Key S for symmetric encryption.
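Here is the whole flow above (the CA signature check from the previous section plus steps 1 to 5) as an added Go example. It is not code from the original post; it builds a constructed PKI (a root CA named root-ca.example that sits in the client's trust store, and a server certificate that CA issued for example.com) and then runs the exchange once with the genuine certificate and once with a self-signed impostor certificate for the same name, which is what a man in the middle would have to hand the client. The concrete algorithms are choices made here, not something the post specifies: RSA-OAEP to wrap Key S, AES-256-GCM for the symmetric channel. The `must` helper, `Setup` and `Handshake` are names invented for this example. One point worth seeing in code: the client checks the CA's signature with the CA public key from its own trust store, and the key it uses to encrypt Key S is the server's public key from the certificate; those are two different keys. (The post describes the RSA key-transport handshake; TLS 1.3 replaced it with an ephemeral Diffie-Hellman exchange, but the trust logic is the same.)

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // unwraps calls that cannot fail on these constructed inputs
	if err != nil {
		panic(err)
	}
	return v
}

// newCert makes an RSA key pair plus a certificate for name, signed by parentKey (the CA) or, when parent is nil, by itself.
func newCert(name string, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name}, // the host name the client checks
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed: the certificate is its own authority
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Setup is the constructed PKI: a root CA in the client's trust store and the server cert that CA issued.
func Setup() (roots *x509.CertPool, server *x509.Certificate, serverKey *rsa.PrivateKey) {
	ca, caKey := newCert("root-ca.example", nil, nil)
	server, serverKey = newCert("example.com", ca, caKey)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return
}

// Step 3, client side: check the CA's signature with the CA public key from the client's own
// trust store, then generate Key S and encrypt it to the server's public key from the certificate.
func clientKeyExchange(roots *x509.CertPool, serverCert *x509.Certificate) (keyS, wrapped []byte, err error) {
	if _, err = serverCert.Verify(x509.VerifyOptions{Roots: roots, DNSName: "example.com"}); err != nil {
		return nil, nil, fmt.Errorf("certificate rejected: %w", err)
	}
	keyS = make([]byte, 32) // AES-256 key
	must(rand.Read(keyS))
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverCert.PublicKey.(*rsa.PublicKey), keyS, nil)
	return keyS, wrapped, err
}

// Step 5: records under Key S with AES-256-GCM; the nonce is prefixed, the tag makes tampering detectable.
func encryptRecord(key, plaintext []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func decryptRecord(key, record []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := gcm.NonceSize(); len(record) >= n {
		return gcm.Open(nil, record[:n], record[n:], nil) // fails on wrong key or tampering
	}
	return nil, fmt.Errorf("record too short")
}

// Handshake runs steps 1-5 end to end and returns what the server decrypted.
func Handshake(roots *x509.CertPool, serverCert *x509.Certificate, serverKey *rsa.PrivateKey, msg string) (string, error) {
	keyS, wrapped, err := clientKeyExchange(roots, serverCert) // steps 1-3
	if err != nil {
		return "", err
	}
	serverKeyS, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverKey, wrapped, nil) // step 4: only the private key unwraps Key S
	if err != nil {
		return "", err
	}
	plain, err := decryptRecord(serverKeyS, encryptRecord(keyS, []byte(msg))) // step 5
	return string(plain), err
}

func main() {
	roots, server, serverKey := Setup()
	fmt.Println(Handshake(roots, server, serverKey, "GET / HTTP/1.1"))
	impostor, impostorKey := newCert("example.com", nil, nil) // not issued by the trusted CA
	fmt.Println(Handshake(roots, impostor, impostorKey, "GET / HTTP/1.1"))
}
```

Running it prints the decrypted request for the CA-issued certificate, while the impostor certificate never gets past step 3: `Verify` fails with an unknown-authority error because no key in the trust store produced its signature, so Key S is never sent. The symmetric half is also why the page's Key S matters: once both sides hold it, every record is authenticated, and a record opened with any other key, or modified in transit, is rejected.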

Why write this when there’s tons of info online?

To jog my goldfish memory in the future, of course! ・゚・(つд`゚)・゚・