
What makes HTTPS secured?

Subham Mohapatra
November 09, 2020

If you have ever made a website, you must have come across the HTTP vs. HTTPS conundrum. Have you ever wondered why an "S" at the end is so important? Why does Google make a fuss about it while ranking your site? Why do browsers show an ugly warning to your visitors before they can even see your site?

All of that is because the "S" at the end adds a lot of value to your website. The "S" offers protection and privacy or, as one would say, "SECURITY". In fact, the "S" stands for "secure" in the acronym.

Hmmm.. But what makes HTTPS secure?

Today we will be discussing:

1. How does HTTPS offer "secured" connections?
2. What are SSL and TLS?
3. Who provides SSL Certificates?
4. What is the difference between free SSL Certificates and paid SSL Certificates?

In the early days of the internet, only a small portion of data was encrypted. The reason was that most of the data on the internet back then was meant for public consumption, with big companies flaunting their products and services.

But the tide started to change when people became more concerned about their personal information, such as their residential address, credit card information, etc. Hence there was a need for encryption on the web.

The original idea was to add encryption at the application level and send encrypted HTTP packets. The problem was that a lot of traffic on the internet is transferred via non-HTTP protocols like WS (WebSockets), SSH, FTP, etc. So a suggestion was made to add the layer of encryption below the application layer, whose protocol may or may not be HTTP, but above the transport layer, so that decryption works on data already ordered by the transport layer below.

In the 1990s, Netscape Navigator came up with SSL1 for internal use, followed by SSL2, which was released to the public.

Later, SSL3 was released in 1996. It was eventually replaced in 1999 by TLS1 (Transport Layer Security), which the IETF adopted as a web standard with minor changes. As of today (8th of November 2020), we are using TLS1.3.

Finocontrol uses TLS1.2, but we will be updating it to TLS1.3 soon.

Okay, that's enough for the history lesson. We still don't know how HTTPS or TLS works.

For any form of encrypted communication to happen between two devices, they must agree on two things: the cipher and the key. Sounds fancy, doesn't it?

Well, the cipher is just a function with two arguments, f(x,k), and the key is the secret second argument used for encryption (the "k" in the cipher function). Both the function f and the key k must be known to derive x from f(x,k).

So what is "x" then? "x" is the data you need to send encrypted, or in our case the HTTP packet. The problem is that someone might be listening to (sniffing) the data packets you are sending over the internet.

You wouldn't want that person to get your credit card details, so you should always encrypt the data with the cipher and send the encrypted data.

The most significant phase in establishing secure connections using HTTPS is the TLS Handshake. Here both the client and server agree on a key and a cipher they will be using. The problem is that you can't just send the key and the cipher over the internet either, because someone might sniff those as well.

During the handshake process, the client sends the cipher and the key. However, the key is transferred using the Diffie-Hellman key exchange algorithm or by using RSA encryption.

Once both the client and server have the same key, they can pass encrypted data and decrypt it on the other end.

So what is the role of Certificates and RSA Certification Authority?

The Diffie-Hellman algorithm is not widely used. RSA is much more popular at the moment. Unlike Diffie-Hellman, where a single key is used for encryption and decryption, RSA encryption uses a private and public key pair. A key encrypted with the RSA public key can be decrypted only with the corresponding private key.

During the handshake process, the client sends a request to the server. The server responds with its public key. Finally, the client encrypts its secret key ("k") with the public key and sends it back to the server, which can decrypt it with its private key. Now that both client and server have the same secret key ("k"), they can send encrypted messages back and forth.

But a hacker may intercept the message from the server and replace the public key with his own. Therefore, the client must somehow authenticate the public key from the server. Certification Authorities are third-party organizations that verify your public key against your domain.
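The RSA key transport and the Certification Authority check described above, as an added toy example (not code from the original post): textbook RSA on small constructed primes, with a SHA-256 XOR keystream standing in for f(x,k). The domain `shop.example` and all function names are assumptions, and the key sizes are far too small for real use.

```python
import hashlib
import secrets

def keygen(p, q, e=65537):
    """Textbook RSA key pair (toy primes, no padding): returns (public, private)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def binding(domain, pub, n):
    """Hash tying a domain to a public key, reduced below the CA modulus n."""
    data = f"{domain}|{pub[0]}|{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def ca_sign(ca_priv, domain, pub):
    return pow(binding(domain, pub, ca_priv[0]), ca_priv[1], ca_priv[0])

def ca_verify(ca_pub, domain, pub, sig):
    return pow(sig, ca_pub[1], ca_pub[0]) == binding(domain, pub, ca_pub[0])

def f(x, k):
    """The article's f(x, k) as a toy XOR stream cipher: f(f(x, k), k) == x."""
    stream, counter = b"", 0
    while len(stream) < len(x):
        block = k.to_bytes(32, "big") + counter.to_bytes(4, "big")
        stream += hashlib.sha256(block).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(x, stream))

def client_hello(ca_pub, domain, offered_pub, sig):
    """Client side: verify the offered key, then wrap a fresh secret k with it."""
    if not ca_verify(ca_pub, domain, offered_pub, sig):
        return None  # key not vouched for by the CA: send nothing
    k = secrets.randbelow(offered_pub[0] - 2) + 2
    return k, pow(k, offered_pub[1], offered_pub[0])  # (kept secret, sent on wire)

def server_unwrap(server_priv, wrapped):
    """Server side: recover k with the private key."""
    return pow(wrapped, server_priv[1], server_priv[0])

# Constructed toy keys built from small Mersenne primes; real keys are 2048+ bits.
CA_PUB, CA_PRIV = keygen(2**89 - 1, 2**107 - 1)
SRV_PUB, SRV_PRIV = keygen(2**61 - 1, 2**127 - 1)
MITM_PUB, _ = keygen(2**31 - 1, 2**61 - 1)        # key swapped in on the path
CERT = ca_sign(CA_PRIV, "shop.example", SRV_PUB)  # hypothetical domain

if __name__ == "__main__":
    k, wrapped = client_hello(CA_PUB, "shop.example", SRV_PUB, CERT)
    secret = f(b"GET /checkout HTTP/1.1", k)
    print(f(secret, server_unwrap(SRV_PRIV, wrapped)))           # server reads request
    print(client_hello(CA_PUB, "shop.example", MITM_PUB, CERT))  # None: aborted
```

Only `wrapped` and the output of `f` ever cross the network; the substituted key fails `ca_verify` because the CA's signature covers the domain and the genuine public key together.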

So yeah, as you might have guessed by now, free certificates are as good as paid ones.

Next time we will discuss in detail how the RSA and Diffie-Hellman algorithms work and how they differ from each other, what an RSA certificate chain is, and much more.

Stay tuned to finocontrol for more exciting content!!!

credits

knowledgebooster
