KIM COMPUTER


HTTPS (Hypertext Transfer Protocol Secure)

HTTPS is the secure version of HTTP. It is a communication protocol used to encrypt and authenticate data communication between a web server and a client (browser) by adding a security layer (SSL/TLS). This is why a website's URL begins with https instead of http.


1. Composition and Role of HTTPS

HTTPS is a combination of two protocols:

$$\mathbf{HTTPS} = \mathbf{HTTP} \quad + \quad \mathbf{SSL/TLS}$$

① HTTP (Hypertext Transfer Protocol)

The protocol responsible for transferring the actual data (HTML, images, JSON, etc.).

② SSL/TLS (Secure Sockets Layer/Transport Layer Security)

The security layer responsible for encrypting the data and verifying the server's identity. (TLS is the modern successor to the older SSL protocol.)

2. The Three Security Principles of HTTPS (CIA Triad)

HTTPS ensures all three fundamental security goals during communication:

| Principle | Role | Achieving Technology |
| --- | --- | --- |
| Confidentiality | Encrypts the data so it cannot be read if intercepted | Symmetric Encryption (AES) |
| Integrity | Verifies that the data has not been altered during transmission | Hashing Functions (SHA) |
| Authentication | Proves the server is legitimate via the SSL/TLS certificate | Asymmetric Encryption (RSA) and CA signature |

3. Working Principle: The SSL/TLS Handshake

The handshake is the initial process where the client and server authenticate each other and securely exchange the encryption keys.

  1. Client Hello: The browser sends a message requesting to start SSL/TLS communication.
  2. Server Hello (Cert Send): The server responds with its SSL/TLS Certificate (including its Public Key).
  3. Client Verification: The browser verifies the certificate against trusted CA (Certificate Authority) lists to authenticate the server's identity.
  4. Key Exchange: The browser and server securely generate and exchange a Symmetric Key using Asymmetric Encryption (like RSA or Diffie-Hellman) together with the Public Key found in the certificate.
  5. Encrypted Communication: They switch to the fast Symmetric Key to encrypt and decrypt the HTTP data, beginning a secure and efficient connection.