HTTPS and TLS
~280 words ยท 2 min read
Why HTTPS?
Plain HTTP sends data in the clear โ anyone on the path can read it. HTTPS wraps HTTP in TLS (Transport Layer Security), giving you three things:
- Encryption โ the data is unreadable to eavesdroppers.
- Authentication โ you're really talking to the site you think.
- Integrity โ the data can't be silently altered in transit.
The TLS handshake
Before any HTTP flows, client and server perform a handshake:
- Client Hello โ the browser sends supported ciphers and a random value.
- Server Hello โ the server picks a cipher, sends its certificate and a random value.
- Key exchange โ both sides derive a shared secret.
- Finished โ encrypted communication begins.
The handshake mixes asymmetric crypto (to safely agree on a secret) with symmetric crypto (to encrypt the bulk traffic, which is far faster).
Symmetric vs asymmetric
- Symmetric โ one shared key encrypts and decrypts. Fast, but both sides must already have the key.
- Asymmetric โ a public/private key pair. What one encrypts, only the other can decrypt. Slow, but solves the key-sharing problem.
Certificates and authorities
A certificate binds a public key to a domain name. A Certificate Authority (CA) is a trusted third party that signs that binding. Your browser trusts a CA, the CA vouches for the site, so you can trust the site's key.
Let's Encrypt
Historically, certs cost money. Let's Encrypt is a free, automated CA that made HTTPS ubiquitous โ it issues certs via a scriptable protocol, so servers renew them automatically.