โ† Networking Fundamentals

HTTPS and TLS

~280 words ยท 2 min read

Why HTTPS?

Plain HTTP sends data in the clear โ€” anyone on the path can read it. HTTPS wraps HTTP in TLS (Transport Layer Security), giving you three things:

  • Encryption โ€” the data is unreadable to eavesdroppers.
  • Authentication โ€” you're really talking to the site you think.
  • Integrity โ€” the data can't be silently altered in transit.

The TLS handshake

Before any HTTP flows, client and server perform a handshake:

  1. Client Hello โ€” the browser sends supported ciphers and a random value.
  2. Server Hello โ€” the server picks a cipher, sends its certificate and a random value.
  3. Key exchange โ€” both sides derive a shared secret.
  4. Finished โ€” encrypted communication begins.
The handshake mixes asymmetric crypto (to safely agree on a secret) with symmetric crypto (to encrypt the bulk traffic, which is far faster).

Symmetric vs asymmetric

  • Symmetric โ€” one shared key encrypts and decrypts. Fast, but both sides must already have the key.
  • Asymmetric โ€” a public/private key pair. What one encrypts, only the other can decrypt. Slow, but solves the key-sharing problem.

Certificates and authorities

A certificate binds a public key to a domain name. A Certificate Authority (CA) is a trusted third party that signs that binding. Your browser trusts a CA, the CA vouches for the site, so you can trust the site's key.

Let's Encrypt

Historically, certs cost money. Let's Encrypt is a free, automated CA that made HTTPS ubiquitous โ€” it issues certs via a scriptable protocol, so servers renew them automatically.