HTTP vs HTTPS
The only thing I knew about HTTPS was that it encrypts the data sent between client and server.
Every time I read about HTTPS, the same prerequisites are suggested for understanding it:
- Asymmetric (private key, public key) / symmetric encryption
- SSL, certificates, Certificate Authority (CA)
- TLS handshake
- Man-in-the-middle (MITM) attack
My problem is that I seem to understand those prerequisites, but I have no idea why or where each of them is used in HTTPS.
For now, let's forget all of them. The one prerequisite I would like you to know before looking at HTTPS is HTTP (any other resource will explain its meaning clearly; once you understand what HTTP is, HTTPS is almost done for you).
First of all, by standard convention port 80 is reserved for HTTP and port 443 is reserved for HTTPS.
HTTPS is HTTP made secure by encrypting the communication with a symmetric key (client and server hold the same key, used to encrypt before sending and to decrypt on receipt). The question is how client and server can end up with the same key without a MITM learning it.
The process that creates that symmetric key is called the TLS handshake (TLS: Transport Layer Security). Let's focus on the details in the image below:
After understanding HTTPS, you may have some questions about it:
- Why use a symmetric key (shouldn't the server's public key alone be enough)? Symmetric encryption and decryption is much faster than asymmetric. Note that an asymmetric key is still used in the TLS handshake: when the server sends string2 to the client, it also attaches its public key, which the client uses to encrypt string3 before sending it back to the server, so that a MITM cannot read it.
- Why not just use string3 (the pre-master secret) as the key? Is it necessary to combine all three strings just to create a new key? ??? (I don't know either)
- Where is the asymmetric key used? It is used in the TLS handshake when sending string3 (the pre-master secret). In this step the client uses the public key it received from the server when the server sent string2 together with the SSL certificate (containing the public key).
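To make the "three strings" step concrete, here is an added example (editor's code, not from the article) that carries out the TLS 1.2 key derivation of RFC 5246 with only the Python standard library: the pre-master secret (string3) is mixed with the client random and the server random through the HMAC-SHA256 based PRF to produce the master secret, which is then expanded into the symmetric write keys. The mapping of string1 to the client random is an assumption, and the RSA encryption of string3 under the server's public key is deliberately not modelled; running it with a different server random shows that the same pre-master secret yields different keys, which is what the randoms contribute.

```python
import hashlib
import hmac
import secrets


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """RFC 5246 P_SHA256: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret: PRF(pre_master, "master secret", client_random + server_random)."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def derive_keys(pre_master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Key block for TLS_RSA_WITH_AES_128_CBC_SHA256: two 32-byte MAC keys, two 16-byte AES keys.
    Key expansion seeds with server_random + client_random (reversed order, per RFC 5246 6.3)."""
    master = master_secret(pre_master, client_random, server_random)
    block = prf(master, b"key expansion", server_random + client_random, 96)
    return {
        "master_secret": master,
        "client_write_MAC_key": block[0:32],
        "server_write_MAC_key": block[32:64],
        "client_write_key": block[64:80],
        "server_write_key": block[80:96],
    }


def simulate_handshake() -> tuple:
    """Constructed run: string1 (assumed client random), string2 (server random) and
    string3 (pre-master secret; in real TLS it travels RSA-encrypted to the server).
    Both sides derive from the same three strings and must obtain identical keys."""
    string1 = secrets.token_bytes(32)
    string2 = secrets.token_bytes(32)
    string3 = secrets.token_bytes(48)
    client_keys = derive_keys(string3, string1, string2)  # computed by the client
    server_keys = derive_keys(string3, string1, string2)  # computed by the server after decrypting string3
    return client_keys, server_keys


if __name__ == "__main__":
    c, s = simulate_handshake()
    print("client and server keys match:", c == s)
```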
WARNING: I am a lazy one. This article is not properly backed by official evidence or enough research on this topic, so I don't recommend using it as a reference without your own verification. Anyway, it could be a good brainstorm and brief to get some idea before reading a more reliable one. Please let me know if anything I have listed is incorrect. Enjoy.