
How HTTPS works – Explained in layman terms - animeshg
https://medium.com/@animeshgaitonde/how-https-works-part-1-building-blocks-64f9915b1f39
======
BrandoElFollito
A random hacker is not likely to intercept your HTTP message. They would need
to be on the way between your browser and the target site.

A more realistic case is an enterprise network or an ISP.

~~~
bagol
Yeah. My ISP is doing exactly that. HTML pages over HTTP are injected with
some javascript code. Sadly, it's the only ISP available in the entire
country.

~~~
BrandoElFollito
A solution is to go through a VPN; they will see a steady stream of encrypted
data.

~~~
speedgoose
It's just pushing the problem. Now you need to trust the VPN.

~~~
isalmon
Right, but when it comes to VPN, as opposed to ISP, you have hundreds of
choices, so you can pick one that you can trust.

------
newscracker
Some minor points. I’ve not seen HTTPS written as HTTPs before. It stands for
Hypertext Transfer Protocol Secure, and is not the plural of HTTP (one HTTP,
two HTTPs, three HTTPs, etc.).

The proper name for certificates is TLS certificates, even though many people
still use the word SSL for it (which refers to a deprecated protocol that’s
not used anymore). It’s fine to use SSL, but omitting TLS isn’t a good idea.

~~~
animeshg
Ack. I will rectify HTTPS to HTTPs. While writing I had the same doubt.

It's TLS certificate now. In the next article, I'll be adding a small note on
the history of SSL to TLS.

------
pvtmert
Hi there. The image named 'Asymmetric Key encryption' seems wrong. You may
want to fix it.

E.g. it contradicts the Wikipedia article:
[https://en.wikipedia.org/wiki/Public-key_cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography)

~~~
animeshg
Thanks Buddy. I have corrected it.

------
genry
Just to clarify, encryption happens with the public key and decryption with
the private.

~~~
tialaramex
This probably doesn't help because in practice that's not how it's done at
all.

For a modern HTTPS connection what happens is that two participants use a Key
Agreement process which results in them both knowing a random secret that
nobody else knows. This secret is _ephemeral_ which means once the connection
closes they'll both forget what it was.

They both use this shared secret to choose the same several _symmetric_ keys
and use those keys to encrypt (and decrypt) the actual HTTP traffic.

For HTTPS in particular the main asymmetric cryptography is used for
signatures, proof that this is really news.ycombinator.com for example. Your
web browser doesn't encrypt messages to news.ycombinator.com but after Key
Agreement happens the server will send a message proving it participated in
this agreement you've just done, signed using its private key, and your
browser uses the public key to check that this is a genuine signature.
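
The flow described in the comment above, as an added Go sketch (not part of the original thread or the linked article): two ephemeral key shares, a shared secret, a derived symmetric key, and a server signature that the client checks against the key shares it actually saw. X25519, Ed25519, the `deriveKey` and `handshake` names, and the HMAC-based derivation (a simplified stand-in for the TLS 1.3 key schedule) are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// deriveKey turns the shared secret into a labelled symmetric key.
// Simplified stand-in for the TLS 1.3 HKDF key schedule (assumption).
func deriveKey(secret []byte, label string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(label))
	return m.Sum(nil)
}

// handshake runs one key agreement and reports whether both ends derived
// the same key and whether the server's signature verified. With tamper set,
// the client receives a substituted key share instead of the server's.
func handshake(tamper bool) (keysMatch, sigOK bool) {
	curve := ecdh.X25519()
	certPub, certPriv, _ := ed25519.GenerateKey(rand.Reader) // long-term identity key
	cli, _ := curve.GenerateKey(rand.Reader)                 // ephemeral, forgotten after use
	srv, _ := curve.GenerateKey(rand.Reader)                 // ephemeral, forgotten after use
	// The server signs the key shares it received and sent.
	transcript := append(cli.PublicKey().Bytes(), srv.PublicKey().Bytes()...)
	sig := ed25519.Sign(certPriv, transcript)
	seen := srv.PublicKey() // server key share as it arrives at the client
	if tamper {
		other, _ := curve.GenerateKey(rand.Reader)
		seen = other.PublicKey()
	}
	cliSecret, _ := cli.ECDH(seen)
	srvSecret, _ := srv.ECDH(cli.PublicKey())
	keysMatch = bytes.Equal(deriveKey(cliSecret, "traffic"), deriveKey(srvSecret, "traffic"))
	// The client verifies the signature over the transcript as it saw it.
	clientView := append(cli.PublicKey().Bytes(), seen.Bytes()...)
	sigOK = ed25519.Verify(certPub, clientView, sig)
	return
}

func main() {
	fmt.Println(handshake(false)) // true true
	fmt.Println(handshake(true))  // false false
}
```

In the tampered run the signature check fails because the server never signed the substituted key share, which is why the client aborts before any HTTP data is sent.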

------
Waterluvian
If trying to speak to the layperson I think lines like this can be misleading:

"When you are sending a message over HTTP, anyone on the network can see what
message is being sent. Further, anyone can intercept the message, modify it
and send it to the server."

To me a network is a graph of clients and servers and peers. I.e., nodes on your
graph that your message doesn't visit. The above sentence suggests that those
peer nodes can somehow grab your message on its way and modify it, even if
your message isn't routing through that node.

Or maybe that is actually the case?

~~~
newscracker
Peer nodes on a local network can see all messages, even those not addressed
to them, since the common model is broadcasting packets and selectively
processing them on each client and ignoring packets intended for others (in
promiscuous mode, one can capture packets in the local network from all
devices, but those packets may or may not contain encrypted data). I’m not
sure about modifying the read packets and sending them across though — that
would require a more sophisticated attack on the gateway or router and the
sending device, in my understanding, which means it’s no longer a peer but an
interceptor sitting in between.

~~~
abhishekjha
Wouldn’t a packet be destined from router to only one client having the
internal IP address of that client? In this case other peers on the same
network won’t know if any communication happened between the router and that
peer. Same for when a node sends packets to the gateway.

~~~
newscracker
No, that’s not how local networks work. Whether wired Ethernet or wireless
with WiFi/Bluetooth, every packet sent from one device or from the
router/gateway is seen by every other device in the same network (the same
router or gateway boundary). By default, devices choose to act only on the
packets addressed to them, and ignore the others. This is why using HTTP (not
HTTPS) on a public WiFi network is a risk because everyone else around, if
they want to, can sniff and read all the packets and know what exactly you’re
up to.

------
mcny
It is amazing to me that the Air India website doesn't use HTTPS. What is
going on there?

~~~
dan1234
It looks like the site is just static content. The login/register form goes
off to a different domain which is TLS secured.

~~~
Wingy
But the attacker could alter the static site to use HTTP on the login/register
form.

------
seemslegit
Why should the layman care about how HTTPS works?

~~~
animeshg
The article is not for the layman but for beginners who are interested in
knowing the internals of HTTPS. The explanation is in layman terms. You can
find plenty of literature on https online but it's not necessary you would
grasp everything in a blink of an eye.

~~~
seemslegit
Let's be honest here, the article is to demonstrate that you have some grasp
of how https works.

In particular the statement "They confirm the identity of the certificate
owner & provide proof that a certificate is valid." is dangerously misleading
for the "layman" as the basic HTTPS certificate issuance does not involve any
sort of owner identity confirmation, just that whoever requested the
certificate had control of the DNS record for that domain at the time of the
request.

~~~
animeshg
Thanks for the feedback, I'll find ways to simplify this & explain it in lucid
terms so that readers don't find it difficult to comprehend.

