
How HTTPS works - AndrewDucker
https://howhttps.works/
======
AndrewStephens
I found the layout confusing but stuff like this is desperately needed.
Encryption is a difficult subject but so important to how the Internet
functions; the better people understand the concepts the better decisions they
will make.

I tried to explain how the web browser retrieves a web page (including
HTTPS) in simple terms once; the resulting text quickly got away from me[0] so
I respect the creators of this for trying.

[0]
[https://sheep.horse/2017/10/how_you_are_reading_this_page.html](https://sheep.horse/2017/10/how_you_are_reading_this_page.html)

------
decebalus1
I may very well be an old curmudgeon but am I the only one who doesn't like
all this comic-y cutesy content? They seem to be a rebranded version of the
old `Idiot's guide to X` which were ubiquitous in the '90s. Yes, I'm also
talking about stuff like `Clojure for the brave and true` or `Learn you a X
for the greater good`. Does anyone actually benefit from this content? I look
at it and it seems to be targeted to 10 year olds. Are we as an industry
getting dumber?

For this specific subject, instead of reading about the `adventures of
Certificat, Browserbird, and Compugter` can we just read something like
[https://hpbn.co/transport-layer-security-tls/](https://hpbn.co/transport-layer-security-tls/) ?

~~~
Reedx
> can we just read something like
> [https://hpbn.co/transport-layer-security-tls/](https://hpbn.co/transport-layer-security-tls/) ?

Yep, we have that option and lots of explanations like that already exist.

This is a different approach to explaining the subject. I don't see how that's
a problem. Personally I think they just went overboard with it (to the point
of being distracting), but I get what they're trying to do and appreciate the
effort - even if it's not for me. Kudos I say. Others might find it useful.
Plus it could inspire someone else to explore another approach.

~~~
scrollaway
I mean, the OP's comic is just... really, really hard to read. It's not a
medium problem, it's a layout/font/design problem.

I think GP is just hating on the wrong thing. Comics are fine, and having that
_as well_ as the technical explanations, is fine.

I agree with a commenter further down wrt. the immensely popular "For Dummies"
series which manages to make various complex subjects more accessible. I also
think this type of webcomic can be really well done. Chrome's webcomic springs
to mind:

[https://www.google.com/googlebooks/chrome/big_00.html](https://www.google.com/googlebooks/chrome/big_00.html)

~~~
Reedx
Spot on. A few UX and editing passes would make a world of difference.

------
comboy
OK, cute, but why? Who is the target here? Distraction to content ratio seems
pretty high.

~~~
rockdiesel
>but why?

Content marketing and SEO purposes for the parent company, dnsimple.

------
brink
Why am I having such a hard time remembering that the dog is the computer and
the cat is the certificate while reading this?

~~~
egypturnash
Because it barely spends any time setting that up, for one thing. It would
probably be a bit more memorable if the characters actually said things like
“Hi! I’m Compugter! I sit on your desk or in your lap and talk to the Internet
for you!”; instead there is just a panel with a tiny label floating off to one
side.

Or maybe it should be “Hi! I’m Compugter, I sit in a rack in a puppy farm
somewhere, and talk to the browserbird in your hand or lap or desk”? It really
doesn’t define its terms at _all_ before launching into a description of a
man-in-the-middle attack. This is just not well-written, and no amount of cute
drawings will cover for that, no matter how well done they are.

------
hannob
I skimmed over it and it seems to be a bit dated. The handshake description is
basically a static RSA key exchange. This is deprecated in TLS 1.3 and largely
unused even in older TLS versions, because it's horrible. (I wrote a paper to
show how horrible it is.)

Unfortunately I see this quite often that people are simply not up to date
when it comes to crypto.

~~~
commandlinefan
> I wrote a paper

I'd be curious to read that paper, if you don't mind sharing a link - I
recognize your name from the TLS mailing list, but I don't recall seeing that
paper referenced there, and everything I google is in German...

------
ecesena
Pretty amazing, congrats to the authors.

As a technical person I don’t particularly love privacy = confidentiality, but
I understand the desire to simplify.

If you’re looking for something next, I vote for phishing. We tried to make a
short explanatory video, but it’s not even remotely as cool as this one!
[https://twitter.com/_conorpp/status/1036751355346595840](https://twitter.com/_conorpp/status/1036751355346595840)

------
bradenb
I found this really hard to read. At first I tried to read left-to-right,
top-to-bottom, but then it felt like the "panels" (or lack thereof) were not
lining up. Then I thought "Oh! It must be three columns top-to-bottom" so I
tried that then realized I was missing content and that I was right the first
time.

I'd love to see you lay this out a bit differently. Apart from that, I love
the content. Thanks.

------
lozenge
Self signed certificates do not prove integrity. A crab in the middle can
generate another self signed certificate for the same domain name and your
browser will not know that it isn't the one you expected.

The only workaround is to manually add the certificate to the root store. But
this depends on securely receiving the certificate - say by physically
transferring it from one computer to another by USB stick.
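
An added example, not part of lozenge's comment or the linked comic: two self-signed certificates for the same name look identical by subject and each verifies against itself, so only a fingerprint compared out of band, or the genuine certificate installed as the sole trust anchor, tells them apart. The name `example.test`, the file names and the helper functions are assumptions; the script needs the `openssl` command-line tool.

```shell
#!/bin/sh
# Added demo (constructed): example.test is a placeholder; needs the openssl CLI.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a throwaway self-signed certificate for common name $1 at $2.pem.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

# The name a client sees in the certificate.
subject_of() { openssl x509 -noout -subject -in "$1"; }

# SHA-256 fingerprint: the value to compare over a trusted channel.
fingerprint_of() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Succeeds only if certificate $2 chains to the single trust anchor $1.
trusts() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Two independent key pairs, same claimed name.
make_selfsigned example.test "$WORK/genuine"
make_selfsigned example.test "$WORK/impostor"

for c in genuine impostor; do
    echo "$c: $(subject_of "$WORK/$c.pem")"
    echo "  fingerprint: $(fingerprint_of "$WORK/$c.pem")"
    # Any self-signed certificate verifies against itself, so this proves nothing.
    if trusts "$WORK/$c.pem" "$WORK/$c.pem"; then
        echo "  verifies against itself"
    fi
done

# With the genuine certificate as the only trust anchor, the look-alike fails.
if trusts "$WORK/genuine.pem" "$WORK/impostor.pem"; then
    echo "impostor accepted"
else
    echo "impostor rejected: it does not match the installed certificate"
fi
```
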

------
blr246
A major problem with this is that non-expert users might interpret it to mean
that the "green lock" always means everything is ok. That is dangerous advice
since it's possible to publish a phishing site having proper SSL. Users need
more context than what is offered here to avoid becoming victims of phishing
scams.

I also found the content itself difficult to read in both layout and copy. The
character names were confusing, and I don't think the three concepts of
privacy, integrity, and identity were conveyed in a clear enough sense so that
a non-expert could interpret how those are actually 3 different things.

------
arayh
I like the light-hearted direction taken to explain HTTPS, but I personally
find the narrative difficult to read and follow.

It might be unfair for me to compare the two, but I do like Randall's approach
to explaining Heartbleed [https://xkcd.com/1354/](https://xkcd.com/1354/)
because it feels like it has a better flow.

I'd definitely like to see this idea get expanded upon and improved, so I can
feel confident about forwarding this link to non-technical users who are
interested in learning how the Internet works. I also agree with doing one of
these on phishing.

