What is HTTPS?

Posted by Darwin Biler on June 20, 2012

You see it every time you use Facebook, but I bet you have little or no idea what HTTPS is for.

Some of you might say, "it simply makes my Facebook secure".

Well, that is a correct answer, but secure from what? In what way is it secured? Those, I guess, are the answers most users don't understand.

There are a bunch of articles written about HTTPS, SSL, internet security and such, but they are all filled with jargon that only computer security experts are able to understand.

This time, I will present the same topic to you with less jargon and fewer funky words, in a way that is easy to understand without knowing the technicalities.

To start with, let me tell you a story of two people trying to send messages to each other.

Bob and Alice

So Bob and Alice are good friends; they love to talk and exchange messages. One day, they want to talk about a certain thing while making sure they are the only ones who can hear, read, and know about it.

What Bob did is, he sent his message with password protection. Then he told Alice the password so that she could open the message once she received it.

So Alice received both the password and the message, and she responded to that message using the same password and sent her reply back to Bob.

Bob was very happy upon receiving the response, since he was now able to communicate with Alice while preventing other people from knowing what they were talking about (that is because only Bob and Alice know the password).

Until one day, one of the naughty guys in their neighborhood happened to make Bob tell him the password. All their messages were then exposed, and they both needed to change the password so that the public wouldn't sneak on their messages anymore. They did this very often, changing the passwords, and it worked for a week, until...

Bob kept sending messages, but Alice said she wasn't receiving any messages from Bob; instead, she said Bob had sent her a message saying he didn't want to be friends with her anymore. Bob started scratching his head, confused about what had happened. Then he found out that someone had tricked him: someone pretended to be Alice, thus receiving both the password and the messages and exposing their messages to the public again; in the same way, the guy also pretended to be Bob and sent Alice messages which Bob never really sent.

Then, after long hours of thinking, Bob devised a plan. He thought: what if he could encrypt those messages using a set of particular "keys": one to encrypt the message and one to read the message (two keys in total)? He could just give the "key to read the message" to Alice, while keeping the "key to encrypt the message" with him and securing it in a very secret place.

That way, if only Bob has the "key to encrypt the message" (we will call it the private key), then Alice is sure that the message she is reading came from Bob and not from somebody else who happened to know the password.

Likewise, since Bob only gave the "key to read the message" (we will call it the public key) to Alice and nobody else, he knows that only Alice can read his messages, even if the password they are using is stolen by someone else.

Now the question is this: since the public key is a critical file for this scheme to work, Alice needs to make sure that the public key she received is really from Bob.

Thus, Bob's solution led to another problem: how to make sure that the public key presented was really from Bob and not from somebody else pretending to be Bob?

After some time, they came up with an idea: what if they ask another trusted person who can vouch that this public key is really from Bob? In this case, the third person should know Bob very well, and he should issue a certificate to serve as proof that it is indeed Bob.

Now, Bob passes the public key to Alice again, along with a certificate from a person whom they both trust.

At this point you will notice 3 things:
1. messages are encrypted when they are passed from Bob to Alice and vice versa
2. Alice is now sure that it is Bob she is exchanging messages with
3. Bob is now sure that it is Alice he is exchanging messages with

It is quite a secure connection now between Bob and Alice!

BUT, not so fast.
Think about this: given the security in place, what if the physical wire or the signal on which the message is being sent is altered by someone else along the way?

The message would still appear to be a valid message from Alice or Bob. But if someone altered it as it passed along the wires, then the message is compromised.

The solution to this is that, along with the message Alice sends, she also includes a "message digest" or signature of that message.

To understand this, you can think of it as a fingerprint of each message. No two messages have the same "message digest".

The usefulness of this to our story is that, for Bob and Alice to be assured that the messages they send to each other were not modified along the way, one can simply compute the digest of the message itself and compare it to the digest sent by the sender.

If the message was modified along the way, the digests would not match, since no two different messages can have the same exact fingerprint or digest.
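As an added illustration (not code from the original post) of both the two-key scheme from the story and the digest check just described: Bob's private key transforms the message fingerprint, Alice's copy of his public key undoes it, and either a change to the message on the wire or a signature made with the wrong key fails the check. The key pair uses textbook-sized toy primes, an assumption chosen only to keep the numbers visible, and the messages are constructed samples.

```python
import hashlib

# Toy RSA key pair built from textbook primes so the arithmetic stays readable
# (assumption: real HTTPS keys are thousands of bits; these values are illustrative only).
P, Q = 61, 53
N = P * Q                           # 3233: the modulus both keys share
E = 17                              # public exponent, the "key to read" Bob hands Alice
D = pow(E, -1, (P - 1) * (Q - 1))   # 2753: private exponent, the "key to encrypt" Bob keeps secret


def digest(message: bytes) -> bytes:
    """The message 'fingerprint' from the story: the SHA-256 digest of the message."""
    return hashlib.sha256(message).digest()


def sign(message: bytes, private_exp: int = D) -> list[int]:
    """Bob transforms every byte of the digest with his private key.
    Only the matching public key turns these numbers back into the digest."""
    return [pow(b, private_exp, N) for b in digest(message)]


def verify(message: bytes, signature: list[int], public_exp: int = E) -> bool:
    """Alice undoes the transformation with Bob's public key and compares the
    recovered digest with the fingerprint of the message she actually received."""
    if len(signature) != hashlib.sha256().digest_size:
        return False
    recovered = [pow(s, public_exp, N) for s in signature]
    if any(v > 255 for v in recovered):     # wrong key: values no longer look like digest bytes
        return False
    return bytes(recovered) == digest(message)


def demo() -> dict:
    """Constructed sample exchange: a genuine message, a copy altered in transit,
    and a signature made by someone who holds only the public key."""
    original = b"Hi Alice, let's meet at 6"           # constructed sample message
    signature = sign(original)
    tampered = b"Hi Alice, let's meet at 9"           # one character changed on the wire
    forged = sign(original, private_exp=E)            # impostor without Bob's private key
    return {
        "genuine": verify(original, signature),        # True
        "tampered": verify(tampered, signature),       # False: fingerprint no longer matches
        "forged": verify(original, forged),            # False: produced with the wrong key
    }


if __name__ == "__main__":
    print(demo())
```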

Going back to our story, you can now see these security measures:

1. messages are encrypted when they are passed from Bob to Alice and vice versa
2. Alice is now sure that it is Bob she is exchanging messages with
3. Bob is now sure that it is Alice he is exchanging messages with
4. messages are ensured not to be tampered with or modified along the way

Bob and Alice then lived happily ever after.

Now, if you are still with me:
if you analyze the story, the communication between Bob and Alice is actually what happens between your browser and the Facebook server.

HTTPS communication means:
- the data you are viewing and posting to the Facebook server is encrypted
- a digital certificate was issued to Facebook by a Certificate Authority to ensure that you are indeed communicating with the real Facebook server rather than a fake site
- a public key was installed in your browser to ensure that you are actually the one who posts data to your account and not a hacker
- each piece of data sent back and forth is checked by Facebook for its integrity, to ensure that it was not tampered with along the way

And that is the secret of how HTTPS works at the most basic level. In reality, it is more complex than that, but that is the most basic concept behind it.
