Skip to content

Instantly share code, notes, and snippets.

@sidd-kulk

sidd-kulk/https.md

Created April 28, 2025 10:31
Show Gist options
  • Save sidd-kulk/c942f85224ab2a755432d9dc15230746 to your computer and use it in GitHub Desktop.
Save sidd-kulk/c942f85224ab2a755432d9dc15230746 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
https.md

Okay, let's break down this diagram of the HTTPS process step-by-step from the perspective of a security and network software engineer.

HTTPS stands for Hypertext Transfer Protocol Secure. It's essentially the standard HTTP protocol layered on top of a secure channel created using the TLS (Transport Layer Security) or its predecessor SSL (Secure Sockets Layer) protocol. The diagram provides a good, albeit simplified, overview of establishing this secure channel and using it.

Here's a detailed explanation of each stage shown:

## 1. TCP Handshake

  • Purpose: Before any secure communication (TLS/SSL) can happen, a reliable network connection needs to be established between the client (e.g., your browser) and the server (the website's server). HTTPS uses TCP (Transmission Control Protocol) for this reliability.
  • Steps:
    • Client -> Server: TCP SYN: The client initiates the connection by sending a TCP segment with the SYN (Synchronize) flag set. This packet includes an initial sequence number.
    • Server -> Client: TCP SYN + ACK: The server receives the SYN, allocates resources for the connection, and responds with a TCP segment that has both the SYN flag set (with its own initial sequence number) and the ACK (Acknowledge) flag set. The ACK acknowledges the client's initial SYN.
    • Client -> Server: TCP ACK: The client receives the server's SYN+ACK and sends back a final ACK segment, acknowledging the server's SYN.
  • Outcome: A stable, reliable, bidirectional TCP connection is established. Data can now be sent, but it's not yet encrypted or authenticated.

## 2. Certificate Check (Beginning of the TLS Handshake)

  • Purpose: This phase initiates the secure session setup. The client and server agree on cryptographic parameters, and critically, the server proves its identity to the client.

  • Steps:

    • Client -> Server: Client Hello: The client sends its first TLS message. It typically includes:
      • The highest TLS protocol version it supports.
      • A list of cryptographic cipher suites it supports (combinations of algorithms for key exchange, bulk encryption, and message authentication).
      • A random number (client_random) used later in key generation.
      • Optionally, compression methods and extensions (like SNI - Server Name Indication, which allows the client to specify which hostname it's trying to reach, crucial for servers hosting multiple sites on one IP).
    • Server -> Client: Server Hello: The server responds, choosing the parameters for the session from the client's offered list:
      • The selected TLS protocol version.
      • The chosen cipher suite from the client's list.
      • The server's own random number (server_random).
    • Server -> Client: Certificate: This is a crucial step for authentication. The server sends its digital certificate (usually in X.509 format). This certificate contains:
      • The server's domain name.
      • The server's public key.
      • Information about the server owner.
      • A digital signature from a trusted Certificate Authority (CA).
    • Client-Side Verification (Critical step, not explicitly shown but implied by "Certificate Check"): The client performs several vital checks on the received certificate:
      • Trust: Does it trust the CA that signed the certificate? (Browsers/OS have a list of trusted root CAs).
      • Validity: Is the certificate within its valid date range? Has it been revoked? (May involve OCSP or CRL checks).
      • Hostname Match: Does the domain name in the certificate match the domain name the client intended to connect to? (Prevents man-in-the-middle attacks).
    • Server -> Client: Server Hello Done: The server indicates it has finished sending its initial set of handshake messages.

  • Encryption Highlighted: The diagram correctly points to Asymmetric Encryption principles here. The server's certificate contains its public key, which is part of the asymmetric key pair. This public key will be used by the client in the next step (Key Exchange) to encrypt something only the server (with its private key) can decrypt, or it's used to verify signatures in other key exchange methods (like Diffie-Hellman).

## 3. Key Exchange (Completing the TLS Handshake)

  • Purpose: The client and server now securely establish a shared secret key (the session key) that will be used for efficient symmetric encryption of the actual application data.

  • Steps:

    • Client -> Server: Client Key Exchange: The content of this message depends heavily on the chosen cipher suite.
      • If using RSA key exchange (implied by the diagram's simplicity): The client generates a pre-master secret, encrypts it using the server's public key (from the certificate), and sends the encrypted pre-master secret to the server. Only the server, possessing the corresponding private key, can decrypt this.
      • If using Diffie-Hellman (e.g., DHE, ECDHE - more common for Perfect Forward Secrecy): The client sends its own Diffie-Hellman public parameters. The pre-master secret is then calculated independently by both sides using their own private keys and the other party's public parameters. (Note: In this case, the server might also send a Server Key Exchange message earlier).
    • Derivation of Session Keys (Implied Step): Both the client and server now possess the client_random, server_random, and the (now shared) pre-master secret. They use a Pseudo-Random Function (PRF) specified by the TLS protocol to independently derive the same master secret, and from that, the actual session keys (symmetric keys for encryption and keys for message authentication - MAC keys). Typically, separate keys are derived for client-to-server and server-to-client communication.
    • Client -> Server: Change Cipher Spec: A signal (not an encrypted message itself) indicating that the client is switching to using the newly negotiated cipher suite and keys. All subsequent messages from the client will be encrypted.
    • Client -> Server: Finished: The first encrypted message from the client. It contains a hash or MAC of all preceding handshake messages. This verifies that the handshake has not been tampered with and that both parties successfully calculated the same keys.
    • Server -> Client: Change Cipher Spec: The server signals it is now switching to encryption using the negotiated session keys.
    • Server -> Client: Finished: The server's first encrypted message, verifying its view of the handshake integrity.

  • Key Concepts Highlighted: The diagram shows the concept of the session key being established. It depicts an encrypted session key being sent, which is conceptually close to the encrypted pre-master secret in RSA key exchange. The key takeaway is that a shared secret is established using asymmetric principles (public/private keys) during this phase.

## 4. Data Transmission

  • Purpose: Securely exchange the actual application data (e.g., HTTP GET/POST requests and HTML/image/etc. responses).
  • Steps:
    • Client <-> Server: Encrypted Data: All communication between the client and server from this point on (until the session closes) is encrypted using the session key and the symmetric encryption algorithm agreed upon in the handshake (e.g., AES). Message Authentication Codes (MACs) are also typically used to ensure the integrity and authenticity of each message.
  • Encryption Highlighted: The diagram correctly associates Symmetric Encryption with this phase. Using the shared session key, both parties can encrypt and decrypt the data efficiently. This is much faster than asymmetric encryption, making it suitable for potentially large amounts of application data.

## Verification of Diagram Correctness

  • Strengths:

    • Overall Structure: The diagram correctly depicts the main phases: TCP setup -> TLS Handshake (Certificate Check + Key Exchange) -> Secure Data Transmission.
    • Key Message Flow: It shows the essential messages involved in the TCP and a simplified TLS handshake (Hello, Certificate, Key Exchange, Finished, Change Cipher Spec).
    • Encryption Types: Correctly associates asymmetric cryptography with the handshake/key agreement phase and symmetric cryptography with the bulk data transfer phase.
    • Key Concepts: Clearly illustrates the roles of public/private keys and the session key.

  • Weaknesses/Simplifications:

    • Certificate Verification: The crucial client-side verification steps (checking CA trust, validity, hostname) are not explicitly shown, which is a major part of the security provided by HTTPS.
    • Key Exchange Mechanism: It simplifies the key exchange. Modern HTTPS heavily relies on Diffie-Hellman variants (ECDHE) for Perfect Forward Secrecy (PFS), which involves slightly different message flows (e.g., potential Server Key Exchange message) and mechanism than the implied RSA exchange. The diagram's depiction of sending an "encrypted session key" is more aligned with the older RSA method where a pre-master secret is encrypted.
    • Session Key Derivation: The process of deriving the actual session encryption and MAC keys from the pre-master secret, client random, and server random is omitted for simplicity.
    • Message Authentication: Doesn't explicitly mention the use of Message Authentication Codes (MACs) alongside encryption during data transmission, which are essential for data integrity.
    • TLS Versions: The handshake shown is more representative of TLS 1.2 or earlier. TLS 1.3 significantly optimizes and changes the handshake flow (e.g., fewer round trips, encrypting more of the handshake).
    • Server Authentication Only: The diagram depicts the most common scenario where only the server is authenticated (via its certificate). TLS also supports mutual authentication where the client also presents a certificate, but this is less common for web Browse.

## Conclusion:

The diagram provides a good high-level conceptual overview of how HTTPS works, correctly identifying the main stages and the types of cryptography involved in each. However, as an engineer, it's important to recognize its simplifications. It omits crucial details like certificate validation steps, the specifics of modern key exchange algorithms (like ECDHE for PFS), the role of MACs for integrity, and the nuances introduced by different TLS versions (especially TLS 1.3). While useful for a basic understanding, a deeper dive is needed for a complete grasp of the security guarantees and mechanisms involved.

@sidd-kulk
Copy link
Author

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment