When shopping or banking online, check that the URL in the address bar begins with https:// and that the browser shows a padlock (older browsers coloured it green). This indicates that the communication between the browser and the server is encrypted and that the server presented a certificate the browser trusts for that domain name. It does not mean the website itself is "safe and good": a phishing site can obtain a perfectly valid certificate for its own domain, so the padlock says nothing about who is behind the site.
HTTPS is the secure variant of HTTP; the 'S' stands for secure.
Technically, HTTPS is HTTP carried over TLS (Transport Layer Security), the successor to SSL (Secure Sockets Layer); the name "SSL certificate" has stuck even though the SSL protocols themselves are deprecated. The certificate binds the server's identity (its domain name) to its public key, and the Certificate Authority's signature over that binding lets the browser check that neither the name nor the key has been tampered with.
Let’s take an example to see how an SSL certificate works →
- When I enter an HTTPS URL in the address bar, my browser opens a TLS connection to the server and requests the page over that encrypted channel.
- The server responds with its certificate, which contains its public key, together with any intermediate certificates that chain up to a root CA.
- Once my browser has the certificate it checks the issuer's (the CA's) digital signature on it to confirm that the certificate is valid. That signature was created with the CA's private key; the browser (or the operating system) ships with a trust store of the public keys of the major Certificate Authorities, so it can verify the signature without any prior contact with the server. It also checks that the name in the certificate matches the host in the URL, that the certificate has not expired and, where possible, that it has not been revoked.
- The padlock appears only after this verification succeeds; if any check fails the browser shows a warning page instead.
- Now the key exchange begins. The browser generates a random secret (the premaster secret) from which both sides will derive the same symmetric session key. This secret must not travel in the clear, so the browser encrypts it with the server's public key taken from the certificate and sends only the ciphertext. (This is the RSA key exchange used by TLS 1.2 and earlier; TLS 1.3 instead performs an ephemeral Diffie-Hellman exchange so the secret is never transmitted at all, which also gives forward secrecy if the server's private key later leaks.)
- Only the server holds the matching private key, so only it can decrypt the secret. From now on all data exchanged between the browser and the server is encrypted and decrypted with the session key derived from that secret.
This example shows asymmetric and symmetric cryptography working together: asymmetric (public-key) cryptography for verifying the certificate and protecting the secret in transit, and symmetric cryptography, which is far faster, for the bulk data transfer.
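The exchange described above, played out by both sides in one script. This is an added, stdlib-only model written for this page, not code from the original post: textbook RSA with 512-bit keys and no padding stands in for the real primitives (RSA-PSS/ECDSA signatures, X.509 encoding, AES-GCM), and an HMAC-SHA256 keystream stands in for the record-layer cipher, so only the shape of the exchange is realistic. The hostnames, the trust store and the HTTP request are constructed samples. Two failure modes a browser must catch are included: a certificate signed by a CA that is not in the trust store, and a valid certificate presented for the wrong hostname.

```python
"""Model of the HTTPS certificate check and key exchange (illustration only).

Textbook RSA (no padding) and an HMAC keystream replace the real primitives;
do not reuse these helpers for anything but learning the flow.
"""
import hashlib
import hmac
import json
import random


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test, enough for toy key generation."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def rsa_keypair(bits=512):
    """Return (public, private) as dicts; e = 65537 as in real certificates."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}


def _digest_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private, message):
    return pow(_digest_int(message), private["d"], private["n"])


def verify(public, message, signature):
    return pow(signature, public["e"], public["n"]) == _digest_int(message)


def _encode(body):
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(ca_private, hostname, server_public):
    """The CA binds a hostname to the server's public key and signs the binding."""
    body = {"subject": hostname, "public_key": server_public}
    return {"body": body, "signature": sign(ca_private, _encode(body))}


def browser_validate(cert, expected_host, trust_store):
    """Return the server's public key if the cert is trusted for this host, else None."""
    if cert["body"]["subject"] != expected_host:
        return None  # valid certificate, wrong site: no padlock
    if not any(verify(ca, _encode(cert["body"]), cert["signature"]) for ca in trust_store):
        return None  # signed by a CA the browser does not know
    return cert["body"]["public_key"]


def symmetric_xor(key, data):
    """Counter-mode keystream from HMAC-SHA256; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def run_handshake(hostname="shop.example", expected_host=None, untrusted_ca=False):
    """Play both sides of the exchange and report what the browser concluded."""
    ca_public, ca_private = rsa_keypair()
    trust_store = [ca_public]                      # what the browser ships with
    server_public, server_private = rsa_keypair()
    issuer = rsa_keypair()[1] if untrusted_ca else ca_private  # impostor CA if asked
    cert = issue_certificate(issuer, hostname, server_public)

    # Browser side: verify the certificate before trusting the public key at all.
    key = browser_validate(cert, expected_host or hostname, trust_store)
    if key is None:
        return {"trusted": False}

    # Key exchange: a random secret travels only under the server's public key.
    secret = random.getrandbits(256).to_bytes(32, "big")
    on_the_wire = pow(int.from_bytes(secret, "big"), key["e"], key["n"])
    server_secret = pow(on_the_wire, server_private["d"], server_private["n"]).to_bytes(32, "big")

    # Bulk data now uses the shared symmetric key on both ends.
    request = b"GET /account HTTP/1.1\r\nHost: shop.example\r\n\r\n"
    ciphertext = symmetric_xor(secret, request)
    return {
        "trusted": True,
        "secrets_match": secret == server_secret,
        "ciphertext_differs": ciphertext != request,
        "server_received": symmetric_xor(server_secret, ciphertext),
    }


if __name__ == "__main__":
    print(run_handshake())
    print(run_handshake(untrusted_ca=True))
    print(run_handshake(expected_host="bank.example"))
```

The two negative runs are the part worth dwelling on: the impostor's certificate is internally consistent (its signature verifies under the impostor's own CA key), and the wrong-host certificate is genuinely signed by a trusted CA, yet the browser must refuse both, because the whole chain of trust rests on the pre-installed CA keys and on the name in the certificate matching the name the user typed.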