How does the HTTPS protocol work?
HTTPS: what it is and why it appears on almost all the web pages we visit
When we browse the internet we access different web pages, each with a unique address that differentiates it from the others so that it can always be located, much like a postal address. These addresses give information about the page: sometimes they relate to its content, or indicate the main page when it is a subpage. Several fields are always present in a web address or URL, such as a page prefix like www, or a suffix that closes the main address, such as .com, .net, .es… Each field gives information about the page and its server.
But those are not the only fields in a URL. Sometimes we find other, optional ones that not all browsers show, like HTTPS, which appears as a prefix and has no direct relation to the URL of the page. For example, if we want to access Google we can type www.google.es or https://www.google.es and both will take us to the same page. In fact, on some websites, if you enter the address with “https://” you will not be able to access them, because not all websites necessarily have this protocol implemented.
This is because HTTPS is not part of the URL, nor does it refer to the content or characteristics of the web address; it refers to the communication between the website and your computer. If the website does not support it, or supports only the HTTP version (without the final “s”), we will not be able to communicate correctly when we enter it in the URL. That is why browsers add it automatically when we enter a web address: since it is a communication protocol, it is not possible to know whether a page is compatible until you try to establish a connection with it.
So HTTPS is a communication protocol, or rather an extension of HTTP, the web communication protocol that was created at the beginning of the World Wide Web and is the basis for hyperlinks between web pages. HTTPS is an addition to HTTP that focuses on ensuring the security of communications on a network using SSL or TLS certificates. Hence, when a page uses it, a padlock appears in the browser bar, or the site is otherwise marked as safe, which is why its use is becoming more and more widespread, although it does not always mean that everything is safe, as we will see later.
The operation of the HTTPS protocol is based on a very simple principle: certificates. These certificates are either SSL, older certificates from a system developed to guarantee secure communication between server and client, or TLS, its successors, which are more modern and secure.
These certificates will be stored on the servers of the web pages and will mainly serve three purposes:
- Guarantee the privacy of communications, so that third parties are unable to read the information exchanged with the server; sensitive or confidential information such as a password or personal data is thus kept safe.
- Ensure the integrity of the information exchanged with the server, so that none of the parties involved in the communication between the server and the client, such as other servers or routers, can alter the information and introduce malicious content into the messages.
- Identify the parties involved in the exchange of information. This is important so that no one can impersonate the communicating parties: a unique digital signature is generated for each device, making it possible to confirm that a message was indeed sent by that device and not by another computer or server pretending to be it.
The HTTPS protocol performs these functions using asymmetric cryptography, that is, a way of encrypting messages based on two cryptographic keys, one for encryption and one for decryption. Every device generates a pair of keys. The one used to encrypt each message is the public key: anyone can see it and use it to send a message, which can only be decrypted with the other key assigned to that device. That key is private and only the device that generated it has access to it, so everyone can send encrypted messages that only the recipient can read.
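The public/private key pair described above, together with the digital signature from the third purpose in the list, as an added example (not code from the original article). It is textbook RSA on small integers: the primes are constructed sample values far too small for real use, and the padding and hashing that real TLS applies are left out.

```python
# Textbook RSA with tiny constructed primes: illustrative only, not secure.
P, Q = 61, 53   # constructed sample primes (real keys use primes of 1024 bits or more)
E = 17          # public exponent


def generate_keypair(p=P, q=Q, e=E):
    """Return (public_key, private_key), each as an (exponent, modulus) pair."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(message, public_key):
    """Anyone holding the public key can encrypt an integer smaller than n."""
    e, n = public_key
    return pow(message, e, n)


def decrypt(ciphertext, private_key):
    """Only the holder of the private key can recover the message."""
    d, n = private_key
    return pow(ciphertext, d, n)


def sign(message, private_key):
    """Signing uses the private key, so only its owner can produce the value."""
    d, n = private_key
    return pow(message, d, n)


def verify(message, signature, public_key):
    """Anyone can check a signature against the message with the public key."""
    e, n = public_key
    return pow(signature, e, n) == message


if __name__ == "__main__":
    public, private = generate_keypair()
    secret = 65                               # constructed sample message
    ciphertext = encrypt(secret, public)
    print("ciphertext:", ciphertext)
    print("decrypted :", decrypt(ciphertext, private))
    signature = sign(secret, private)
    print("signature valid for 65:", verify(65, signature, public))
    print("signature valid for 66:", verify(66, signature, public))
```
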
But first, the server and the client have to agree on how to communicate, in what is known as the handshake. The client sends its public key to the server and states its security preferences; the server responds with a master key, which they will use to communicate for the rest of the session, and with its preferred security option from those offered by the client. Then both sides check the security certificates to make sure they are genuine and, finally, if all the above steps succeed, the communication is established as secure.
Now, how do we know that those certificates are correct? That depends on who signs the certificate. There are different companies with authentication servers that you can pay to attest that the certificate is valid and that you are who you say you are. Other websites, especially smaller ones, tend to sign the certificate themselves, which is why, when visiting small blogs or other websites, a message sometimes appears warning that the website may not be secure, since it is itself the signer of its HTTPS certificate.
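On the client side, the check of who signed the certificate is a configuration choice. The following added example (not from the original article) uses Python's standard ssl module to audit a client configuration for settings that silently discard that check; the function names and finding labels are hypothetical, chosen here for illustration.

```python
import ssl


def hardened_client_context():
    """Client settings that keep the signer and identity checks in place."""
    ctx = ssl.create_default_context()        # trusts the system's CA store
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSL and early TLS
    return ctx


def permissive_client_context():
    """The usual shortcut for silencing a self-signed certificate warning."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                # has to be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE           # accept any certificate, any signer
    return ctx


def audit_client_context(ctx):
    """Return labels (hypothetical names) for settings that weaken HTTPS."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("signer-not-verified")      # identity guarantee is lost
    if not ctx.check_hostname:
        findings.append("hostname-not-checked")     # certificate may belong to another site
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy-protocol-allowed")  # old SSL/TLS versions accepted
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("permissive", permissive_client_context())):
        print(name, "->", audit_client_context(ctx) or "no findings")
```

With verification disabled the traffic is still encrypted, but the client no longer knows which server it is encrypting to.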
HTTPS does not mean total security
Even so, the fact that a page has an HTTPS certificate and that the padlock appears in our browser does not mean that the page is safe. This is a very important detail, because it is sometimes assumed that all pages with HTTPS are completely secure when, as we have just seen, this protocol only ensures integrity and security in the communication, not in the web page itself.
Therefore, if we connect to a fraudulent web page, it may well use HTTPS; that means we will communicate with it securely, but not that its content is safe. This is something to keep in mind, since you always have to be careful: even though HTTPS is necessary for our data to be sent securely, there is little it can do if the server we are sending it to is not secure, as with a phishing website or a page designed to steal social media credentials.