Jan 31, 2019
Why HTTPS Matters?
- Difference between HTTP and HTTPS
- How HTTPS secures us?
When browsing the internet, you were always asked to look for a padlock and https when using a website. Many times we would think, why would that matter? In this article, I am going to show you how HTTPS keeps us secure.
What happens when you access an HTTP website?
Default Port: 80
When we access an HTTP website, the communication between the client (eg: browser) and the server is not secured. What do I mean by secure? The entire communication between the client and the server happens in plain text.
Let’s take an example of a login page. I am using a dummy login form from www.stealmylogin.com/demo.html. Before loading the page, I’ve started Wireshark packet capturing.
To demonstrate that the credentials go in plain text to the server, I’ve modified the form action from https://example.com to /login.
<form action=’https://example.com’ method=’post’> </form>
<form action=’/login’ method=’post’>
Fig 1: Wireshark Packet List
Fig 2: Login Page
Fig 3: GET Request Packet Details
To request demo.html from the server, the browser performs a GET request to the server. If we observe the Fig 3, details of the page (demo.html) I am accessing are exposed.
What happens after I submit the form will actually give you a shock.
After I submitted the form a new packet trace has been recorded in the Wireshark.
Fig 4: POST Request Packet Details
The packets captured are actually exposing the username and password I have entered in the form. No!!!!
Fig 5: Response from the server is readable
What happens when you access an HTTPS website?
HTTP + SSL/TLS = HTTPS
Default port: 443
HTTPS takes HTTP protocol and layers an SSL/TLS encryption layer on top of it. When HTTPS is used, communication between the server and the client is encrypted. SSL and TLS are protocols which provide secure communication over the network. SSL is an old and deprecated protocol. TLS is an updated version and provides greater security than SSL. Although TLS is an updated version, security certificates are still referred to as SSL certificates.
Let's take the example of a search in DuckDuckGo
Fig 6: Wireshark packet list for https website
Fig 7: Encrypted communication
We cannot understand anything from the captured packets as the communication between the client and the server is encrypted. TLS Handshake protocol is responsible for the authentication and the key exchange necessary to establish a secure connection.
What’s encrypted in HTTPS?
- Domain, Sub-domains are Unecrypted
- Pages or query params and Form data are encrypted
What really happens with SSL certificates?
Both SSL and TLS protocols use asymmetric Public Key Infrastructure (PKI) system. When a browser requests for an HTTPS connection to a webpage, an SSL certificate is sent. This SSL certificate has the public key to establish a secure connection with the server.
If you use self-signed certificates you do not get the padlock on the browser instead browser shows an error “This site’s security certificate is not trusted!”.
But, how does your browser know which SSL certificates to trust? Browsers have a list of trusted CAs - Certificate Authorities which issues SSL certificates. If an SSL certificate is not from those trusted CAs then the browser will show a warning.