Jan 31, 2019

Why HTTPS Matters?


Key Takeaways

  • Difference between HTTP and HTTPS
  • How HTTPS secures us

When browsing the internet, you have probably been told to look for a padlock and https when using a website. Many times we wonder why that would matter. In this article, I am going to show you how HTTPS keeps us secure.

https padlock

What happens when you access an HTTP website?

Default port: 80

When we access an HTTP website, the communication between the client (e.g. a browser) and the server is not secured. What do I mean by secure? The entire communication between the client and the server happens in plain text.

Let’s take an example of a login page. I am using a dummy login form from www.stealmylogin.com/demo.html. Before loading the page, I started a Wireshark packet capture.

To demonstrate that the credentials go in plain text to the server, I’ve modified the form action from https://example.com to /login.

<form action='https://example.com' method='post'>
</form>

<form action='/login' method='post'>
</form>


Fig 1: Wireshark Packet List

Fig 2: Login Page

Fig 3: GET Request Packet Details

To request demo.html, the browser sends a GET request to the server. As Fig 3 shows, the details of the page (demo.html) I am accessing are exposed.

What happens after I submit the form will actually give you a shock.

After I submitted the form, Wireshark recorded a new packet trace.

Fig 4: POST Request Packet Details

The captured packets actually expose the username and password I entered in the form. No!!!!

Fig 5: Response from the server is readable

What happens when you access an HTTPS website?

HTTP + SSL/TLS = HTTPS

Default port: 443

HTTPS takes the HTTP protocol and wraps it in an SSL/TLS encryption layer. When HTTPS is used, communication between the server and the client is encrypted. SSL and TLS are protocols that provide secure communication over the network. SSL is an old and deprecated protocol; TLS is its updated successor and provides greater security than SSL. Although TLS has replaced SSL, security certificates are still commonly referred to as SSL certificates.

Let's take the example of a search in DuckDuckGo.

Fig 6: Wireshark packet list for https website

Fig 7: Encrypted communication

We cannot understand anything from the captured packets because the communication between the client and the server is encrypted. The TLS Handshake protocol is responsible for the authentication and the key exchange necessary to establish a secure connection.

What’s encrypted in HTTPS?

  • Domain and sub-domains are unencrypted
  • Pages, query params and form data are encrypted

What really happens with SSL certificates?

Both the SSL and TLS protocols use an asymmetric Public Key Infrastructure (PKI) system. When a browser requests an HTTPS connection to a webpage, the server sends its SSL certificate. This certificate contains the public key used to establish a secure connection with the server.

If you use a self-signed certificate, you do not get the padlock in the browser; instead, the browser shows an error: “This site’s security certificate is not trusted!”.

But how does your browser know which SSL certificates to trust? Browsers have a list of trusted CAs (Certificate Authorities), which issue SSL certificates. If an SSL certificate is not from one of those trusted CAs, the browser will show a warning.

Free SSL/TLS certificates

Many providers offer free SSL certificates. Among them, Let's Encrypt and Cloudflare are quite popular.


Goutham Pilla
