How does HTTPS encryption work?

Boot.dev Blog ยป Cryptography ยป How Does HTTPS Encryption Work?
Lane Wagner
Lane Wagner

Last published January 26, 2023

Subscribe to curated backend podcasts, videos and articles. All free.

Hypertext Transfer Protocol Secure or HTTPS is an extension of the HTTP protocol. HTTPS secures the data transfer between client and server by encrypting all of the information communicated.

HTTPS allows a client to safely share sensitive information with a server through an HTTP request. HTTPS is critically important when it comes to sending sensitive data such as credit card information, passwords, or bank account numbers.

How does HTTPs work? (video) ๐Ÿ”—

Subscribe to my YouTube channel if this video was helpful!

Too long, didn’t watch ๐Ÿ”—

In short, HTTPS works like this:

  1. The client contacts the server and requests a secure connection
  2. The server sends the client its public key
  3. The client and the server use asymmetric encryption (like RSA) to negotiate a shared private key
  4. The shared private key is used by the client to encrypt the HTTP request (using symmetric encryption like AES)
  5. The server uses the shared private key to decrypt the HTTP request
  6. The server uses the shared private key to send the client an encrypted response
  7. The client uses the shared private key to decrypt the response

HTTPS is just HTTP with extra security ๐Ÿ”—

HTTPS

HTTPS requires that the client use SSL or TLS to protect requests and traffic by encrypting the information in the request.

When should I use HTTPs? ๐Ÿ”—

While HTTPS is only critically important when it comes to sensitive data, it’s a good idea to just use HTTPS for all of your web traffic. If you browse a website that doesn’t use HTTPS, your browser will actually give you an ugly little warning to let you know that the site is not as secure as it should be.

no http browser

If you develop websites, use HTTPS.

Careful! HTTPS is not necessarily private ๐Ÿ”—

Just because a website uses HTTPS doesn’t mean that your communication with them is private.

HTTPS keeps your messages private, but not your identity ๐Ÿ”—

It’s important to note that while HTTPS encrypts what you are saying, it doesn’t necessarily protect who you are. Tools like VPNs (virtual private networks) are needed for remaining anonymous online.

If you use a VPN, the company that runs the VPN is responsible for keeping your identity private. There is another option for privacy called a TOR network, which is a network of computers that are all connected. The TOR network, which you can use via a Tor browser, is designed to keep your identity anonymous, but it effectively adds another layer of privacy. You can use a VPN and a Tor browser if you’re really concerned about your privacy.

In short, HTTPS keeps your messages private, but not your identity or the identity of the server you’re communicating with. VPNs and TOR networks can help with that.

HTTPS ensures that you’re talking to the right person (or server) ๐Ÿ”—

In addition to encrypting the information within a request, HTTPS uses digital signatures to prove that you’re communicating with the server that you think you are. If a hacker were to intercept an HTTPS request by tapping into a network cable, they wouldn’t be able to successfully pretend they are your bank’s web server.

Find a problem with this article?

Report an issue on GitHub

Related Articles