TLS (Transport Layer Security) and HTTPS (Hypertext Transfer Protocol Secure) are closely related concepts used to secure data communication over the internet.
While they are often mentioned together, they serve different purposes.
Transport Layer Security (TLS) is a cryptographic protocol that provides secure communication between two parties (e.g., a client and a server) over a computer network.
It ensures that the data being transmitted is confidential, authenticated, and has not been tampered with.
TLS is the successor to the older SSL (Secure Sockets Layer) protocol; the two names are often used interchangeably, although SSL itself is deprecated.
Hypertext Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol that is the foundation of data communication on the World Wide Web.
HTTPS uses TLS (or, in older cases, SSL) to encrypt the communication between the client (typically a web browser) and the server.
When you see a website URL starting with “https://” in your browser’s address bar, it indicates that the connection is secured by TLS/SSL, and any data transmitted between you and the website is encrypted and secure.
TLS is a security protocol that provides encryption and authentication for data transmission over a network, while HTTPS is a secure implementation of the HTTP protocol that uses TLS to protect the data being transmitted between a client and a server.
HTTP (Which Doesn’t Use TLS) and HTTPS (Which Uses TLS)
How HTTP Works
| Step | Party | Action |
|------|-------|--------|
| 1 | Client | Sends an HTTP request to “http://example.com” |
| 2 | Server | Receives the request and sends back the requested data as an HTTP response |
| 3 | Client | Receives the data and displays the website content; in this scenario the data transmission is not encrypted, leaving it vulnerable to eavesdropping and tampering |
Illustration of HTTP
```
Client (browser) -> Server (website)

GET /index.html HTTP/1.1
Host: example.com

Server -> Client

HTTP/1.1 200 OK
Content-Type: text/html

<!DOCTYPE html>
<html>
  <head>
    <title>Example Website</title>
  </head>
  <body>
    <p>Welcome to the example website!</p>
  </body>
</html>
```
How HTTPS Works
| Step | Party | Action |
|------|-------|--------|
| 1 | Client | Sends an HTTPS request to “https://example.com” |
| 2 | Server | Responds with its TLS certificate, which includes the server’s public key and other information that helps establish a secure connection |
| 3 | Client | Validates the certificate and, if trusted, generates a symmetric key, encrypts it with the server’s public key, and sends it back to the server |
| 4 | Server | Decrypts the symmetric key using its private key; both the client and the server now have the same symmetric key to encrypt and decrypt the data |
| 5 | Client and server | Use the established symmetric key to encrypt and decrypt all data transmitted between them, ensuring confidentiality, authentication, and integrity |
| 6 | Client | Receives the encrypted data, decrypts it, and displays the website content |
Illustration of HTTPS
```
Client (browser) -> Server (website)

TLS Handshake: establish a secure connection using certificates and encryption keys

Client -> Server (encrypted with TLS)

GET /index.html HTTP/1.1
Host: example.com

Server -> Client (encrypted with TLS)

HTTP/1.1 200 OK
Content-Type: text/html

<!DOCTYPE html>
<html>
  <head>
    <title>Example Secure Website</title>
  </head>
  <body>
    <p>Welcome to the example secure website!</p>
  </body>
</html>
```
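The six steps in the table can be run end to end on one machine. The Go program below is an added example written for this page, not code from the article; it uses only the standard library. `httptest` generates a throwaway self-signed certificate for `example.com` (constructed test data that no browser trusts), the server's `GetConfigForClient` hook records what it reads from the unencrypted ClientHello, and the client performs `GET /index.html` twice: once with a trust store that contains the server's certificate (step 3 succeeds) and once with the operating system's trust store, where validation fails and no HTTP request is ever sent. The names `Demo`, `Exchange` and `Fetch` are this example's own.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Exchange records one HTTPS request as seen from both ends.
type Exchange struct {
	SNI         string // hostname the server read from the ClientHello (sent unencrypted)
	Version     uint16 // negotiated TLS version, e.g. tls.VersionTLS13
	CipherSuite string // negotiated cipher suite
	Status      int    // HTTP status, 0 if the handshake never completed
	Body        string // decrypted response body
	Err         error  // handshake or transport error, nil on success
}

// Demo wraps an in-process HTTPS server. httptest generates a self-signed
// certificate valid for example.com and 127.0.0.1 (test data only; no real
// browser or operating system trust store trusts it).
type Demo struct {
	srv     *httptest.Server
	mu      sync.Mutex
	lastSNI string
}

func NewDemo() *Demo {
	d := &Demo{}
	d.srv = httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/html")
		fmt.Fprint(w, "<p>Welcome to the example secure website!</p>")
	}))
	d.srv.TLS = &tls.Config{
		MinVersion: tls.VersionTLS12,
		// Called as soon as the ClientHello is parsed, before any key exchange has
		// happened: everything in hi (SNI, offered versions and cipher suites)
		// crossed the network in plaintext.
		GetConfigForClient: func(hi *tls.ClientHelloInfo) (*tls.Config, error) {
			d.mu.Lock()
			d.lastSNI = hi.ServerName
			d.mu.Unlock()
			return nil, nil // nil keeps the server's existing configuration
		},
	}
	d.srv.StartTLS()
	return d
}

func (d *Demo) Close() { d.srv.Close() }

// TrustedRoots is a trust store holding only the server's own certificate,
// standing in for the CA bundle a browser ships with.
func (d *Demo) TrustedRoots() *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(d.srv.Certificate())
	return pool
}

func (d *Demo) sni() string {
	d.mu.Lock()
	defer d.mu.Unlock()
	return d.lastSNI
}

// Fetch performs "GET /index.html" the way the browser in the table does.
// roots is the client's trust store; nil selects the operating system's store,
// which does not contain the test certificate, so validation must fail.
func (d *Demo) Fetch(roots *x509.CertPool) Exchange {
	tr := &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs:    roots,
		ServerName: "example.com", // the name typed in the address bar; also sent as SNI
		MinVersion: tls.VersionTLS12,
	}}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr}).Get(d.srv.URL + "/index.html")
	if err != nil {
		return Exchange{SNI: d.sni(), Err: err}
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return Exchange{
		SNI:         d.sni(),
		Version:     resp.TLS.Version,
		CipherSuite: tls.CipherSuiteName(resp.TLS.CipherSuite),
		Status:      resp.StatusCode,
		Body:        string(body),
	}
}

func main() {
	d := NewDemo()
	defer d.Close()
	for _, roots := range []*x509.CertPool{d.TrustedRoots(), nil} {
		ex := d.Fetch(roots)
		if ex.Err != nil {
			fmt.Printf("SNI=%q  handshake failed: %v\n", ex.SNI, ex.Err)
			continue
		}
		fmt.Printf("SNI=%q  TLS 0x%04x %s  HTTP %d  body=%q\n",
			ex.SNI, ex.Version, ex.CipherSuite, ex.Status, ex.Body)
	}
}
```

Two things worth noticing in the output: the untrusted run reports an x509 error and a zero HTTP status, because the client aborts the handshake at step 3 before any request is sent, and in both runs the server still saw `example.com` as the SNI value. The request path and the response body are encrypted, but the hostname is visible to anyone on the path in the ClientHello, which is why "the path is encrypted" is the precise claim rather than "the whole URL is encrypted".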
In this example, HTTPS and TLS work together to secure the data communication between the client and the server.
The data is encrypted, preventing eavesdropping and tampering, and the client can trust that it is communicating with the legitimate server.
Note that the URL path (everything after the hostname) is encrypted in HTTPS communication, so it is invisible to any intermediary on the internet that is able to intercept your traffic.
Simplified Illustration of an HTTPS Connection
Here’s a simplified illustration of HTTPS communication in 8 steps between a client (e.g., a web browser) and a server (e.g., a website) using a domain name:
- The client opens a connection to the server by entering the domain name in the browser’s address bar, such as “https://example.com.”
- The browser starts the DNS resolution process to obtain the server’s IP address:
  - a. The browser first checks its DNS cache to see if it already has the IP address for the domain.
  - b. If not, it sends a DNS query to its configured DNS resolver.
  - c. The DNS resolver may also have the IP address cached, or it performs a recursive query to the root, top-level domain (TLD), and authoritative DNS servers to find the IP address for the domain.
- Once the browser has the IP address, it establishes a TCP connection with the server at the destination IP address on port 443 (the default port for HTTPS).
- The browser initiates the TLS handshake process with the server to establish a secure connection:
  - a. The client sends a ClientHello message, which includes the protocol version, supported cipher suites, and other information.
  - b. The server responds with a ServerHello message, selecting the protocol version, cipher suite, and other parameters from the client’s list.
  - c. The server sends its digital certificate, which includes its public key and information about the domain and the issuing CA.
  - d. The browser validates the server’s digital certificate.
  - e. The client and server perform a key exchange (e.g., Diffie-Hellman or ECDHE) to establish a shared secret (the premaster secret).
  - f. Both the client and server use the premaster secret to derive the symmetric encryption keys (for data encryption and MAC) and start encrypting the communication.
- With the secure connection established, the browser sends an HTTP request to the server, such as “GET /index.html,” over the encrypted TLS channel.
- The server processes the request and sends the HTTP response (e.g., the content of the “index.html” file) over the encrypted TLS channel.
- The browser decrypts the received data, renders the content, and displays it to the user.
- The client and server continue to exchange data securely over the TLS connection until the connection is closed.
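Step 4d, certificate validation, is the one that decides whether the browser can "trust that it is communicating with the legitimate server". As an added example (not code from the article), the Go program below builds a throwaway private CA and a certificate it issued for `example.com`, then applies the checks a browser applies to the certificate received in step 4c: the chain must end at a root in the trust store, the certificate must be within its validity period at the time of the check, it must be permitted for server authentication, and one of its names must match the host that was requested. The CA name, serial numbers and validity periods are constructed values; `NewDemoPKI` and `ValidateServerCert` are this example's own names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI is a constructed two-level hierarchy: a private CA and one server
// certificate it issued for example.com. Neither is trusted by any real browser.
type DemoPKI struct {
	CA    *x509.Certificate
	Leaf  *x509.Certificate
	Roots *x509.CertPool // the "trust store": contains only the CA
}

// issue signs tmpl with signerKey on behalf of parent and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewDemoPKI builds the CA and a leaf certificate whose validity window
// starts an hour before now and ends 90 days later.
func NewDemoPKI(now time.Time) (*DemoPKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Demo Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "example.com"},
		DNSNames:     []string{"example.com", "www.example.com"}, // names a browser may match
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := issue(leafTmpl, ca, &leafKey.PublicKey, caKey) // signed by the CA's key
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &DemoPKI{CA: ca, Leaf: leaf, Roots: roots}, nil
}

// ValidateServerCert is the browser's step 4d: chain to a trusted root, valid
// at "now", usable for server authentication, and a name matching host.
func ValidateServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     host,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	now := time.Now()
	pki, err := NewDemoPKI(now)
	if err != nil {
		panic(err)
	}
	fmt.Println("valid:          ", ValidateServerCert(pki.Leaf, pki.Roots, "example.com", now))
	fmt.Println("wrong hostname: ", ValidateServerCert(pki.Leaf, pki.Roots, "example.org", now))
	fmt.Println("unknown CA:     ", ValidateServerCert(pki.Leaf, x509.NewCertPool(), "example.com", now))
	fmt.Println("after expiry:   ", ValidateServerCert(pki.Leaf, pki.Roots, "example.com", now.Add(91*24*time.Hour)))
}
```

Only the first check returns `nil`; the other three fail with distinct error types (hostname mismatch, unknown authority, expired), and each of them is a reason a browser would refuse to continue to step 4e no matter how strong the cipher suite negotiated in step 4b is.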
This illustration provides a high-level overview of the steps involved in HTTPS communication using a domain name.
In practice, each step may involve additional details and complexities, but the core concepts remain the same.
"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renowned computer security professional