Tuesday 22 May 2012

https:// what is it?

HTTPS is a way of securing HTTP (web) traffic. There are many ways of establishing an encrypted HTTP connection, but we will discuss here only the simplest one, used by most of the web sites running on HTTPS. Examples of these are encrypted.google.com, gmail.com etc. Whenever there is an HTTPS (encrypted) connection you will notice https:// in the address bar of the browser.


There are two main purposes of HTTPS as it is generally used:


  1. Privacy: Providing encrypted traffic between the client application (web browser) and the server application (web server), so that no one who intercepts it in between can understand the content.
  2. Authenticity: Guaranteeing the user that he/she is connected to the genuine web server (not a fake one).




Let's look at how this is achieved in web browser-to-website communication.


Every well-known web application/web site/email application gets an SSL certificate from a well-known Certificate Authority (CA). These certificate authorities are companies who issue certificates after verifying the identity presented by the website's company. This information may include the address, emails, national ID cards, phone numbers and other details of the site owner. In other words, certificate authorities certify that the web site is valid/genuine and that its identity has been verified.


There are many well-known (trusted) Certificate Authorities (CAs) like VeriSign Inc, DigiNotar, thawte, Inc etc. All web browsers come shipped with the certificates of these CAs.


Now let's see what happens when a web browser requests an HTTPS-enabled website, e.g. gmail.com:
  1. The client web browser sends a request to gmail.com on plain HTTP.
  2. gmail.com replies with its SSL certificate and asks for a secure connection (HTTPS).
  3. The client web browser checks whether the issuer of this certificate exists in its list of trusted CAs.
  4. If the issuer is there, the HTTPS connection is established; otherwise the user is presented with a security warning (Firefox).




Once the HTTPS connection is established, all the traffic from the client (browser) to the server (website) is encrypted and cannot be read/understood if intercepted in between, and the user has the guarantee that he/she is connected to the genuine website (not a fake).


PS: You can check the list of CAs in your browser. In Firefox, go to Edit->Preferences or Tools->Preferences, then Advanced->Encryption->View Certificates; there you can see the list of trusted certificates and Certificate Authorities.
