Here is a clean, step-by-step tutorial on how a secure HTTPS connection is established and maintained.
Before any security layers or data can be sent, your browser must establish a raw network connection with the server.
Action: The client and server perform a standard TCP 3-Way Handshake (SYN, SYN-ACK, ACK).
Port: This connection is opened on port 443 (the standard port for HTTPS).
Once the TCP connection is open, the browser and server must negotiate their encryption settings. This happens through the TLS Handshake:
[ Client ]                                    [ Server ]
    | ------ ClientHello (Cipher list) -----> |
    | <----- ServerHello + SSL Certificate -- |
    |        (Verifies Certificate)           |
    | ------ Key Exchange Data -------------> |
    | <----- Handshake Finished ------------- |
ClientHello: Your browser sends a message listing the cryptographic algorithms (Cipher Suites) and the TLS versions it supports.
ServerHello: The server responds by selecting a cipher suite that both sides support and sends back its SSL Certificate.
Verification: The browser checks that the certificate was signed by one of its built-in trusted Certificate Authorities (CAs) and that it was issued for the domain name being visited, so it knows it is talking to the legitimate website.
To encrypt data efficiently, the browser and server must agree on a shared secret key without an eavesdropper stealing it.
The Secret: The browser generates a unique, temporary string of random data (called a pre-master secret).
The Asymmetric Lock: The browser uses the server's Public Key (found inside the verified SSL certificate) to encrypt this secret. Only the server's matching Private Key can decrypt it. (With the ECDHE suites shown in step 5, the server's private key instead signs an ephemeral Diffie-Hellman exchange, so the secret itself is never sent over the wire; both sides still end up with the same shared secret.)
Transmission: The encrypted secret is sent to the server. The server decrypts it using its Private Key.
Symmetric Key Creation: Now, both the browser and the server have the exact same secret. They use it to generate matching Symmetric Session Keys (like AES keys).
The computationally heavy asymmetric cryptography is now finished. From this point forward, the browser and server use the shared symmetric session keys to encrypt and decrypt all data.
GET Request Encryption: When you request a webpage, your browser takes the full raw HTTP GET request and passes it through the symmetric encryption algorithm.
The Transit: The request travels across the internet as unreadable ciphertext.
The Server Read: The server receives the ciphertext, decrypts it using its matching session key, processes the GET request, encrypts the webpage response, and sends it back.
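The handshake, certificate check and encrypted request from steps 2 through 4, as an added Go example that is not part of this tutorial: it uses Go's standard crypto/tls and crypto/x509 packages to mint a throwaway certificate for the constructed name example.test, run a real TLS handshake over loopback TCP, and show that the client aborts when the name it expects is not the one in the certificate. The function names selfSignedCert and handshake are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// selfSignedCert makes a throwaway certificate for the constructed name example.test; its pool stands in for the browser's trusted-CA list.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return tls.Certificate{}, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{"example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { return tls.Certificate{}, nil, err }
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool, nil
}

// handshake runs a real TLS handshake over loopback TCP. The client trusts only the pool above and insists
// the certificate is for serverName, so a wrong name fails verification and aborts the handshake; otherwise
// it returns the negotiated version (e.g. tls.VersionTLS13), the cipher suite, and the request the server decrypted.
func handshake(serverName string) (version uint16, suite, request string, err error) {
	cert, pool, err := selfSignedCert()
	if err != nil { return }
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil { return }
	defer ln.Close()
	seen := make(chan string, 1)
	go func() { // server side: the TLS handshake itself runs inside the first Read
		conn, err := ln.Accept()
		if err != nil { seen <- ""; return }
		defer conn.Close()
		var buf [256]byte
		n, _ := conn.Read(buf[:]) // 0 bytes if the client rejected the certificate
		seen <- string(buf[:n])
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: serverName})
	if err != nil { return }
	defer cli.Close()
	cli.Write([]byte("GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")) // crosses the wire as ciphertext
	return cli.ConnectionState().Version, tls.CipherSuiteName(cli.ConnectionState().CipherSuite), <-seen, nil
}
```

Calling handshake("example.test") succeeds and returns the plaintext GET the server recovered; handshake("other.test") fails at the verification step before any request is sent.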
You can view this protocol actively working on any website right now:
Open your browser's Developer Tools (Press F12 or Ctrl + Shift + I).
Go to the Security tab (in Chrome/Edge) or the Network tab.
Look under Connection to see the specific encryption algorithms used for your session (e.g., TLS 1.3, AES_128_GCM, ECDHE_RSA).
If you'd like to explore this further, let me know if you want to look at a raw code example of setting up an HTTPS server or dive deeper into a specific cipher suite algorithm.