Thursday, 27 December 2012

So what is HTTPS?

All web users know about HTTPS but what exactly is it?

HTTPS is a way that websites can protect the transfer of web pages between the web server and browsing computer. It is fundamental in providing security on the internet.

HTTP, short for HyperText Transfer Protocol, is sent across the internet in clear text. Its purpose is to describe web pages that can be displayed by a Web Browser Client computer. The word protocol basically means that it is like a language that both sides share and understand.

Anyone using a packet sniffer, such as Wireshark, could see what is being sent and received. It means that anything that is typed into an HTTP site, such as a search phrase, can be seen as it is sent to the web server, and the response could also be seen whilst in transit.

For normal web-browsing, this isn't too much of a problem. However, this is not suitable for activities such as online banking or shopping where sensitive information needs to be passed between Web Browser and Server.

HTTPS is the same HTTP protocol but sent across a secure communications link using something called Secure Sockets Layer, or SSL for short. SSL encrypts the traffic between browser and server.

Encryption requires some form of key to encrypt and decrypt messages.

It is a bit like having a key to your front door. It stops passers-by from making themselves cups of tea and watching reality TV in your house. Anyone who has gained access to your front door key can potentially gain access and rifle through the underwear drawer.

Likewise, in computer security, anyone who is able to obtain access to a normal "symmetrical" key can encrypt and decrypt messages as they wish. "Symmetrical" means that the same key can be used to encrypt and decrypt messages. The implication is that although you can send an encryption key to someone else for them to send you secret messages, there is no guarantee that it hasn't been compromised en route. Someone could intercept the key, decrypt messages, read the contents and even possibly change the message before forwarding it on to its intended recipient.

The answer to this key distribution problem is "non-symmetrical" keys, otherwise known as public key encryption, as discovered by a mathematician called Clifford Cocks of GCHQ. Public Key Encryption works by having separate keys for encryption and decryption.

The system works by publicly releasing the encryption key and keeping the decryption key secret. Any messages that have been encrypted using the public encryption key can only be decoded by the owner of the secret decryption key. Anybody listening to communications wouldn't be able to decrypt and read messages as they don't have the required key.

The downside to public key encryption over normal "symmetrical" encryption is that it is fairly computationally expensive - in other words, it takes a lot of processing power to perform the mathematics required to encrypt and decrypt messages. A large web-server system with thousands of users could easily grind to a halt if everything was encrypted using public key encryption.

Therefore, when a web browser connects to an HTTPS site, the browser and server perform a handshake to inform each other of supported symmetrical encryption methods. The server also informs the browser of the web server's public encryption key. The web browser uses the public key to encrypt a normal symmetrical key and sends it to the server. The server is the only machine that is able to decrypt this key message, so the two sides can continue the communication with a less computationally expensive symmetrical encryption method. Anything listening to the transfer wouldn't have been able to see the key, as the transfer happened under the safety of public key encryption.
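The key exchange described above, as an added example that is not part of the original post. It uses only the Python standard library, so unpadded RSA over two known Mersenne primes and a SHA-256 keystream stand in for the real algorithms; all function names and the sample request are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy server key pair: textbook RSA built from two known Mersenne primes.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public key (sent to the browser)
D = pow(E, -1, (P - 1) * (Q - 1))        # private key (never leaves the server)


def keystream_xor(key, data):
    """Toy symmetric cipher: XOR data with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def browser_wrap_session_key(n, e):
    """Browser: pick a random symmetric key, encrypt it with the public key."""
    session_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return session_key, wrapped


def server_unwrap_session_key(wrapped):
    """Server: recover the symmetric key using the private exponent."""
    return pow(wrapped, D, N).to_bytes(16, "big")


def demo():
    browser_key, wrapped = browser_wrap_session_key(N, E)  # crosses the network
    server_key = server_unwrap_session_key(wrapped)
    request = b"GET /account/balance HTTP/1.1"             # constructed sample
    on_the_wire = keystream_xor(browser_key, request)      # crosses the network
    return {
        "keys_match": browser_key == server_key,
        "server_reads": keystream_xor(server_key, on_the_wire),
        "sniffer_sees": (wrapped, on_the_wire),
    }


if __name__ == "__main__":
    result = demo()
    print("keys match:  ", result["keys_match"])
    print("server reads:", result["server_reads"])
    print("sniffer sees:", result["sniffer_sees"][1].hex())
```

The expensive public key operation happens once per connection to move 16 bytes; every request after that uses only the cheap symmetric cipher.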

Digital Certificates are used to prove that the key has come from the server itself and not a "man in the middle" - these will be discussed in a future post.
