Before we get to HTTPS we need to understand HTTP.
HTTP is a stateless protocol. By stateless we mean that each command is executed independently, without any knowledge of the commands that came before it.
Web pages are written in a markup language called HyperText Markup Language (HTML), and HTTP transfers these files between client and server. HTTP runs over TCP and uses the following request methods to fetch and deliver web pages.
- GET requests a specific resource in its entirety
- HEAD requests a specific resource without the body content
- POST adds content, messages, or data to a new page under an existing web resource
- PUT directly modifies an existing web resource or creates a new URI if need be
- DELETE gets rid of a specified resource
- TRACE shows users any changes or additions made to a web resource
- OPTIONS shows users which HTTP methods are available for a specific URL
- CONNECT converts the request connection to a transparent TCP/IP tunnel
- PATCH partially modifies a web resource
The major flaw with HTTP is that all data is transferred in clear text, which is a major security risk. To solve this, enter HTTPS.
HTTPS takes the well-known and understood HTTP protocol and simply layers an SSL/TLS (hereafter referred to simply as "SSL") encryption layer on top of it. Servers and clients still speak exactly the same HTTP to each other, but over a secure SSL connection that encrypts and decrypts their requests and responses.
In step one, the user requests a website in their browser.
The browser asks the DNS server to locate this website. DNS queries the FQDN and resolves it to an IP address. The server at the resolved IP address responds with a hello message. This hello message contains an SSL certificate.
The SSL certificate is the server's way of saying to the client:
"I am who you think I am, and you can even verify this with my certificate."
The client browser reads this certificate and checks whether it trusts the CA that signed the web server's certificate. If the browser does trust the CA, the client verifies the certificate with the CA.
Once trust has been established, the browser sends an encryption key to the web server, which the browser has encrypted with the public key of the web server.
After receiving the key, the web server decrypts it using its own private key, and both sides then use symmetric encryption for the data exchange between the client browser and the web server.
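The handshake described above (the browser checking that the certificate chains to a trusted CA and matches the requested host, then sending a symmetric key encrypted with the server's public key, which only the server's private key can recover), as an added Go example that is not part of this post. It uses only Go's standard crypto/x509 and crypto/rsa packages; the CA name, host name and 32-byte AES key are assumed values, the server key is assumed to be RSA, and the DNS lookup and TCP connection are left out.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issueCert signs a certificate for pub with signer's key; parent == nil means self-signed (the CA root).
func issueCert(name string, serial int64, pub *rsa.PublicKey, parent *x509.Certificate, signer *rsa.PrivateKey, isCA bool) (*x509.Certificate, error) {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, DNSNames: []string{name},
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageKeyEncipherment, // CertSign only matters on the CA
	}
	if parent == nil {
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// clientVerify is the browser's check: the certificate must chain to a trusted CA and match the requested host.
func clientVerify(cert *x509.Certificate, trusted *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	return err
}

// clientKeyExchange: the browser draws a random AES key and encrypts it with the server's public key (RSA-OAEP).
func clientKeyExchange(cert *x509.Certificate) (key, sealed []byte, err error) {
	key = make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	sealed, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, cert.PublicKey.(*rsa.PublicKey), key, nil)
	return key, sealed, err
}

// serverKeyExchange: only the matching private key recovers the AES key that protects the data phase.
func serverKeyExchange(priv *rsa.PrivateKey, sealed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sealed, nil)
}
```

This is the RSA key-transport handshake the post describes; current TLS versions derive the session key with an ephemeral Diffie-Hellman exchange instead, but the certificate-trust step works the same way.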