HTTPS IN A NUTSHELL
Posted on 28 October, 2018 by Agumba Paul
HTTPS is a term we come across all the time when browsing the internet (https://pluscom.co.ke). It mostly appears at the start of a URL, replacing the common URL prefix HTTP (Hypertext Transfer Protocol). What is this HTTPS? What is its use or effect on our browsing activity?
Let’s start with a story. In 1980 we had Betty, Shack and Paul, now my colleagues. Paul was always the snoopy one, always into everyone's affairs. Betty and Shack (great friends) communicated through letters, and each time Paul was in the middle to get the information they were exchanging. One day Betty had some private information she wanted to send to Shack. With Paul being their worry, they had to find a way to communicate without him interfering. Luckily, Betty met Charity, who had a new invention: a box! "Silly invention, Charity. A box, really?!"
The box was to be used to send the critical information. "But how do we use the box?" Here was Charity's trick:
If Shack sent the box with a single key, Paul could duplicate the key and wait until the information was being sent, then get the box, read or alter the information, and lock the box again for transportation. Charity's box had two unique keys: one used only for locking the box and the other only for unlocking it. To bypass Paul, Shack had to send Betty an empty box with the locking key and keep the unlocking key. When Betty receives the open box with the locking key, she puts the letter in, locks the box with the locking key and sends it to Shack, who is the only one with the unlocking key. Genius, right?
The snoopy Paul has no ability to unlock the box and thus information is transmitted safely.
Back to HTTPS
Charity's box is the analogy behind HTTPS encryption. Here, the locking key is the public key while the unlocking key is the private key.
When you are browsing the web, your browser sends a public key to the server you want to get information from. The server uses the public key to encrypt the information your browser requested, and the browser uses its hidden private key to decrypt the information sent by the server, which was encrypted with the browser's own public key. It follows that for fully encrypted communication between the server and your computer (encrypted GET and POST communication), the interacting computers need to have both a private and a public key. Going deeper, HTTPS (Hypertext Transfer Protocol Secure) makes use of SSL (Secure Sockets Layer) to encrypt normal HTTP, turning the data being transmitted into text that is not human-readable (encrypted) and thus preventing man-in-the-middle attacks. SSL uses the RSA algorithm, which is an asymmetric encryption algorithm (it requires two different keys for encryption and decryption).
The RSA algorithm is complex but very interesting. Here is a simple logic:
RSA uses two large, unique prime numbers, say 'p' and 'q', which are not equal. When the two numbers are multiplied we get 'n' (pq = n). 'n' is the modulus for both the public and the private key. With 'n' alone provided to us, it’s very difficult to determine the two unique prime numbers, right? To generate the public key, choose 'e' that is relatively prime to φ(n) = (p-1)(q-1), and let pub = < e , n >. To generate the private key, find d, which is the multiplicative inverse of e mod φ(n), i.e., e*d = 1 mod φ(n), and let pri = < d , n >.
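The steps above, carried through with small numbers as an added example (not code from the original post). The function names and the sample primes 61 and 53 are constructed for illustration; this is textbook RSA with no padding and toy-sized primes, so it shows the arithmetic only.

```python
from math import gcd


def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def make_keys(p, q, e=None):
    """Build pub = <e, n> and pri = <d, n> from two distinct primes p and q."""
    if p == q:
        raise ValueError("p and q must not be equal")
    n = p * q
    phi = (p - 1) * (q - 1)
    if e is None:
        # smallest odd e > 1 that is relatively prime to phi(n)
        e = next(c for c in range(3, phi, 2) if gcd(c, phi) == 1)
    elif gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    _, x, _ = egcd(e, phi)
    d = x % phi  # multiplicative inverse of e mod phi(n): e*d = 1 mod phi(n)
    return (e, n), (d, n)


def lock(message, pub):
    """Betty's side: encrypt an integer message with the locking (public) key."""
    e, n = pub
    if not 0 <= message < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(message, e, n)


def unlock(cipher, pri):
    """Shack's side: decrypt with the unlocking (private) key."""
    d, n = pri
    return pow(cipher, d, n)


if __name__ == "__main__":
    pub, pri = make_keys(61, 53, e=17)   # constructed sample primes
    boxed = lock(65, pub)                # what Paul sees in transit
    print("pub =", pub, "pri =", pri)
    print("locked:", boxed, "unlocked:", unlock(boxed, pri))
    # Paul only has the locking key; applying it again does not open the box.
    print("Paul's attempt with pub:", lock(boxed, pub))
```
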
Just forget everything about the RSA algorithm... let’s leave that to the cryptographers and the certificate authorities (CA) to handle.
Here our only interest is the public key and the private key used to encrypt (lock and unlock) the data, as in the Charity story. In fact, the certificate authorities generate both keys for you. The techy guys can generate their own encryption keys with OpenSSL; the only problem is that most systems and browsers are likely to flag your communication as insecure, which is very annoying!
The SSL Certificate
Finally, we have SSL certificates. These are digital certificates issued by certificate authorities (CA) to certify the ownership of a public key by the named subject. This allows others to rely upon signatures made with the private key that corresponds to the certified public key. The CAs are third parties trusted both by the owner of the certificate and by the other party relying on the certificate.
The main use of HTTPS is to secure your online activities from bad guys who are always watching and sniffing your network, snooping into your affairs like Paul. Internet privacy and data protection should be everyone's responsibility. Don't wait until the bad guys catch up with you to get the necessary certificates for your sites or to use HTTPS everywhere for your online communication. And as said earlier, you can generate your own keys, but NO ONE TRUSTS YOU on the internet. Just use the trusted certificate authorities, and let the Pluscom team handle it for you.