The Secure Lock Icon 🔒
Every day we use web browsers like Google Chrome and Mozilla Firefox for many of our daily activities: we shop, we play, we watch videos, we listen to music and much more. You may already have noticed that, for most of the websites we visit, there is a lock icon right before the website address. Have you ever wondered what this lock icon is and why it matters for the websites we visit?
Today, let's explore the story of this lock icon and why we should worry if there is no lock icon for a website we visit.
Hyper Text Transfer Protocol Secure (HTTPS)
When the World Wide Web was created at the beginning of the 1990s, a protocol named HyperText Transfer Protocol (HTTP) was defined for browsers and web servers to communicate with each other. Just as we use spoken languages like English, French or Spanish, computers use HTTP to talk to each other over the network. This protocol was adopted all over the world and became very popular.
But the downside of this protocol is that it is not secure.
Any data sent over the network using HTTP travels as plain text, so an attacker on the path (on the same Wi-Fi network, at the ISP, or anywhere in between) can sniff it and read or modify it. To prevent this, Hyper Text Transfer Protocol Secure (HTTPS) was created: it is the same HTTP, carried inside an encrypted and authenticated TLS connection.
Let us say you want to visit a website and log in with your username and password. You enter your credentials and click the Login button. These details have to be transmitted over the network to the web server so that it can validate them and log you in. If the website uses HTTP, an attacker who can sniff the network while your login details are in transit can read or modify them. If the website uses HTTPS, the attacker cannot do this, because the data is encrypted in such a way that only the web server can read it, and any modification in transit is detected and the connection is rejected.
How can HTTPS secure the Data?
Let us now get into the technical details of HTTPS and see how HTTPS can secure the communication between two devices over the network.
HTTPS works with the help of Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS). In the TCP/IP model (the network stack implemented by the operating system to send and receive data over the network), HTTP is an application-layer protocol, and SSL/TLS sits between the application layer and the transport layer (TCP). It provides the encryption and authentication that HTTP lacks. SSL was designed by Netscape in the mid-1990s; after serious vulnerabilities were found in it, it was replaced by TLS (TLS 1.0 in 1999). Today SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 are all deprecated and should be disabled on servers; only TLS 1.2 and TLS 1.3 are considered secure. People still say "SSL certificate" out of habit, but what is meant is a TLS certificate.
Let us say you want to visit a website, for example hacklido.com.
You open your browser, type hacklido.com in the URL bar and hit Enter. Historically, a bare host name like this meant plain http://, so the browser first sent an unencrypted request; the server then answered with a redirect (HTTP 301) to the https:// address, and only then was the HTTPS connection set up. That first unencrypted request is a window an attacker on the path can exploit, so well-configured sites send a Strict-Transport-Security (HSTS) header telling the browser to use HTTPS directly on future visits, and recent versions of Chrome try https:// first by default.
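As an added example (not code from the original article), here is a small Python simulation of how a host typed without a scheme ends up on HTTPS: the historic plain-HTTP first request, the server's 301 redirect, and the HSTS header that lets the browser skip the unprotected request on later visits. The host, header values and clock values are constructed for the example; real browsers persist the HSTS list on disk and also ship a built-in preload list.

```python
"""Added example, not from the original article: how a host typed without a
scheme ends up on HTTPS. Simulates the historic plain-HTTP first request, the
server's 301 redirect, and the HSTS header that makes the browser go straight
to HTTPS on later visits. Hosts, headers and clock values are constructed."""
from typing import Dict, List, Optional, Tuple

# HSTS cache: host -> time (unix seconds) until which HTTPS must be used.
# Browsers persist this on disk; here it is an in-memory dict.
HSTSCache = Dict[str, float]
T0 = 1_000_000.0                 # constructed clock value for the first visit


def parse_hsts(header_value: str) -> Optional[int]:
    """Return max-age (seconds) from a Strict-Transport-Security value, or
    None if no valid max-age directive is present (the policy is then ignored)."""
    max_age = None
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
    return max_age


def choose_scheme(typed_host: str, cache: HSTSCache, now: float) -> str:
    """Browser side: hosts with an unexpired HSTS entry are contacted over
    HTTPS directly; otherwise the historic default of plain HTTP is used."""
    expiry = cache.get(typed_host.lower())
    return "https" if expiry is not None and expiry > now else "http"


def server_plain_http(host: str, path: str) -> Tuple[int, Dict[str, str]]:
    """Server side: a well-configured server answers every plain-HTTP request
    with a redirect to the HTTPS URL and nothing else."""
    return 301, {"Location": f"https://{host}{path}"}


def server_https() -> Tuple[int, Dict[str, str]]:
    """The HTTPS response carries the HSTS policy (one year here). Browsers
    only honour the header when it arrives over HTTPS, never over plain HTTP."""
    return 200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}


def simulate_visit(typed_host: str, path: str, cache: HSTSCache, now: float) -> List[str]:
    """Walk through one visit and return the schemes used, in order."""
    used = [choose_scheme(typed_host, cache, now)]
    if used[0] == "http":
        # This request leaves the browser unencrypted: an attacker on the path
        # could answer it in place of the real server. HSTS closes this gap.
        status, headers = server_plain_http(typed_host, path)
        if status not in (301, 308) or not headers.get("Location", "").startswith("https://"):
            return used          # no upgrade offered; the visit stays on plain HTTP
        used.append("https")
    _, headers = server_https()
    max_age = parse_hsts(headers.get("Strict-Transport-Security", ""))
    if max_age is not None:
        cache[typed_host.lower()] = now + max_age
    return used


if __name__ == "__main__":
    cache: HSTSCache = {}
    print(simulate_visit("hacklido.com", "/", cache, T0))        # ['http', 'https']
    print(simulate_visit("hacklido.com", "/", cache, T0 + 60))   # ['https']
```

The first visit goes through the unprotected http step and the redirect; once the HSTS policy has been cached, every later visit within max-age starts on HTTPS and the attacker's window is gone. When the policy expires the browser falls back to the old behaviour, which is why sites renew it on every HTTPS response.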
There is a standard procedure that browsers and web servers follow to establish an HTTPS connection. This procedure is the TLS handshake; it runs on top of the TCP connection, before any HTTP request is sent.
Every website that supports HTTPS has an SSL/TLS certificate. A certificate binds the site's host name(s) to a public key and is signed by a Certificate Authority (CA). During the handshake the web server sends its certificate (together with the intermediate CA certificates that link it to a root) to the client, and the client verifies that the certificate is valid and legitimate.
The client performs the following checks on the certificate:
- The certificate must chain up, through valid signatures, to a root Certificate Authority the client trusts. Browsers and operating systems ship with a list of trusted roots. Some well-known CAs are Let's Encrypt, DigiCert (which now also owns the GeoTrust brand), Sectigo (formerly Comodo) and GlobalSign. Trust can also be withdrawn: browsers stopped trusting certificates issued by Symantec's CA business in 2018.
- One of the host names listed in the certificate (its Subject Alternative Name entries) must match the server name the client requested, for example hacklido.com, or a wildcard such as *.hacklido.com.
- The current date must fall within the certificate's validity period, and the certificate must not have been revoked (clients can check this through OCSP or a CRL).
If any of these checks fails, the browser shows a certificate error and the HTTPS connection is not established.
If all checks pass, the certificate is trusted. That alone does not prove the server's identity, because a certificate is public and anyone could send it; the server must also prove during the handshake that it holds the private key matching the certificate's public key.
Putting it together, the handshake runs as follows (the message flow below is TLS 1.3; TLS 1.2 exchanges the same information in a few more messages):
- The client sends a 'client hello' message: the TLS versions and cipher suites it supports, a random value, the host name it wants (Server Name Indication) and its key share for the key exchange.
- The server responds with a 'server hello' choosing the version and cipher suite, sends its own key share and its certificate chain, and signs the handshake so far with the certificate's private key, proving it owns the key.
- The client verifies the certificate as described above and checks that signature. Both sides now derive the same session keys from the exchanged key shares (an ephemeral Diffie-Hellman exchange); no secret key is ever sent over the network, only public shares. These session keys are used to encrypt and decrypt all further data.
- Client and server each send a 'finished' message, protected with the new keys, containing a hash of every handshake message so far. If either side's value does not match, the handshake was tampered with and the connection is dropped.
With that, the TLS handshake is complete and a secure channel exists between client and server. Every HTTP request and response from now on is encrypted and integrity-protected, and the browser shows the lock icon. Note what the lock does and does not mean: it tells you the connection to the named server is encrypted and that the server proved it controls the certificate for that name; it does not tell you the site itself is honest. A phishing site can obtain a perfectly valid certificate for its own domain and will show a lock too.
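As an added example (not code from the original article), the Python below applies the certificate checks described above to a constructed certificate: the host-name check against Subject Alternative Names with the usual wildcard rules, and the validity-period check. In practice the chain signature verification is done by the TLS library; it is represented here only by looking the issuer up in a hypothetical trust store (`TRUSTED_ISSUERS`). The certificate fields, CA name and dates are all constructed for the example.

```python
"""Added example, not from the original article: the non-cryptographic
certificate checks a browser makes, run against a constructed certificate."""
from datetime import datetime, timezone
from typing import Dict, List

# Constructed certificate reduced to the fields the checks below need.
EXAMPLE_CERT: Dict = {
    "san_dns": ["hacklido.com", "*.hacklido.com"],   # Subject Alternative Names
    "issuer": "Example Trusted CA",                  # hypothetical CA name
    "not_before": datetime(2024, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc),
}
# Hypothetical trust store; a real client verifies the signature chain instead.
TRUSTED_ISSUERS = {"Example Trusted CA"}
# Constructed "current time" values used when running the checks.
NOW_VALID = datetime(2024, 6, 1, tzinfo=timezone.utc)
NOW_EXPIRED = datetime(2026, 1, 1, tzinfo=timezone.utc)


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: case-insensitive, and '*' is allowed only as
    the whole leftmost label, where it matches exactly one label. So
    '*.hacklido.com' matches 'blog.hacklido.com' but not 'hacklido.com'
    or 'a.b.hacklido.com'; 'f*.hacklido.com' and '*.com' are rejected."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]) or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: Dict, hostname: str) -> bool:
    """Names are taken only from subjectAltName; modern browsers no longer
    fall back to the certificate's Common Name."""
    return any(dns_name_matches(n, hostname) for n in cert.get("san_dns", []))


def validity_ok(cert: Dict, now: datetime) -> bool:
    """The current time must lie inside the notBefore..notAfter window."""
    return cert["not_before"] <= now <= cert["not_after"]


def verify_certificate(cert: Dict, hostname: str, now: datetime) -> List[str]:
    """Return the list of failed checks; an empty list means the client
    would accept the certificate (and, after the handshake, show the lock)."""
    failures = []
    if cert["issuer"] not in TRUSTED_ISSUERS:      # stand-in for chain verification
        failures.append("untrusted issuer")
    if not hostname_matches(cert, hostname):
        failures.append("hostname mismatch")
    if not validity_ok(cert, now):
        failures.append("expired or not yet valid")
    return failures


if __name__ == "__main__":
    for host, now in [("hacklido.com", NOW_VALID), ("blog.hacklido.com", NOW_VALID),
                      ("a.b.hacklido.com", NOW_VALID), ("evil.example", NOW_VALID),
                      ("hacklido.com", NOW_EXPIRED)]:
        print(host, now.date(), verify_certificate(EXAMPLE_CERT, host, now) or "OK")
```

The wildcard rules are where real clients have historically gone wrong: a wildcard must be the entire leftmost label and must not swallow more than one label, otherwise a certificate for `*.hacklido.com` would also cover hosts the CA never validated.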