SSL/TLS

HTTPS / SSL / TLS – Complete Engineering Notes (0 → 1000)

1. What is HTTP

HTTP (HyperText Transfer Protocol) defines how browsers and servers exchange web data.
It works over port 80 and transfers information in plain text.

Because it is unencrypted, anyone between client and server (ISP, router, hacker) can read or alter the data.

Example (insecure):

POST /login
{
  "email": "user@example.com",
  "password": "password123"
}

2. What is HTTPS

HTTPS = HTTP + SSL/TLS security layer
It works over port 443 and encrypts all communication between browser and server.

Even if packets are intercepted, they appear as unreadable ciphertext.

3. OSI Layer Perspective

Layer

Protocol

7

HTTP (Application)

6.5

SSL / TLS (Security)

4

TCP (Transport)

3

IP (Network)

TLS operates between HTTP and TCP, encrypting all HTTP data before transmission.

4. SSL vs TLS

Protocol

Full Form

Status

SSL

Secure Sockets Layer

Deprecated

TLS

Transport Layer Security

Current standard

TLS is the protocol actually used in HTTPS.
The phrase “SSL certificate” is historical.

5. Core Encryption Concepts

Symmetric Encryption

  • One key is used for both encryption and decryption.

  • Very fast (e.g., AES, ChaCha20).

  • Requires both sides to already share the key securely.

Asymmetric Encryption

  • Two related keys:

    • Public key: shared openly.

    • Private key: kept secret by owner.

  • Enables secure key exchange and authentication.

  • Examples: RSA, ECC.

  • Slower than symmetric algorithms.

6. Why HTTPS Uses Both

HTTPS uses a hybrid model:

Stage

Type

Purpose

1

Asymmetric

Securely exchange the symmetric key

2

Symmetric

Encrypt all actual application data efficiently

Asymmetric encryption establishes a secure tunnel; symmetric encryption moves the data through it quickly.

7. TLS Handshake (Simplified)

Step

Description

Encryption Type

1

TCP handshake (connection setup)

2

ClientHello – browser lists supported ciphers

3

ServerHello – server sends its certificate and public key

4

Client verifies certificate authenticity

5

Client generates random symmetric session key

Symmetric key generation

6

Client encrypts session key with server’s public key and sends it

Asymmetric

7

Server decrypts with its private key

Asymmetric

8

Both sides now share the same symmetric key

Shared secret

9

All subsequent data encrypted using that key

Symmetric

Result: a secure channel between browser and server.

8. Who Generates the Symmetric Key

The client (browser) generates a random session key, encrypts it with the server’s public key, and sends it to the server.
The server decrypts it with its private key.
Each new session uses a new key, providing forward secrecy.

9. Why Asymmetric Encryption Alone Is Not Used

  • Too slow and CPU-intensive.

  • Encrypted output is large.

  • Private keys are long-term and would compromise all sessions if leaked.

  • Symmetric algorithms are thousands of times faster and hardware-accelerated.

Hence only the handshake uses asymmetric encryption; data transfer uses symmetric encryption.

10. The MITM Problem

A hacker sitting between client and server could intercept traffic and replace the server’s public key with their own.
If the client used that key, the hacker could decrypt the session key and read all traffic.

This is called a Man-in-the-Middle (MITM) attack.

11. The Defense: Certificates and Certificate Authorities

The server’s public key is delivered inside a digital certificate, which is digitally signed by a trusted Certificate Authority (CA).

A certificate contains:

  • Domain name (e.g., pms.chatweave.space)

  • Server public key

  • Validity period

  • CA’s digital signature

When the browser receives it, it:

  1. Verifies the CA’s signature using the CA’s public key (in its trust store).

  2. Checks the certificate’s domain, expiry, and chain of trust.

If valid, the connection continues.
If invalid, the browser blocks the connection.

12. Why a Hacker Cannot Modify a Certificate

The CA’s digital signature covers the entire certificate (including the public key).
Changing any bit—like replacing the key—changes the hash and invalidates the signature.
Only the CA’s private key can create a valid signature, and that private key never leaves secure CA hardware.

13. Chain of Trust

Root CA  →  Intermediate CA  →  Server Certificate

Browsers trust the root CA.
Each intermediate and server certificate must be signed by the level above.
If any link in the chain fails verification, the connection is rejected.

14. What HTTPS Encrypts

Component

Encrypted

Request method & path (POST /login)

Yes

HTTP headers (cookies, tokens)

Yes

Request body (JSON, form data, files)

Yes

Response headers

Yes

Response body (HTML, JSON, images)

Yes

Domain name

No

IP address

No

Port (443)

No

All sensitive application-level data is encrypted.
Only routing metadata (IP, port, domain name) remains visible.

15. TLS 1.3 Enhancements

  • Fewer handshake messages (faster setup).

  • Stronger cipher suites only.

  • Uses Ephemeral Diffie-Hellman (ECDHE) to derive a symmetric key without sending it.

  • Ensures Perfect Forward Secrecy.

16. Man-in-the-Middle Summary

Attack

Mitigation

Hacker replaces public key

Certificate signed by trusted CA

Fake certificate presented

Browser verifies CA signature

Wrong-domain certificate

Domain mismatch check

Attempted decryption

Computationally infeasible

Packet interception

TLS encryption hides content

17. Real-World Data Flow

Client (Browser)
  └── TCP Handshake
  └── TLS Handshake (certificate verification + key exchange)
  └── Encrypted HTTP data transfer
Server (Nginx)

All HTTP data after the handshake is transmitted as encrypted binary data.

18. HTTPS Guarantees

Property

Definition

Confidentiality

Data is encrypted so others cannot read it.

Integrity

Data cannot be modified silently.

Authentication

Server identity is verified via certificate.

19. Real Example (Encrypted Login)

Request:

POST https://pms.chatweave.space/login
{
  "email": "user@domain.com",
  "password": "SecurePass@123"
}

Over HTTPS the entire payload is encrypted into binary ciphertext.
Only the browser and the target server can decrypt it.

20. Visual Summary

1. Plain HTTP
   Browser    Server
   Data visible to anyone.

2. HTTPS
   Browser  TLS handshake  Server
   Certificate verified.
   Symmetric key exchanged.
   Encrypted HTTP data thereafter.

21. Key Takeaways

  • HTTP is plaintext; HTTPS encrypts all data.

  • TLS is the protocol providing encryption and authentication.

  • HTTPS uses asymmetric encryption for key exchange and symmetric encryption for data.

  • Certificates bind a domain to its public key.

  • CAs digitally sign certificates; browsers verify them.

  • A hacker cannot forge or alter a certificate without the CA’s private key.

  • TLS 1.3 adds stronger encryption and faster performance.

  • HTTPS ensures confidentiality, integrity, and authentication.

22. Analogy Summary

Real-World Concept

HTTPS Equivalent

Passport issued by government

Server certificate issued by CA

Public passport info

Public key

Government seal

CA digital signature

Officer verifying seal

Browser verifying CA signature

Personal private key

Server private key

Shared secret code

Symmetric session key

Private conversation

Encrypted HTTPS session

23. Final Definition

HTTPS (HyperText Transfer Protocol Secure)
is the secure version of HTTP that uses the TLS protocol to:

  1. Authenticate the server’s identity.

  2. Encrypt communication for confidentiality.

  3. Maintain data integrity against tampering.

Updated on