HTTP & Encryption — Securing the World Wide Web

Afaan Bilal
6 min readFeb 7, 2018

--

HTTPS

The internet is an amazing place. But, the internet is so much more than what everyone considers it to be. What we call as the internet is actually the WWW — World Wide Web. The humongous collection of websites containing exabytes of data filled with information in the form of text, images, audio, video and countless other formats available to the whole wide world. This world wide web was invented by Tim Berners-Lee in 1989 using a protocol he created to communicate between two computers — the client and the server. This protocol is known as HTTP — HyperText Transfer Protocol.

The server is just a computer that has some information and the client is a computer that wants that information (on behalf of its user). So, just like in the world we know, the client sends a request to the server asking for the information it wants and the server sends the requested information back if it indeed does have it and is permitted to give it away. All this communication between the server and the client is done over the internet using the protocol (a set of rules) HTTP.

HTTP is plain text protocol. That is, all the information is sent in plain text in a human readable format.

An HTTP request can be as simple as:

GET /page.html HTTP/1.1
Host: www.example.com

The above lines, when sent by a client to a server, ask that the document /page.html be served to it from a host known as www.example.com

And, if the server has such a document, it may respond as:

HTTP/1.1 200 OK
Date: Wed, 07 Jan 2018 12:00:00 GMT
Content-Type: text/html
Content-Length: 1234
...the contents of page.html...

The above response is sent to the client with the contents of the requested file if everything goes well.

This is what the world wide web was, and in some cases still is, based on.

But, a lot has changed since 1989. The web is not just a place for storing and accessing documents like scientific research, and other such open information. A major part of our lives is now lived on the web, social media, e-commerce, healthcare, essential services and other such sensitive services also make use of the technologies that the web has brought with it. These services mostly deal with sensitive and private information, be those health details, payment information such as credit/debit card numbers, addresses, contact information, etc. This information should only be accessible to a select few individuals and no one else. But, as we already know, HTTP is a plain text protocol. Everything is open, and since the internet is giant mesh of interconnected computers, data flows between all of them openly and anyone who captures these small data packets flowing through the network can just open and read the contents as they’re in plain text.

There needed to be a way to secure this information and make it available only to the intended recipients. The answer was simple — cryptography.

Cryptography: The art of writing secrets.

We’re all familiar to the concept. Take a message and change it to a code using a technique that only you and your intended recipient know about and you can send it in any manner you like and be confident that no one else will be able to read it (if the technique is good enough).

Let’s take a simple real-world example:
A wants to send a message to B. The message must pass through C who is not trusted by either A or B. So, they must find a way to secure their message. A and B go to the market and get a box and a lock with two keys. The box and one key is kept by A while the other is given to B. A writes down the message and puts it in the box and locks it using the lock and key and the sends off the box to B. It passes through C who, even though he has the box, cannot open it as he does not have the key to the lock. This box then reaches B and he opens it with his key and reads the message. To send a message back, he repeats the same process. This is known as symmetric key encryption. “Symmetric” because the key used by both parties is same.

But, what if you had to send a message to someone you’d never met before?

Let’s take another example:
A wants to send a secret recipe to B but A and B live in different countries. They can’t meet physically so they cannot exchange keys like in the case above. The message, as above, must go through C whom they do not trust. So, what do they do?

They could send the keys to each other but they’d have to go through C. What if C keeps the key and box sent by B and then sends his own key and box to A? A won’t be able to know if this is the same box and lock as sent by B and that way, when A locks the box, C can then open it using the key he has and read the message and then close the box using the key sent by B and send the box on to B who won’t ever know that C had already read the message.

But, A and B are pretty smart. They devise a new way. Since A wants to send a message to B, B sends a special box created by their friend Z whom both A and B trust. This box has a special SEAL OF APPROVAL from Z saying that Z personally knows that this box belongs to B. This seal is such that it cannot be forged or tampered with without destroying the box itself. This box has an open lock which can be closed without a key. When A receives this box and checks and verifies the seal from Z, s/he can be sure that this is the box sent by B and not something that C sent himself. Then, A puts in the message and closes the lock. Now, the box is closed and only B can open it using the only key to the lock and read the message. The same process can be repeated by A to get a message from B.

This is known as Public Key Cryptography.
This is so called because it involves two things: The box — known as the “public key” and the key — known as they “private key”. The public key is shared with the world and the private key is kept, well, private!

So, how does this help us in securing HTTP?

HTTPS To The Rescue

This Public Key Encryption system allows two parties to communicate securely even if they’ve never met each other. And when we’re using the internet, our computer — the client, has never met the server (supposing that we’re accessing the site for the first time) and thus must use this system for securing the data. The role of Z is played by special entities called as Certificate Authorities (CAs) which issue those seals of approval called as SSL Certificates.

However, as compared to symmetric encryption, public key encryption is quite slow and does not scale well as the amount of data increases. Thus, Public Key Encryption is only used as an authentication and a key-exchange mechanism, that is, to verify the server’s identity and to exchange keys which can then be used for symmetric encryption of the data as symmetric encryption is faster and can be used with as large amounts of data as you’d want.

All this is implemented in what we call as TLS — Transport Layer Security (formerly SSL — Secure Sockets Layer).

Now, we can securely communicate over an insecure transmission medium (the internet). This type of communication is known as HTTP over TLS or simply HTTPS — HyperText Transfer Protocol Secure.

And that’s HTTPS for you — securing your important communications — be that your payment information or service accounts or social logins or anything else at all!

Thank you for reading.

Disclaimer: Although every care has been taken to ensure that all the information presented in this article is correct, no guarantees can be given.

--

--

Afaan Bilal

Senior Software Development Engineer @ Centiment. Co-Founder @ Shmooze. CEO @ Alpha Magnus Studios. Civil Engineer from NIT, Srinagar.