As part of my internship project I had to learn about HTTPS, how it works and how to use HTTPS to secure SOAP based web services written in java.
Why do we need HTTPS?
The document transfer protocol of choice for the internet, HTTP uses a plain text format for transfering data. Hence anyone who is able to intercept the communication channel(MITM attack) can view everything that is being transmitted by the sender and receiver. This is specially a problem for wireless networks where any one with a pretty basic wireless network adapter can tap into and listen to the communications channel.
This can be demonstrated using free and opensource tools like Wireshark and mitmproxy
Now lets check login to the same website with https enabled and inspect the packets:
So, HTTP by default is not suitable for sending private data. For this we need some protocol which provides data security using encryption like HTTPS
What is TLS/SSL?
The required data security/encryption can be provided by many mechanisms, but TLS/SSL has become the ubiquitous defacto standard for the Internet. SSL stands for Secure Socket Layer and TLS is Transport Layer Security. Both are more or less the same specifications with minor differences which we can generally ignore.
Basics of encryption
Broadly speaking there are two kinds of cryptographic techniques used to encrypt data in SSL: symmetric key and asymmetric key cryptography.
Now in case of asymmetric key or public key cryptography, there is a pair of keys. One is called the private key and the other is called its public counterpart or simply public key. Data encrypted with the private key can only be decrypted using the corresponding public key and that encrypted using a public key and only be decrypted using the corresponding private key. Hence, in this case the problem of sharing a secret is taken care off.
A basic overview of TLS/SSL:
At this point in time, the SSL handshake is complete and the client and server may begin exchanging application layer protocol data units (using the SSL Application Data Protocol).
Now lets look into the handshake process using wireshark:
A few words about certificates:
As described earlier the ssl protocol requires that the communicating peers verify their identity using digitally signed certificates. These certificates are generally issued by some trusted certifying authority(CA) which guarantees the identity of the senders.
The most commonly used format for exchanging these certificates is the X.509 format.
There is another type of cerificate scheme which is gaining popularity called the PGP.