Introduction to HTTPS: Principles, TLS Handshake, Certificate Management, and Cipher Suites
This article explains what HTTPS is, why it is needed, how TLS handshakes secure communication using asymmetric and symmetric encryption, the role of digital certificates and trust chains, methods of certificate revocation, and how to choose appropriate cipher suites for optimal security and performance.
HTTPS (Hypertext Transfer Protocol Secure) is HTTP carried over a TLS (historically SSL) layer that sits between HTTP and TCP. TLS provides confidentiality, integrity protection, and authentication of the server (client authentication is optional and rarely used on the public web).
HTTPS is required because plain HTTP transmits data in clear text, exposing it to eavesdropping, tampering, and impersonation: anyone on the path can read, modify, or spoof the traffic.
Security is achieved by combining asymmetric cryptography (for key exchange and for authenticating the server), symmetric encryption (for bulk data transfer), and hash-based constructions such as HMAC or AEAD tags (for integrity verification). The TLS 1.2 handshake, which the article walks through, negotiates the protocol version, cipher suite, and keys with the messages Client Hello, Server Hello, Server Certificate, Server Key Exchange (only for (EC)DHE suites, where the server signs its ephemeral parameters with the certificate key), Server Hello Done, Client Key Exchange, Change Cipher Spec, and Finished. Both sides then derive identical symmetric keys from the exchanged random values and the shared secret. Note that TLS 1.3 restructures this flow: key exchange is always ephemeral (EC)DHE or PSK, static RSA key transport is gone, and the handshake completes in one round trip.
The handshake process is illustrated with a captured example of accessing https://www.baidu.com, showing the contents of each message.
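The key-derivation side of that handshake, as an added example that is not from the original article: the messages above only carry random values and public key-exchange data, so this script shows how both endpoints turn them into the same master secret and record keys. The PRF and key-block layout follow RFC 5246 (sections 5, 6.3 and 8.1). The Diffie-Hellman group is a constructed toy (p = 2**127 - 1, g = 5, labelled insecure in the code) so that the example runs offline with the standard library; a real handshake uses a named curve or a 2048-bit or larger MODP group.

```python
"""TLS 1.2 key derivation walked end to end with the standard library only.

Added example, not from the original article. The Diffie-Hellman group is a
constructed toy (p = 2**127 - 1, g = 5) so the script runs offline; a real
handshake uses a named curve or a >= 2048-bit MODP group. The PRF and key-block
layout follow RFC 5246 (sections 5, 6.3 and 8.1)."""
import hashlib
import hmac
import os

TOY_P = 2**127 - 1   # toy prime, insecure: for demonstration only
TOY_G = 5


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion: HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) ..."""
    out, a = b"", seed                                        # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()      # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label || seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret; note the client_random || server_random seed order."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_key_len: int = 0, enc_key_len: int = 16, iv_len: int = 4) -> dict:
    """Expand and partition the key block (defaults: AES-128-GCM, which has no
    separate MAC keys and a 4-byte fixed IV). Seed order flips to server || client."""
    sizes = [("client_write_MAC_key", mac_key_len), ("server_write_MAC_key", mac_key_len),
             ("client_write_key", enc_key_len), ("server_write_key", enc_key_len),
             ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    blk = prf(master, b"key expansion", server_random + client_random, sum(n for _, n in sizes))
    keys, pos = {}, 0
    for name, n in sizes:
        keys[name], pos = blk[pos:pos + n], pos + n
    return keys


def dh_public(priv: int) -> int:
    return pow(TOY_G, priv, TOY_P)


def dh_premaster(priv: int, peer_pub: int) -> bytes:
    """Shared DH value used as pre_master_secret (big-endian, padded to the length of p)."""
    return pow(peer_pub, priv, TOY_P).to_bytes(16, "big")


def derive_keys(priv: int, peer_pub: int, client_random: bytes, server_random: bytes) -> dict:
    """What one side computes after ClientKeyExchange: premaster -> master -> key block."""
    ms = master_secret(dh_premaster(priv, peer_pub), client_random, server_random)
    return {"master_secret": ms, **key_block(ms, client_random, server_random)}


def handshake_demo() -> tuple:
    """Simulate the message flow and return (client_keys, server_keys)."""
    client_random = os.urandom(32)                  # ClientHello.random
    server_random = os.urandom(32)                  # ServerHello.random
    server_priv = int.from_bytes(os.urandom(15), "big") + 2   # 120-bit exponent, < p
    client_priv = int.from_bytes(os.urandom(15), "big") + 2
    server_pub = dh_public(server_priv)             # carried in ServerKeyExchange, signed with the cert key
    client_pub = dh_public(client_priv)             # carried in ClientKeyExchange
    client_keys = derive_keys(client_priv, server_pub, client_random, server_random)
    server_keys = derive_keys(server_priv, client_pub, client_random, server_random)
    return client_keys, server_keys


if __name__ == "__main__":
    c, s = handshake_demo()
    print("both sides agree:", c == s)
    for k, v in c.items():
        print(f"{k:22} {v.hex() or '(empty)'}")
```

The two random values matter as much as the shared secret: they bind the derived keys to this particular handshake, so a replayed Client Key Exchange against a fresh Server Hello yields different keys. For an AEAD suite the MAC-key slots are empty, which is why the key block defaults above produce only keys and fixed IVs.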
Certificates are digital documents that bind a public key to an identity. An X.509 certificate carries the subject, the issuer, a validity period, the public key, and a signature made with the issuer's private key. Trust is established through a certificate chain: the client verifies each certificate's signature with the public key of the certificate above it, checks that issuer and subject names chain correctly and that every certificate is within its validity period, and stops at a root CA that is already present in its local trust store. Servers normally send the intermediate certificates along with their own, since clients only hold roots.
Certificate revocation lets a CA withdraw a certificate before its validity period ends, typically after a key compromise or mis-issuance; expiry itself is checked from the validity period, not through revocation. Revocation status is published either as a Certificate Revocation List (CRL), a signed list the client downloads and searches, or through the Online Certificate Status Protocol (OCSP), where the client asks the CA's responder about one serial number. In practice many clients soft-fail when the responder is unreachable, so a server-side OCSP stapling configuration, which attaches a fresh signed response to the handshake, is the more reliable way to deliver revocation information.
A cipher suite defines the set of algorithms used in a TLS connection, including key exchange (Kx), authentication (Au), symmetric encryption (Enc), and message authentication (Mac). In OpenSSL notation a name such as ECDHE-RSA-AES128-GCM-SHA256 reads as ECDHE key exchange, RSA authentication, AES-128 in GCM mode, and SHA-256 as the PRF hash; for AEAD modes such as GCM and ChaCha20-Poly1305 there is no separate MAC, because the cipher itself authenticates the data. TLS 1.3 suites (for example TLS_AES_256_GCM_SHA384) name only the AEAD cipher and the hash, since key exchange is always ephemeral and authentication is negotiated separately. Modern selections favor ECDHE for key exchange, which gives forward secrecy, and AES-GCM or ChaCha20-Poly1305 for symmetric encryption, because they combine strong security with hardware-accelerated performance. Suites built on static RSA key exchange (no forward secrecy), RC4, 3DES, or MD5 should be disabled.
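To make the Kx / Au / Enc / Mac decomposition concrete, here is an added example (not from the original article) that parses OpenSSL-style cipher-suite names into those four components and flags the weak choices the paragraph warns about. It goes a little beyond the text by also handling TLS 1.3 names and the ChaCha20-Poly1305 suites, whose OpenSSL names omit the hash suffix. The list of suite names is a constructed sample, not the output of any real scan, and the grading thresholds are this example's own convention.

```python
"""Decompose OpenSSL-style cipher-suite names into Kx / Au / Enc / Mac and flag
weak choices. Added example for this article; SAMPLE_SUITES is a constructed
list, not a real scan result, and the grades are this example's own convention."""

FS_KX = {"ECDHE", "DHE"}                 # ephemeral exchange: forward secrecy
OTHER_KX = {"ECDH", "DH"}                # static (EC)DH: long-term key, no forward secrecy
ANON_KX = {"ADH", "AECDH"}               # anonymous ephemeral DH: nobody is authenticated
AU_TOKENS = {"RSA", "ECDSA", "DSS", "PSK"}
AEAD_MARKERS = ("GCM", "CCM", "POLY1305")
BROKEN_ENC = ("RC4", "DES", "NULL", "RC2", "IDEA", "SEED", "EXP")   # "DES" also catches DES-CBC3 (3DES)
HMAC_NAMES = {"MD5": "HMAC-MD5", "SHA": "HMAC-SHA1", "SHA256": "HMAC-SHA256", "SHA384": "HMAC-SHA384"}

SAMPLE_SUITES = [                        # constructed sample
    "TLS_AES_256_GCM_SHA384",            # TLS 1.3
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-SHA",                # CBC + HMAC-SHA1, but still forward secret
    "AES128-GCM-SHA256",                 # bare name: static RSA key transport
    "ECDHE-RSA-RC4-SHA",
    "DES-CBC3-SHA",
    "ADH-AES128-SHA",
]


def parse_suite(name: str) -> dict:
    """Split a suite name into its components."""
    if name.startswith("TLS_"):
        # TLS 1.3 names carry only the AEAD cipher and the HKDF hash; the key
        # exchange is always ephemeral (EC)DHE/PSK and the signature algorithm is
        # negotiated in an extension, so neither appears in the name.
        enc, hsh = name[4:].rsplit("_", 1)
        return {"name": name, "kx": "ECDHE/DHE (TLS 1.3 key_share)", "au": "certificate or PSK (TLS 1.3)",
                "enc": enc.replace("_", "-"), "aead": True, "mac": "AEAD", "hash": hsh, "forward_secrecy": True}
    parts = name.split("-")
    if parts[-1] == "POLY1305":          # RFC 7905 suites all use SHA-256 but the OpenSSL name omits it
        hsh = "SHA256"
    else:
        hsh = parts.pop()
    if parts[0] in ANON_KX:
        kx, au = parts.pop(0), "anon"
    elif parts[0] in FS_KX | OTHER_KX:
        kx = parts.pop(0)
        au = parts.pop(0) if parts[0] in AU_TOKENS else "unknown"
    elif parts[0] == "PSK":
        kx = au = parts.pop(0)
    else:
        kx = au = "RSA"                  # e.g. AES128-GCM-SHA256: RSA key transport and RSA auth
    enc = "-".join(parts)
    aead = any(m in enc for m in AEAD_MARKERS)
    return {"name": name, "kx": kx, "au": au, "enc": enc, "aead": aead,
            "mac": "AEAD" if aead else HMAC_NAMES.get(hsh, hsh), "hash": hsh,
            "forward_secrecy": kx in FS_KX | ANON_KX}


def assess(name: str) -> list:
    """Return the list of problems found with a suite (empty means none)."""
    s = parse_suite(name)
    findings = []
    if s["au"] == "anon":
        findings.append("anonymous key exchange: the peer is not authenticated")
    if not s["forward_secrecy"]:
        findings.append("static key exchange: no forward secrecy")
    if any(b in s["enc"] for b in BROKEN_ENC):
        findings.append(f"weak or broken cipher: {s['enc']}")
    if not s["aead"]:
        findings.append(f"legacy non-AEAD mode with {s['mac']}")
    if s["hash"] == "MD5":
        findings.append("MD5-based MAC/PRF")
    return findings


def grade(name: str) -> str:
    f = assess(name)
    if not f:
        return "recommended"
    if len(f) == 1 and f[0].startswith("legacy"):
        return "acceptable-legacy"        # forward-secret CBC suite: keep only for old clients
    return "avoid"


def audit(suites: list) -> dict:
    return {s: grade(s) for s in suites}


if __name__ == "__main__":
    for suite, g in audit(SAMPLE_SUITES).items():
        p = parse_suite(suite)
        print(f"{suite:32} Kx={p['kx']:<28} Au={p['au']:<28} Enc={p['enc']:<18} Mac={p['mac']:<12} {g}")
        for f in assess(suite):
            print("    -", f)
```

Run against a server's actual offered list (for example the names from `openssl s_client` output or a scanner report) the same functions give a quick first-pass audit; the interesting cases are the bare names such as AES128-GCM-SHA256, which look modern because of GCM but still lack forward secrecy.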
UC Tech Team
We provide high-quality technical articles on client, server, algorithms, testing, data, front-end, and more, including both original and translated content.