Understanding HTTPS and SSL/TLS: A Comprehensive Guide to Web Security

Why HTTPS? Because HTTP is not secure! The modern internet is no longer a "pastoral era" - the "dark forest" has arrived. Online records can be easily intercepted, websites cannot be verified as authentic, and hackers can impersonate banking sites to steal sensitive information such as real names, passwords, and bank card details, threatening personal and property safety.

To achieve secure communication, four essential properties must be satisfied: confidentiality, integrity, non-repudiation, and identity authentication .

Confidentiality means data must remain private - only trusted individuals can read it. Integrity (also called consistency) ensures data is not illegally tampered with during transmission. Non-repudiation means one cannot deny actions that have already occurred. Identity authentication confirms the other party's true identity, ensuring messages reach trusted individuals rather than illegal actors.

HTTPS (Hypertext Transfer Protocol Secure) is essentially HTTP with additional security features. It uses a new protocol name "https" with default port 443, while maintaining all other HTTP characteristics. The key difference is that HTTPS runs over SSL/TLS (formerly known as Secure Sockets Layer), adding security to the communication.

SSL was invented by Netscape in 1994 (versions v2 and v3, with v1 never released due to severe flaws). In 1999, the IETF renamed SSL v3 to TLS (Transport Layer Security) version 1.0. TLS consists of several sub-protocols: record protocol, handshake protocol, alert protocol, change cipher spec protocol, and extension protocol, combining symmetric encryption, asymmetric encryption, and identity authentication.

Symmetric Encryption uses the same key for both encryption and decryption. Common algorithms include AES and ChaCha20 (RC4, DES, and 3DES are now considered insecure). AES (Advanced Encryption Standard) supports key lengths of 128, 192, or 256 bits and is the most widely used symmetric encryption algorithm.

Asymmetric Encryption uses a pair of keys: a public key that anyone can use, and a private key that must be kept secret. Either key can encrypt, but only the corresponding key can decrypt. Common algorithms include RSA (based on integer factorization) and ECC (Elliptic Curve Cryptography, based on elliptic curve discrete logarithm). ECC provides better security and performance than RSA - 160-bit ECC is equivalent to 1024-bit RSA.

Due to asymmetric encryption's slower performance, a hybrid encryption approach is used: generate a random session key, encrypt the message with symmetric encryption (for performance), then encrypt the session key with asymmetric encryption. This solves the key exchange problem while maintaining good performance.

Integrity is achieved through digest algorithms (hash functions) like MD5 and SHA-1. These generate fixed-length unique "digests" (fingerprints) of data. Since digest algorithms have no key and cannot be reversed, they provide one-way encryption. Integrity is ensured by comparing digests, typically combined with encryption in what's called HMAC (Hash-based Message Authentication Code).

Digital signatures achieve identity authentication and non-repudiation by using the private key to encrypt a digest of the original text. The recipient uses the public key to decrypt the signature and compares it with a locally computed digest. This proves the message was sent by the holder of the private key.

However, there's still the "public key trust" problem - how to verify that a public key is genuine? This is solved by CA (Certificate Authority) , a trusted third party that signs public keys with digital certificates, binding public keys to their owners' identities. Certificates include serial numbers, purposes, issuers, validity periods, and other information.

OpenSSL is a famous open-source cryptography library and toolkit supporting almost all encryption algorithms and protocols. It has become the de facto standard for implementing TLS functionality in web servers like Apache and Nginx.

Major platforms like Apple, Android, and WeChat have required HTTPS since 2017. Browsers like Chrome and Firefox mark HTTP sites as "insecure." While concerns about HTTPS include perceived slowness, cost, and complexity, modern servers and clients have sufficient computing power, and services like Let's Encrypt provide free certificates.