Understanding HTTPS: How Secure Communication Is Achieved Over HTTP

Preface

In recent years, companies have increasingly upgraded their websites to HTTPS to protect data in transit, but many still lack a complete understanding of how HTTPS works. This article explains the HTTPS protocol from basics to advanced concepts.

Why HTTP Is Not Secure

HTTP transmits data in clear text, exposing three major risks:

Eavesdropping: a man‑in‑the‑middle can read the content.

Tampering: a man‑in‑the‑middle can modify the messages.

Impersonation: users may think they are communicating with a legitimate site when they are actually contacting a phishing site.

HTTPS was created to address these three risks.

The Four Principles of Secure Communication

Secure communication must satisfy confidentiality, integrity, authentication, and non‑repudiation.

Confidentiality : encrypt data so eavesdroppers cannot read it.

Integrity : ensure data is not altered during transmission.

Authentication : verify the identity of the communicating parties.

Non‑repudiation : provide proof that a specific action occurred and cannot be denied.

HTTPS implements these principles step by step.

HTTPS Communication Overview

Symmetric Encryption: The Final Encryption Method

Both parties use the same secret key to encrypt and decrypt data, offering high speed and performance. However, the key must be exchanged securely; transmitting it in clear text would defeat the purpose.

Asymmetric Encryption: Solving the Secure Key Exchange Problem

Asymmetric encryption uses a public key (publicly shared) and a private key (kept secret). The public key encrypts data, and only the private key can decrypt it, enabling a secure way to transmit the symmetric key.

Digital Certificates: Establishing Trust for Public Keys

Certificates, issued by a Certificate Authority (CA), embed the server’s public key and are signed with the CA’s private key. Clients verify the certificate’s signature using the CA’s public key, which is trusted and pre‑installed in operating systems.

The verification process includes checking the certificate’s digital signature, ensuring the certificate has not been tampered with, and confirming that the domain name in the certificate matches the requested host.

Certificate Trust Chain

Certificates are organized in a hierarchy: a root CA signs an intermediate CA, which in turn signs the server’s certificate. Clients validate the chain by successively verifying each signature up to the trusted root.

Other HTTPS‑Related Issues

What is mutual authentication?

In addition to the server authenticating the client (e.g., using a USB security token), both sides can present certificates to verify each other’s identity.

What is a certificate trust chain?

The trust chain allows a limited number of root CAs to delegate signing authority to subordinate CAs, making certificate issuance scalable while preserving trust.

Conclusion

HTTPS is essentially HTTP combined with SSL/TLS, whose core function is to negotiate a secure symmetric key for subsequent communication. Understanding symmetric encryption, asymmetric encryption, digital certificates, and digital signatures clarifies why HTTPS protects data and why tools like Charles can still capture plaintext when their CA certificates are trusted.