Understanding HTTPS: Why It Is Secure and How It Works
This article explains why HTTPS is necessary, describes symmetric and asymmetric encryption, illustrates the key exchange process, and outlines how HTTPS ensures secure communication by preventing eavesdropping, man‑in‑the‑middle attacks, and ensuring certificate trustworthiness.
Before HTTPS, all requests were sent in plaintext, making them vulnerable to eavesdropping and packet sniffing; encryption—both symmetric and asymmetric—protects data during transmission.
1. Why HTTPS is needed – HTTPS encrypts communication to prevent information leakage.
2. Symmetric encryption – Uses the same key for encryption and decryption, but without a secure way to share the key it is vulnerable.
3. Asymmetric encryption – Uses a public‑private key pair; the public key can be shared, while only the holder of the private key can decrypt, yet pure asymmetric encryption alone is also insufficient.
4. Key transmission process
HTTPS combines symmetric encryption for data and asymmetric encryption to securely exchange the symmetric key (key A), ensuring the key does not fall into attackers' hands.
5. Why HTTPS is reliable
It solves three problems: encryption prevents an eavesdropper from reconstructing the transmitted data; CA‑issued certificates block man‑in‑the‑middle attacks; and certificate verification confirms the server’s authenticity.
Certificates are issued by trusted CAs, whose public keys are embedded in operating systems and browsers, guaranteeing that only certificates signed by a legitimate CA are accepted.
6. Role of keys
Each key (symmetric key A, server’s private/public keys, CA’s keys) has a specific function in establishing a secure channel, as illustrated in the final diagram.
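The sketch below is an added example, not code from the original article or the referenced video. It walks through the three key roles described above using Node's built-in crypto module: the CA key pair signs the server's public key, the client checks that signature before wrapping symmetric key A with the server's public key, and key A then encrypts the traffic. Assumptions: the helper names (issueCert, clientWrapKeyA, seal, open, exchange) are hypothetical, and a bare signature over the PEM-encoded public key stands in for a real X.509 certificate.

```javascript
// Added example with constructed keys and messages; not a real TLS handshake.
const { generateKeyPairSync, sign, verify, publicEncrypt, privateDecrypt,
        randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

const newRsaPair = () => generateKeyPairSync('rsa', { modulusLength: 2048 });
const toPem = (publicKey) => publicKey.export({ type: 'spki', format: 'pem' });

// CA keys: the private key signs server public keys, the public key ships with the client.
const ca = newRsaPair();
function issueCert(serverPublicKey) {  // hypothetical, minimal "certificate"
  const publicKeyPem = toPem(serverPublicKey);
  return { publicKeyPem, signature: sign('sha256', Buffer.from(publicKeyPem), ca.privateKey) };
}

// Client: verify the certificate with the trusted CA key, then wrap symmetric key A.
function clientWrapKeyA(cert, trustedCaPublicKey) {
  const valid = verify('sha256', Buffer.from(cert.publicKeyPem), trustedCaPublicKey, cert.signature);
  if (!valid) throw new Error('certificate not signed by trusted CA');
  const keyA = randomBytes(32);
  return { keyA, wrapped: publicEncrypt(cert.publicKeyPem, keyA) };
}

// Symmetric key A protects the actual traffic (AES-256-GCM).
function seal(keyA, plaintext) {
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', keyA, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, body, tag: cipher.getAuthTag() };
}
function open(keyA, { iv, body, tag }) {
  const decipher = createDecipheriv('aes-256-gcm', keyA, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// One request: the server unwraps key A with its private key and decrypts the message.
function exchange(presentedCert, serverPrivateKey, message) {
  const { keyA, wrapped } = clientWrapKeyA(presentedCert, ca.publicKey);
  const serverKeyA = privateDecrypt(serverPrivateKey, wrapped);
  return open(serverKeyA, seal(keyA, message));
}

const server = newRsaPair();
const serverCert = issueCert(server.publicKey);
// A substituted key reusing the genuine signature does not verify.
const intruder = newRsaPair();
const substitutedCert = { publicKeyPem: toPem(intruder.publicKey), signature: serverCert.signature };
console.log(exchange(serverCert, server.privateKey, 'GET /account'));
```

Passing substitutedCert to exchange throws before key A is ever generated, which is the certificate check doing its job.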
Reference: "Web Security 3 – In‑Depth HTTPS Principles" (bilibili video).