Understanding the Principles and Security Mechanisms of HTTPS

With the decreasing cost of HTTPS deployment, most websites now use the protocol, but many still have fundamental questions about its security.

Why is HTTPS considered secure? HTTPS encrypts data during transmission, but the encryption of the content itself uses symmetric encryption; asymmetric encryption is only used during the certificate verification phase.

HTTPS implementation principle

The overall process consists of a certificate verification stage and a data transmission stage.

Certificate verification stage

1. The browser initiates an HTTPS request. 2. The server returns its SSL/TLS certificate. 3. The client validates the certificate; if invalid, a warning is shown.

Data transmission stage

1. After a successful certificate check, the client generates a random number locally. 2. The random number is encrypted with the server’s public key and sent to the server. 3. The server decrypts the random number using its private key. 4. Both sides derive a symmetric encryption key from the random number and use it to encrypt all subsequent data.

Why is symmetric encryption used for data transmission? Asymmetric encryption is computationally expensive and unsuitable for the high‑frequency exchanges of HTTP, while only the server holds the private key, making symmetric encryption the practical choice for bulk data.

Why are CA‑issued certificates required? Without a trusted authority, anyone could create a certificate, enabling classic man‑in‑the‑middle (MITM) attacks. A CA vouches for the binding between a domain and a public key.

MITM attack process

1. The victim’s request is hijacked (e.g., DNS hijack) and redirected to the attacker. 2. The attacker presents a forged certificate. 3. The client encrypts a random number with the attacker’s public key. 4. The attacker decrypts the random number, establishes a symmetric channel with the client, and forwards the request to the legitimate server using its own symmetric channel. 5. The attacker decrypts the server’s response and re‑encrypts it for the client.

Because the client never validates the forged certificate, it cannot detect the interception.

How does a browser ensure a CA certificate’s legitimacy?

1. Verify domain name, validity period, etc. 2. Check the certificate’s issuance chain against locally stored trusted root certificates. 3. Verify the certificate has not been tampered with (via CA server). 4. Check revocation status using CRL or OCSP.

Can HTTPS prevent packet capture? The encrypted payload cannot be read by ordinary sniffers, but if a user explicitly trusts a proxy’s certificate, a MITM proxy can decrypt and re‑encrypt the traffic. Therefore, HTTPS only protects against passive eavesdropping, not active, user‑authorized interception.

What about the security of the locally generated random number? HTTPS does not guarantee the protection of the client’s random number; its safety depends on the endpoint’s overall security (antivirus, anti‑malware, browser updates, etc.).

Summary (Q&A)

Q: Why is HTTPS secure? A: It ensures confidentiality and integrity of data in transit and authenticates the server.

Q: How does the HTTPS transmission work? A: The client obtains the server’s certificate, validates it, encrypts a random number with the server’s public key, and then both sides use the derived symmetric key for data encryption.

Q: Why are certificates needed? A: To prevent MITM attacks and provide server identity verification.

Q: Can HTTPS be captured? A: Yes, if the user trusts a malicious proxy; otherwise, passive capture only sees encrypted data.

Author: leapmie Source: https://urlify.cn/zQj6f2