Understanding HTTPS Requests

Question : What is an HTTPS Request?

An HTTPS request is a request sent from a client (e.g., a web browser, mobile app, or another server) to a web server using the HTTPS (Hyper Text Transfer Protocol Secure) protocol. HTTPS is the secure version of HTTP, which means all communication is encrypted using TLS (Transport Layer Security).

Question : How an HTTPS Request Works?

1. Client Sends a Request

• The client (browser or app) makes a request to the server using a URL like:

•   https://example.com/api/data
  

This request may contain:

• Method (e.g., GET, POST, PUT, DELETE)

• Headers (e.g., Authorization, Content-Type)

• Body (for POST or PUT requests)

2. TLS Handshake

   • Before sending data, the client and server establish a secure connection using TLS encryption.

   • The server presents an SSL/TLS certificate, which the client verifies to ensure the connection is secure.

3. Server Processes the Request

   • The server reads the request, processes the data, and executes the required actions (e.g., retrieving data from a database).

   • It then prepares a response.

4. Server Sends the Response

   • The server responds with:

     • Status Code (e.g., 200 OK, 404 Not Found)

     • Headers (e.g., Content-Type: application/json)

     • Response Body (e.g., JSON data)

5. Client Receives and Displays Data

   The client processes the response and displays the data accordingly.

   Example of an HTTPS Request

   1. Using JavaScript (Fetch API)

    fetch("https://example.com/api/data", {
      method: "GET",
      headers: {
        "Authorization": "Bearer your_token_here"
      }
    })
      .then(response => response.json())
      .then(data => console.log(data))
      .catch(error => console.error("Error:", error));

2. Using Express.js to Handle HTTPS Requests

const express = require("express");
const https = require("https");
const fs = require("fs");

const app = express();

app.get("/", (req, res) => {
  res.send("Hello, Secure World!");
});

// Load SSL/TLS certificate and key
const options = {
  key: fs.readFileSync("server.key"),   // Private key
  cert: fs.readFileSync("server.crt"),  // SSL certificate
};

// Create an HTTPS server
https.createServer(options, app).listen(443, () => {
  console.log("HTTPS Server running on port 443");
});

One question may arise here is what is HTTPS protocol ?

HTTPS (Hyper Text Transfer Protocol Secure) is the secure version of HTTP. It is a communication protocol used to transfer data between a web browser (or client) and a web server over a secure connection. HTTPS ensures that data is encrypted, authenticated, and protected from tampering using TLS (Transport Layer Security)

How HTTPS Works (Step-by-Step)

1. Client Requests a Secure Connection

   • The browser (or client) requests a secure connection to a server by using https:// in the URL (e.g., https://example.com).

2. Server Responds with an SSL/TLS Certificate

   • The server provides its SSL/TLS certificate, which contains:

     • The domain name (e.g., example.com).

     • The organization name (for verified certificates).

     • The public key.

     • A digital signature from a Certificate Authority (CA).

3. Client Verifies the Certificate

   • The browser checks the certificate’s authenticity using the Certificate Authority (CA).

   • If the certificate is valid, the browser and server proceed with encryption.

4. TLS Handshake & Key Exchange

   • The client and server establish an encrypted connection by exchanging cryptographic keys.

   • This ensures that all data transferred is encrypted and secure.

5. Secure Data Transfer Begins

   • Now, all communication (HTTP requests and responses) is encrypted, protecting it from hackers, man-in-the-middle (MITM) attacks, and data leaks.

Key Components of HTTPS

🔹 TLS/SSL (Transport Layer Security / Secure Sockets Layer)

• TLS is the modern version of SSL and is responsible for encrypting communication.

🔹 Public Key & Private Key (Asymmetric Encryption)

• The server has a private key and shares a public key with clients.

• The client encrypts data using the public key, and only the server can decrypt it using the private key.

🔹 Certificate Authority (CA)

• A trusted third-party organization (like Let's Encrypt, DigiCert, GoDaddy) issues SSL certificates to verify website authenticity.

HTTP vs. HTTPS (Key Differences)

One term which is consistently we can see from top to till here is “TLS” , so what is TLS?

TLS (Transport Layer Security) is a cryptographic protocol that ensures secure communication over a computer network. It is the modern and more secure version of SSL (Secure Sockets Layer). TLS is widely used to protect data transmitted over the internet, such as in HTTPS, email, messaging, and other applications.

Why is TLS Important?

TLS provides three main security features:

1. Encryption: Protects data by converting it into a format that cannot be read without a decryption key. This prevents unauthorized access (e.g., hackers cannot read your login details).

2. Authentication: Ensures that the server you are communicating with is legitimate using digital certificates issued by trusted Certificate Authorities (CAs).

3. Data Integrity: Ensures the data is not tampered with during transmission using cryptographic hashing (e.g., SHA-256).

How TLS Works (Step-by-Step Process) (TLS Handshake)

1. Client Hello (Client Initiates)

   • The client (e.g., browser) sends a "Hello" message to the server, including:

     • Supported TLS versions (e.g., TLS 1.2, TLS 1.3)

     • Supported cipher suites (encryption algorithms)

     • A random value (for key generation)

2. Server Hello (Server Responds)

   • The server replies with:

     • Chosen TLS version and cipher suite

     • Its own random value

     • SSL/TLS Certificate (contains public key & is signed by a Certificate Authority)

3. Certificate Verification

   • The client verifies the server’s TLS certificate against a trusted Certificate Authority (CA).

   • If valid, the handshake continues. If invalid, the connection is rejected.

4. Key Exchange

   • Both parties agree on a shared session key for encryption.

   • TLS 1.3 uses Ephemeral Diffie-Hellman for forward secrecy (ensures past data is safe even if keys are compromised).

5. Finished Message

   • Both client and server send a "Finished" message, encrypted using the session key.

6. Secure Communication Begins

   • All future data is encrypted and securely transmitted.

TLS Handshake Diagram

Client                            Server
   |    --- Client Hello --->       |
   |    <-- Server Hello ----       |
   |    <-- TLS Certificate --      |
   |    --- Verify Certificate -->  |
   |    --- Session Key Setup -->   |
   |    <-- Session Key Setup --    |
   |    --- Finished Message -->    |
   |    <-- Finished Message --     |
Secure Communication Established!

TLS Encryption Techniques

1. Symmetric Encryption:

   • The same key is used for both encryption and decryption.

   • Fast and used after the handshake (e.g., AES-256).

2. Asymmetric Encryption:

   • Public and private key pairs are used.

   • Used during the handshake (e.g., RSA or ECC algorithms).

Common TLS Attacks & How to Prevent Them

Key Takeaways

✅ TLS Handshake establishes a secure, encrypted connection between client & server.
✅ TLS 1.3 is faster & more secure than TLS 1.2.
✅ TLS uses asymmetric encryption for key exchange and symmetric encryption for data transfer.
✅ Every HTTPS request begins with a TLS handshake before data is exchanged securely.