Imagine sending your data in a sealed envelope versus a postcard that anyone can read. Nowadays cyber attacks methods keep evolving and are very sophisticated.<\/p>\n\n\n\n
HTTPS too has equally evolved from being a nice-to-have feature to an absolute necessity for every website or web application.<\/p>\n\n\n\n
What is HTTPS?<\/h2>\n\n\n\nThe Basics<\/h3>\n\n\n\n
HTTPS stands for Hypertext Transfer Protocol Secure<\/strong>, and it’s the secure version of HTTP<\/strong> – the protocol that powers the World Wide Web.<\/p>\n\n\n\n Think of HTTP<\/strong> as the language browsers and servers use to communicate, while HTTPS<\/strong> is that same language but with a encryption layer wrapped around it.<\/p>\n\n\n\n HTTP<\/strong> transmits data in plain text, making it readable to anyone who intercepts it, while HTTPS<\/strong> encrypts all communication, turning readable information into gibberish code that only the intended recipient can decode and understand.<\/p>\n\n\n\n HTTP<\/strong> vs HTTPS<\/strong> data security comparison<\/p>\n\n\n\n HTTPS<\/strong> provides three critical security features:<\/p>\n\n\n\n All data transmitted between your browser and the website is encrypted using advanced algorithms. If someone intercepts the communication, they’ll see nothing but random characters.<\/p>\n\n\n\n HTTPS ensures you’re actually communicating with the website you intended to visit, not an dummy fraud website. This is achieved through digital certificates issued by various trusted Certificate Authorities (CAs)<\/strong>.<\/p>\n\n\n\n The protocol guarantees that the information remains untampered during transmission. If someone tries to modify the data, HTTPS<\/strong> will detect it immediately.<\/p>\n\n\n\n HTTPS<\/strong> relies on Transport Layer Security (TLS)<\/strong>, which is the modern successor to Secure Sockets Layer (SSL)<\/strong>. While these terms are often used interchangeably, TLS<\/strong> is the current standard that actually works behind HTTPS<\/strong>security.<\/p>\n\n\n\n The protocol uses a sophisticated combination of symmetric and asymmetric encryption<\/em>:<\/p>\n\n\n\n The core of HTTPS lies Public Key Infrastructure (PKI)<\/strong>, a framework that manages digital certificates and encryption keys. PKI<\/strong> involves several key players:<\/p>\n\n\n\n PKI certificate chain of trust structure<\/strong><\/p>\n\n\n\n The HTTPS Handshake Process: Step by Step<\/strong>The SSL\/TLS<\/strong> handshake is a very important process that establishes a secure connection between your browser and a website. Let’s break down exactly what happens:<\/p>\n\n\n\n HTTPS SSL\/TLS handshake process flow diagram<\/strong><\/p>\n\n\n\n When you type “https:\/\/” into your browser, it sends a ClientHello<\/em> message to the server containing:<\/p>\n\n\n\n The server responds with a ServerHello<\/em> message that includes:<\/p>\n\n\n\n Your browser performs several critical checks:<\/p>\n\n\n\n If the certificate is valid, the browser:<\/p>\n\n\n\n Both the client and server use the exchanged information to create identical session keys for symmetric encryption.<\/p>\n\n\n\n From this point forward, all communication is encrypted using the shared session keys.<\/p>\n\n\n\n Some useful terminal commands for inspecting HTTPS certificates:<\/p>\n\n\n\n Using OpenSSL to view certificate details:<\/strong><\/p>\n\n\n\n Using curl to test HTTPS connections:<\/strong><\/p>\n\n\n\n Using ![\"HTTP\u00a0vs\u00a0HTTPS\u00a0data](\"https:\/\/codebounce.debojyotichatterjee.com\/wp-content\/uploads\/2025\/09\/HTTPvsHTTPS.excalidraw-1024x506.png\")
<\/figure>\n\n\n\nThree Pillars of HTTPS Security<\/h2>\n\n\n\n
1. Encryption (Confidentiality)<\/h3>\n\n\n\n
2. Authentication<\/h3>\n\n\n\n
3. Data Integrity<\/h3>\n\n\n\n
Deep Dive To The Technical Foundation<\/h2>\n\n\n\n
The Role of SSL\/TLS Protocols<\/h3>\n\n\n\n
\n
The Public Key Infrastructure (PKI)<\/h2>\n\n\n\n
\n
![\"PKI](\"https:\/\/codebounce.debojyotichatterjee.com\/wp-content\/uploads\/2025\/09\/PKI_infra.excalidraw-1024x513.png\")
<\/figure>\n\n\n\n![\"SSL-TLS](\"https:\/\/codebounce.debojyotichatterjee.com\/wp-content\/uploads\/2025\/09\/SSLHandshake-Proces.excalidraw-1024x513.png\")
<\/figure>\n\n\n\nPhase 1: Client Hello<\/h3>\n\n\n\n
\n
Phase 2: Server Response<\/h3>\n\n\n\n
\n
Phase 3: Certificate Verification<\/h3>\n\n\n\n
\n
Phase 4: Key Exchange<\/h3>\n\n\n\n
\n
Phase 5: Session Key Creation<\/h3>\n\n\n\n
Phase 6: Secure Communication Begins<\/h3>\n\n\n\n
Examples and Commands<\/h2>\n\n\n\n
Checking HTTPS Certificate Information<\/h3>\n\n\n\n
openssl s_client -showcerts -connect example.com:443\n<\/code><\/pre>\n\n\n\nCommand\/Option<\/strong><\/th> Explanation<\/strong><\/th><\/tr><\/thead> openssl<\/code><\/td>This is the command-line tool for using the OpenSSL library, which provides various cryptographic functions.<\/td><\/tr> s_client<\/code><\/td>This option specifies that you want to use the SSL\/TLS client functionality to connect to a server.<\/td><\/tr> -showcerts<\/code><\/td>This flag tells OpenSSL to display the entire certificate chain sent by the server during the SSL\/TLS handshake.<\/td><\/tr> -connect<\/code><\/td>This option is used to specify the server and port to connect to.<\/td><\/tr> example.com:443<\/code><\/td>This is the target server (in this case, example.com<\/code>) and the port number (443<\/code>), which is the standard port for HTTPS connections.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\ncurl -vvI <https:\/\/example.com>\n<\/code><\/pre>\n\n\n\nCommand\/Option<\/strong><\/th> Explanation<\/strong><\/th><\/tr><\/thead> curl<\/code><\/td>This is a command-line tool used for transferring data with URLs, supporting various protocols including HTTP and HTTPS.<\/td><\/tr> -vv<\/code><\/td>This option enables verbose output, providing detailed information about the request and response, including headers and connection details. The -v<\/code> flag can be used once for basic verbosity, and using it twice (-vv<\/code>) increases the level of detail.<\/td><\/tr>-I<\/code><\/td>This flag tells curl<\/code> to fetch only the HTTP headers of the response, rather than the full content of the page. This is useful for checking server responses without downloading the entire page.<\/td><\/tr>https:\/\/example.com<\/code><\/td>This is the target URL you want to connect to, using the HTTPS protocol. Replace example.com<\/code> with the actual domain you wish to query.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nnmap<\/code> to scan SSL certificates:<\/p>\n\n\n\nnmap -p 443 --script ssl-cert example.com\n<\/code><\/pre>\n\n\n\nCommand\/Option<\/strong><\/th> Explanation<\/strong><\/th><\/tr><\/thead> nmap<\/code><\/td>This is a network scanning tool used to discover hosts and services on a computer network. It can be used for security auditing and network inventory.<\/td><\/tr> -p 443<\/code><\/td>This option specifies the port to scan. In this case, it is port 443<\/code>, which is the standard port for HTTPS traffic.<\/td><\/tr>--script ssl-cert<\/code><\/td>This flag tells Nmap to use the ssl-cert<\/code> script, which retrieves and displays the SSL\/TLS certificate information from the specified port.<\/td><\/tr>example.com<\/code><\/td>This is the target domain you want to scan. Replace example.com<\/code> with the actual domain you wish to query.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nGenerating SSL Certificates<\/h1>\n\n\n\n
Creating a self-signed certificate for testing:<\/h3>\n\n\n\n
# Generate private key\nopenssl genrsa -des3 -out server.key 4096\n\n# Create certificate signing request\nopenssl req -new -key server.key -out server.csr\n\n# Generate self-signed certificate\nopenssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt\n<\/code><\/pre>\n\n\n\nCommand\/Option<\/strong><\/th> Explanation<\/strong><\/th><\/tr><\/thead> openssl genrsa<\/code><\/td>Command to generate an RSA private key.<\/td><\/tr> -des3<\/code><\/td>Encrypts the private key using Triple DES.<\/td><\/tr> -out server.key<\/code><\/td>Specifies the output file for the private key.<\/td><\/tr> 4096<\/code><\/td>Specifies the size of the key in bits (4096 bits).<\/td><\/tr> openssl req<\/code><\/td>Command to create a certificate signing request (CSR).<\/td><\/tr> -new<\/code><\/td>Indicates that a new CSR is being created.<\/td><\/tr> -key server.key<\/code><\/td>Specifies the private key to use for the CSR.<\/td><\/tr> -out server.csr<\/code><\/td>Specifies the output file for the CSR.<\/td><\/tr> openssl x509<\/code><\/td>Command to create or manipulate X.509 certificates.<\/td><\/tr> -req<\/code><\/td>Indicates that the input is a CSR.<\/td><\/tr> -days 365<\/code><\/td>Specifies the validity period of the certificate in days (365 days).<\/td><\/tr> -in server.csr<\/code><\/td>Specifies the input file for the CSR.<\/td><\/tr> -signkey server.key<\/code><\/td>Specifies the private key to sign the certificate.<\/td><\/tr> -out server.crt<\/code><\/td>Specifies the output file for the self-signed certificate.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n Testing HTTPS Implementation<\/h2>\n\n\n\n
Verify certificate installation:<\/h3>\n\n\n\n
# Check certificate expiration\nopenssl x509 -in certificate.crt -text -noout\n\n# Test SSL configuration\ncurl -I <https:\/\/yourdomain.com>\n<\/code><\/pre>\n\n\n\nCommand\/Option<\/strong><\/th> Explanation<\/strong><\/th><\/tr><\/thead> openssl x509<\/code><\/td>Command to display or manipulate X.509 certificates.<\/td><\/tr> -in certificate.crt<\/code><\/td>Specifies the input file for the certificate to check.<\/td><\/tr> -text<\/code><\/td>Outputs the certificate in a human-readable format.<\/td><\/tr> -noout<\/code><\/td>Prevents the output of the encoded version of the certificate.<\/td><\/tr> curl -I<\/code><\/td>Command to fetch HTTP headers from a URL.<\/td><\/tr> https:\/\/yourdomain.com<\/code><\/td>The URL to test the SSL configuration for the specified domain.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n HTTPS Benefits and Importance<\/h2>\n\n\n\n
Security Advantages<\/h3>\n\n\n\n
\n