HTTPS and how it protects your web browsing.

What is HTTPS and why do we need it?

We all know HTTPS and how important it is for browsing today. It is essential if we want to avoid data leaks. On a website we can log in and send and receive information and data, and ultimately our privacy and security depend on that connection. If we do this over HTTP, an intruder could access the information, for example on a public Wi-Fi network that anyone can join.

That’s where HTTPS comes into play. The goal is to encrypt the information we send. In this way, it travels safely through the network, from point to point, without a third party being able to intercept its contents. It is a way to hide all the data that we exchange on the network. The HTTPS protocol is mainly needed for three reasons: privacy, integrity, and identification. We will use sending a message as an example so that each one is easy to understand.

Privacy

When our computer sends a message from the web browser to the web server we are connecting to, an unprotected message can be captured by anyone who is listening on the communication channel, for example on a Wi-Fi network. Messages can be captured in this way to spy on absolutely all traffic. For example, if we browse a web page and enter a password, it can be captured.

When a closed padlock appears in the web address bar, where we enter the address of the website we want to go to, it means that communication with the web server is carried out securely, with point-to-point encryption. The fact that the “padlock” appears does not mean that the website is secure, simply that the communication channel with said website is.

Integrity

When our computer sends a message from the web browser to the web server we are connecting to, this message can be captured and modified on the fly in the communication channel in order to change the information in it. Once modified, it is forwarded to the legitimate recipient, and it will not be possible to know whether that message has been modified or not. This type of attack is the well-known “man in the middle”.

For this reason, integrity in communications is essential. Integrity means that if the message is modified, the recipient will know it, and will deny the connection. Therefore, with integrity, it can be guaranteed that a message cannot be modified (without the recipient’s knowledge) and reaches its recipient exactly as it was sent.
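The recipient-side check described above, as an added example that is not part of the original article: it uses HMAC-SHA256 from Python's standard library and assumes both sides already share a secret key. The key, the message and the function names are constructed for illustration.

```python
import hashlib
import hmac

TAG_LEN = 32  # size of an HMAC-SHA256 tag in bytes

def protect(key: bytes, message: bytes) -> bytes:
    """Sender: append a tag that only a holder of the shared key can compute."""
    return message + hmac.new(key, message, hashlib.sha256).digest()

def receive(key: bytes, wire: bytes) -> bytes:
    """Recipient: recompute the tag and refuse anything that does not match."""
    if len(wire) < TAG_LEN:
        raise ValueError("truncated message")
    message, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed: message was modified")
    return message

def receive_unprotected(wire: bytes) -> bytes:
    """Plain channel with no tag: whatever arrives is accepted as-is."""
    return wire

def modify_in_transit(wire: bytes, old: bytes, new: bytes) -> bytes:
    """Simulates a change made on the channel by someone without the key."""
    return wire.replace(old, new, 1)

# Constructed sample values.
KEY = b"constructed-shared-key-for-demo"
MESSAGE = b"transfer 100 EUR to account 1234"

if __name__ == "__main__":
    wire = protect(KEY, MESSAGE)
    print(receive(KEY, wire))
    # Without a tag, the altered text is delivered and nobody notices.
    print(receive_unprotected(modify_in_transit(MESSAGE, b"100", b"900")))
    try:
        receive(KEY, modify_in_transit(wire, b"100", b"900"))
    except ValueError as err:
        print("rejected:", err)
```

TLS, the protocol underneath HTTPS, applies the same principle to every record it sends, using keys negotiated during the handshake.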

Identification

Identification means that we can verify who sent the message by using a digital signature; when we browse a web page, it means that the web page we are on is authentic. All this is achieved thanks to the HTTPS protocol, which, through SSL certificates, guarantees that you are connected to the right place. The SSL certificate that the web browser shows us is valid and has been issued by a legitimate certificate authority.

General HTTPS Operation

For the HTTPS protocol to work, it needs a way to provide privacy, integrity, and identification on websites. The way to provide this is called encryption.

There are mainly two types of encryption algorithms: symmetric key and asymmetric key algorithms.

The symmetric key algorithm uses a single key to encrypt and decrypt messages. Its operation is as follows:

Before sending, the browser encrypts the message. Once it is sent, even if it is intercepted, whoever captures it cannot read or modify it without the decryption key. Therefore, the only one who can read the message is the recipient, who has the decryption key, which is the same as the encryption key. If someone else tried to open the message, they would only see a string of text that doesn’t make any sense, because it is encrypted. However, the main problem with the symmetric key algorithm is that it is very difficult to share the key.

The asymmetric key algorithm uses two keys, one private and one public. Its operation is as follows:

The two keys are paired and work together. The public key can be shared with anyone, which is why it is public. When someone sends a message, they encrypt it using the recipient’s public key; when the message is received, the recipient uses their private key, which only they have, to decrypt it. Only the private key can open a message encrypted with the matching public key.

This type of public key algorithm is not only valid for privacy, but also for identifying the sender of the message.

What is a Certification Authority (CA)?

A Certificate Authority (CA) is a third-party organization, which has 3 main goals:

  • Issue certificates.
  • Confirm the identity of the certificate holder.
  • Provide proof that the certificate is valid.

To become a CA, there are security requirements and audits that must be passed. You must prove that you are trustworthy to be accepted into a “root store”. A “root store” is a database of trusted CAs. For example, operating systems and companies like Apple, Windows, and Mozilla have their own “root stores” that they pre-install on their computers.

What certificates are there?

There are basically three types of certificates issued by certification authorities:

Domain validated: This certificate only verifies the domain name.

Organization validated: This certificate requires manual validation and verification from the organization behind the certificate.

Extended validation: This certificate requires exhaustive verification of the business for which it will be issued.

When a certificate is valid, a secure badge is displayed in the browser bar. The certificates can also show the name of the company for which they are valid.

How are certificates validated?

When a CA issues a certificate, it signs it with its root certificate, which comes pre-installed in the root store on our computer or browser. Keep in mind that, most of the time, the signing certificate is actually an intermediate certificate that is itself signed with a root certificate. This is because, if the root certificate is compromised, it is easier to revoke the intermediate certificates, since the root certificates are installed on each device.

To validate a certificate, the process is as follows:

  • The browser connects to a web page using the HTTPS protocol and downloads the certificate.
  • The certificate that is downloaded is not a root certificate.
  • The browser downloads the certificate that was used to sign the certificate on the web page.
  • But this certificate is not yet the root certificate.
  • The browser then looks again for the certificate that signed the intermediate certificate that was just downloaded.
  • And once it finds it and validates it, the entire certificate chain is trusted, and therefore, the web page’s certificate is also trusted.
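An added example (not code from the original article) of the chain walk in the steps above, which also shows the earlier point that a key pair can identify who signed something. It assumes textbook RSA with small fixed primes and no padding in place of a real certificate signature algorithm, and a constructed dictionary format with hypothetical names in place of X.509.

```python
import hashlib

E = 65537  # public exponent used by every toy key here

def make_key(p, q):
    """Textbook RSA from two primes: returns (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(cert, n):
    """SHA-256 over the signed fields, reduced into the signer's modulus."""
    body = f"{cert['subject']}|{cert['issuer']}|{cert['pubkey']}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def issue(subject, subject_pub, issuer, issuer_pub, issuer_priv):
    """The issuer signs the subject's name and public key with its private key."""
    cert = {"subject": subject, "issuer": issuer, "pubkey": subject_pub}
    cert["sig"] = pow(digest(cert, issuer_pub), issuer_priv, issuer_pub)
    return cert

def signed_by(cert, issuer_pub):
    """Anyone holding the issuer's public key can check the signature."""
    return pow(cert["sig"], E, issuer_pub) == digest(cert, issuer_pub)

def validate(leaf, fetched, root_store, max_depth=8):
    """Walk leaf -> intermediate(s) -> trusted root; return the subjects or raise."""
    chain, cert = [leaf["subject"]], leaf
    for _ in range(max_depth):  # bounded, so a cycle of issuers cannot loop forever
        trusted = root_store.get(cert["issuer"])
        issuer = trusted or fetched.get(cert["issuer"])
        if issuer is None:
            raise ValueError(f"no certificate found for issuer {cert['issuer']!r}")
        if not signed_by(cert, issuer["pubkey"]):
            raise ValueError(f"bad signature on {cert['subject']!r}")
        chain.append(issuer["subject"])
        if trusted:
            return chain  # reached a certificate from the root store
        cert = issuer
    raise ValueError("chain too long")

# Constructed sample chain (hypothetical names; fixed Mersenne primes keep it reproducible).
root_n, root_d = make_key(2**107 - 1, 2**127 - 1)
int_n, int_d = make_key(2**61 - 1, 2**89 - 1)
leaf_n, _ = make_key(2**19 - 1, 2**31 - 1)
ROOT = issue("Example Root CA", root_n, "Example Root CA", root_n, root_d)
INTERMEDIATE = issue("Example Intermediate CA", int_n, "Example Root CA", root_n, root_d)
LEAF = issue("www.example.test", leaf_n, "Example Intermediate CA", int_n, int_d)
ROOT_STORE = {ROOT["subject"]: ROOT}               # pre-installed on the device
FETCHED = {INTERMEDIATE["subject"]: INTERMEDIATE}  # downloaded during validation

if __name__ == "__main__":
    print(validate(LEAF, FETCHED, ROOT_STORE))
```

A real browser also checks validity dates, the host name, revocation status and whether each issuer is allowed to act as a CA; this example covers only the signature chain.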
