How Does a Web Request Work?
HTTPS is the secure version of the HTTP protocol used for communication over the internet. It ensures that data transmitted between a client (web browser) and a web server is encrypted, so that no one can intercept it or tamper with it in transit.
Below are the steps that occur while making a web request:
1. Client initiates HTTPS request
The client (web browser) initiates an HTTPS request by sending a request to the server using a URL that starts with https:// instead of http://. The 's' in https indicates that the connection is secure.
2. Server Presents SSL/TLS Certificate
The server responds to the client by sending an SSL/TLS certificate, which contains the server's public key. The certificate is typically issued by a trusted certificate authority (CA) and includes information such as the server's domain name, its public key, the CA's digital signature and the expiration date of the certificate.
3. Client Verifies SSL/TLS Certificate
The client verifies the SSL/TLS certificate to ensure that it is valid and trustworthy. It checks the certificate's digital signature against the public key of the issuing CA to confirm the server's identity and authenticity. The client also checks that the domain name in the certificate matches the domain name in the URL, to prevent man-in-the-middle attacks.
4. Client generates a symmetric key
If the SSL/TLS certificate is valid, the client generates a random symmetric key (also known as a session key) to be used for encrypting and decrypting data during the session. Symmetric encryption is far more efficient for large amounts of data than the asymmetric algorithm used with the SSL/TLS certificate.
5. Client encrypts symmetric key
The client encrypts the symmetric key using the server's public key from the SSL/TLS certificate. This ensures that only the server, which holds the corresponding private key, can decrypt the symmetric key and access the session data.
6. Client Sends encrypted symmetric key
The client sends the encrypted symmetric key to the server, along with information such as the chosen SSL/TLS version, the supported encryption algorithms and a "client hello" message.
7. Server decrypts symmetric key
The server receives the encrypted symmetric key from the client and decrypts it using its private key, which is kept securely on the server. This gives the server the symmetric key, which it uses for all subsequent communication with the client.
8. Client and server exchange encrypted data
Once the session key is established, the client and server use it to encrypt and decrypt the data exchanged during the session. All data transmitted between the client and the server, including the HTTPS request and response, is encrypted with the symmetric key to protect it from interception.
9. HTTPS session continues
The client and server continue to exchange encrypted data using the established symmetric key until the session is terminated. The symmetric key is discarded when the session ends, and each new session gets a fresh symmetric key to ensure security.
In summary, HTTPS uses an SSL/TLS certificate and symmetric-key encryption to secure data transmitted between a client and a server over the internet. The SSL/TLS certificate verifies the server's authenticity, and the symmetric key is used for encrypting and decrypting data during the session, ensuring the confidentiality and integrity of the communication.
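Steps 1 and 6 above mention the "client hello" message, the chosen TLS version and the supported encryption algorithms. Those values travel in a structured ClientHello message, which in practice opens the handshake before the server presents its certificate: it is where the server learns which hostname the client wants (the server_name extension) and which protocol versions and cipher suites it can use. The following Python is an added example, not code from the original post. It builds a constructed ClientHello and parses it back using only the standard library, which is the same decoding a server or a network sensor performs. The cipher suite and extension numbers are the IANA-registered values; the fixed client random and the hostname are made up for the example.

```python
"""Build and parse a TLS ClientHello record (added example, standard library only)."""
from __future__ import annotations

import struct

TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
CIPHER_SUITES = {  # IANA-registered identifiers
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",  # legacy, not forward secret
}
EXT_SERVER_NAME = 0
EXT_SUPPORTED_VERSIONS = 43


def build_client_hello(server_name: str, cipher_suites: list[int], versions: list[int],
                       client_random: bytes = b"\x11" * 32) -> bytes:
    """Serialise a ClientHello (RFC 8446 section 4.1.2 layout) inside a TLS record."""
    host = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type host_name(0)
    sni_ext = (struct.pack("!HH", EXT_SERVER_NAME, len(sni_entry) + 2)
               + struct.pack("!H", len(sni_entry)) + sni_entry)
    vers_body = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    vers_ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(vers_body)) + vers_body
    extensions = sni_ext + vers_ext
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", 0x0303)          # legacy_version: always 1.2 on the wire
            + client_random                    # 32 bytes; fixed here for the example
            + b"\x00"                          # legacy_session_id: empty
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                      # compression_methods: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake  # ContentType handshake(22)


def parse_client_hello(record: bytes) -> dict:
    """Decode the ClientHello fields a server or intrusion sensor looks at."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    client_random = body[pos:pos + 32]; pos += 32
    pos += 1 + body[pos]                                   # skip legacy_session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    pos += 1 + body[pos]                                   # skip compression_methods
    info = {"legacy_version": TLS_VERSIONS.get(legacy_version, hex(legacy_version)),
            "client_random": client_random.hex(),
            "cipher_suites": [CIPHER_SUITES.get(s, f"0x{s:04x}") for s in suites],
            "server_name": None, "supported_versions": []}
    if pos + 2 <= len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if etype == EXT_SERVER_NAME:
                # ServerNameList: 2-byte list length, then (type, 2-byte length, name) entries
                list_len = struct.unpack("!H", data[:2])[0]
                q = 2
                while q + 3 <= 2 + list_len:
                    ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                    if ntype == 0:
                        info["server_name"] = data[q + 3:q + 3 + nlen].decode("idna")
                    q += 3 + nlen
            elif etype == EXT_SUPPORTED_VERSIONS:
                n = data[0]  # byte length of the version list
                info["supported_versions"] = [TLS_VERSIONS.get(v, hex(v)) for v in
                                              (struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + n, 2))]
    return info


def is_client_hello(record: bytes) -> bool:
    """True when the bytes decode as a well-formed ClientHello record."""
    try:
        parse_client_hello(record)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = build_client_hello("www.example.com", [0x1301, 0xC02F, 0x000A], [0x0304, 0x0303])
    print(parse_client_hello(sample))
```

Two details matter when reading these fields from traffic: the legacy_version field always says TLS 1.2, so the versions a client really offers are in the supported_versions extension, and a monitor keyed on the record version alone misclassifies TLS 1.3 clients; and the offered cipher suite list is where a policy check would spot legacy, non-forward-secret options such as the 0x000A suite in the sample.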
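Step 3's two checks, the CA signature and the name match, are where most client-side TLS mistakes happen, and the name match has edge-case rules worth seeing in code. The following Python is an added example, not code from the original post. It implements the hostname check the way browsers do it, against the certificate's subjectAltName entries only (the Common Name fallback is obsolete), case-insensitively, with a wildcard honoured solely as the entire leftmost label and never matching more than one label, plus a validity-window check against the notBefore/notAfter dates. The certificate dictionary is constructed to mirror the layout Python's ssl.SSLSocket.getpeercert() returns; it is not a real certificate, and the signature check itself is left to the TLS library because it needs the CA's key material.

```python
"""Hostname and validity checks from step 3 (added example, standard library only)."""
from __future__ import annotations

import calendar
import ipaddress
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample shaped like ssl.SSLSocket.getpeercert() output; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "*.api.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
    "notBefore": "Mar 15 00:00:00 2024 GMT",
    "notAfter": "Mar 15 00:00:00 2030 GMT",
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname using RFC 6125 style rules."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # A wildcard must be the whole leftmost label, with at least two labels after it,
    # and it stands in for exactly one label: "*.api.example.com" does not cover
    # "api.example.com" or "a.b.api.example.com".
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]) or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def hostname_matches(cert: dict, url: str) -> bool:
    """True when the host in `url` is covered by the certificate's subjectAltName."""
    host = urlsplit(url).hostname  # already lowercased, brackets stripped from IPv6
    if host is None:
        return False
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal must match an "IP Address" entry exactly; dNSName entries do not count.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip for kind, value in san)
    return any(kind == "DNS" and _dns_name_matches(value, host) for kind, value in san)


def _cert_time(value: str) -> float:
    """Convert the getpeercert() date format to POSIX seconds (UTC)."""
    return calendar.timegm(datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").timetuple())


def certificate_is_current(cert: dict, now: float) -> bool:
    """True when `now` (POSIX seconds) lies inside the certificate's validity window."""
    return _cert_time(cert["notBefore"]) <= now <= _cert_time(cert["notAfter"])


def client_accepts(cert: dict, url: str, now: float) -> bool:
    """The name and time checks a client runs once the CA signature has verified."""
    return hostname_matches(cert, url) and certificate_is_current(cert, now)


if __name__ == "__main__":
    for target in ("https://www.example.com/login", "https://example.com/", "https://v1.api.example.com/"):
        print(target, client_accepts(SAMPLE_CERT, target, now=1.8e9))
```

The function works on the parsed dictionary rather than the socket so the rules can be exercised with constructed input; in a real client the same checks are what ssl.create_default_context() enables through check_hostname and CERT_REQUIRED, and disabling either one removes the man-in-the-middle protection the step describes.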