What is HTTPS handshake?

Title HTTPS Handshake: The Secret to Secure Online Communication

SEO Keywords: HTTPS, SSL/TLS, online security, encryption, handshake protocol

Intro

When you visit a website starting with https://, your browser and the website's server engage in a crucial process called the HTTPS handshake. This process ensures that your data remains confidential and tamper-proof during transmission. But what happens behind the scenes? In this 10-minute read, we'll dive into the world of SSL/TLS (Secure Sockets Layer/Transport Layer Security) to understand how the HTTPS handshake keeps your online interactions secure.

Main Blog Content

The HTTPS handshake is a negotiation process between your browser and the website's server that takes place every time you visit an HTTPS-protected site. The goal is to establish a trusted connection, verifying each party's identity and ensuring that the communication remains encrypted.

Here's a step-by-step breakdown of the process:

1. Client Hello: Your browser initiates the handshake by sending a Client Hello message to the server, which includes:
   • A random session ID (to prevent replay attacks)
   • Supported SSL/TLS versions
   • Cipher suite preferences (e.g., AES-256-CBC or ChaCha20-Poly1305)
2. Server Hello: The server responds with a Server Hello message, containing:
   • Its own supported SSL/TLS version(s)
   • A chosen cipher suite (based on your browser's preferences)
   • A random session ID (to match the one sent by your browser)
3. Certificate: The server sends its SSL/TLS certificate, which includes:
   • The server's identity (domain name and/or organization information)
   • Public key
   • Digital signature (generated using a private key)
4. Verify Certificate: Your browser verifies the server's certificate by checking:
   • Whether it was issued by a trusted Certificate Authority (CA)
   • Whether the certificate is valid for the server's domain name
5. Pre-Master Secret: Your browser generates a random Pre-Master Secret and sends it to the server, which also generates its own.
6. Master Secret: The client and server use their respective Pre-Master Secrets to generate a shared Master Secret. This is done using a key agreement protocol like Diffie-Hellman (DH) or Elliptic Curve Diffie-Hellman (ECDH).
7. Encrypted Communication: Both parties use the Master Secret to encrypt and decrypt all subsequent communication, ensuring that only authorized parties can access the data.

Optional ASCII Diagram

Here's a simplified illustration of the HTTPS handshake:

          +---------------+
          |  Client    |
          +---------------+
                  |
                  | (1) Client Hello
                  v
          +---------------+
          |  Server     |
          +---------------+
                  |
                  | (2) Server Hello
                  v
          +---------------+
          |  Certificate  |
          +---------------+
                  |
                  | (3) Verify Certificate
                  v
          +---------------+
          |  Pre-Master Secret |
          +---------------+
                  |
                  | (4) Master Secret
                  v
          +---------------+
          |  Encrypted Communication |
          +---------------+

TL;DR

In summary, the HTTPS handshake is a crucial process that establishes a secure connection between your browser and an HTTPS-protected website. It involves:

• Client and server exchanging random session IDs and supported SSL/TLS versions
• Server sending its certificate for verification
• Generating a shared Master Secret using Pre-Master Secrets
• Encrypting communication using the Master Secret

This handshake ensures that your online interactions remain confidential, tamper-proof, and protected from eavesdropping and man-in-the-middle attacks.