# Topics covered
* SSL/TLS encryption protocol
* SSL Certificates
    * What is https and how to install SSL certificate
* What is HTTPS?
* How does HTTPS (SSL/TLS) work?
* Why does HTTPS switch to symmetric encryption during data transmission?

7.1 SSL/TLS encryption protocol

SSL stands for Secure Sockets Layer, and it refers to protocols for establishing authenticated and encrypted links between networked computers. Although the SSL protocol was deprecated with the release of TLS 1.0 in 1999, it is still common to refer to these related technologies as “SSL” or “SSL/TLS”.

Although SSL was replaced by an updated protocol called TLS (Transport Layer Security) some time ago, “SSL” is still a commonly used term for this technology.

An SSL certificate (also known as a TLS or SSL/TLS certificate) is a digital document that binds the identity of a website to a cryptographic key pair consisting of a public key and a private key.

7.2 SSL Certificates

https://www.ssl.com/faqs/faq-what-is-ssl/

If the SSL/TLS certificate itself is signed by a publicly trusted certificate authority (CA), such as SSL.com, the certificate will be implicitly trusted by client software such as web browsers and operating systems.

Publicly trusted CAs have been approved by major software suppliers to validate identities that will be trusted on their platforms. A public CA’s validation and certificate issuance procedures are subject to regular, rigorous audits to maintain this trusted status.

What is https and how to install SSL certificate

7.3 What is HTTPS?

Hypertext transfer protocol secure (HTTPS) is the secure version of HTTP. HTTPS uses an encryption protocol to encrypt communications. The protocol is called Transport Layer Security (TLS), although formerly it was known as Secure Sockets Layer (SSL). This protocol secures communications by using what’s known as an asymmetric public key infrastructure.

This is particularly important when users transmit sensitive data, such as by logging into a bank account, email service, or health insurance provider. Web browsers take HTTPS seriously: Google Chrome and other browsers flag all non-HTTPS websites as not secure.

HTTP vs HTTPS

https://www.cloudflare.com/learning/ssl/why-is-http-not-secure/

Technically speaking, HTTPS is not a separate protocol from HTTP. The only difference between the two protocols is that HTTPS uses TLS (SSL) to encrypt normal HTTP requests and responses, and to digitally sign those requests and responses. As a result, HTTPS is far more secure than HTTP. A website that uses HTTP has http:// in its URL, while a website that uses HTTPS has https:// in its URL.

HTTP vs HTTPS

https://www.geeksforgeeks.org/difference-between-http-and-https/

  • HTTP is considered to be insecure and HTTPS is secure.
  • HTTP uses port number 80 for communication and HTTPS uses 443.
  • HTTP works at the Application Layer and HTTPS works at the Transport Layer.
  • HTTP is faster than HTTPS.
  • HTTP does not improve search ranking while HTTPS improves search ranking.

7.4 How does HTTPS (SSL/TLS) work?

https://blog.bytebytego.com/p/how-does-https-work-episode-6

https://www.cloudflare.com/learning/ssl/how-does-ssl-work/

TCP Handshake

  1. The client (browser) and the server establish a TCP connection.

Certificate Check

  1. The client sends a “client hello” to the server.
  2. The server then sends the SSL certificate to the client. The certificate contains the public key, hostname, expiry dates, etc. The client validates the certificate.
  3. After validating the SSL certificate, the client generates a session key and encrypts it using the public key.

Key Exchange

  1. The client sends the encrypted session key to the server.
  2. The server receives the encrypted session key and decrypts it with the private key.

Data Transmission

  1. Now that both the client and the server hold the same session key (symmetric encryption), the encrypted data is transmitted in a secure bi-directional channel.

7.5 Why does HTTPS switch to symmetric encryption during data transmission?

There are two main reasons:

Security: Asymmetric encryption goes only one way. The server holds only its own private key, so if it tried to send encrypted data back to the client using that key, anyone could decrypt the data using the public key.

Server resources: Asymmetric encryption adds quite a lot of mathematical overhead. It is not suitable for data transmissions in long sessions.
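
The steps in 7.4 and the one-way argument in 7.5, as an added Python example that is not taken from the sources linked above. It models the session-key flow exactly as this page describes it, using a constructed toy RSA key, unpadded RSA and a hash-based keystream standing in for a real cipher, so it illustrates the message flow only. The names `seal`, `run_session` and `observer_reads_private_key_reply` are hypothetical.

```python
import hashlib
import secrets

# Constructed toy RSA key (two Mersenne primes); far too small for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                            # public modulus, sent in the certificate with E
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, never leaves the server

def seal(key: bytes, direction: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (stand-in for AES-GCM): XOR with a SHA-256 keystream.
    The same call encrypts and decrypts; `direction` keeps the two flows apart."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + direction + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def run_session(request: bytes, response: bytes) -> dict:
    # Certificate Check, step 3: the client creates a session key and
    # encrypts it with the server's public key (textbook RSA, no padding).
    client_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(client_key, "big"), E, N)
    # Key Exchange, step 2: the server recovers the key with its private key.
    server_key = pow(wrapped, D, N).to_bytes(16, "big")
    # Data Transmission: both directions use the shared symmetric key.
    wire_req = seal(client_key, b"c2s", request)
    wire_resp = seal(server_key, b"s2c", response)
    return {
        "keys_match": client_key == server_key,
        "wire_req": wire_req,
        "server_saw": seal(server_key, b"c2s", wire_req),
        "client_saw": seal(client_key, b"s2c", wire_resp),
    }

def observer_reads_private_key_reply(reply: bytes) -> bytes:
    """Section 7.5: a reply transformed only with the private key is undone by
    anyone holding the public key (E, N). `reply` must be at most 26 bytes here."""
    wire = pow(int.from_bytes(reply, "big"), D, N)       # server side
    return pow(wire, E, N).to_bytes(len(reply), "big")   # any observer

if __name__ == "__main__":
    print(run_session(b"GET /account HTTP/1.1", b"HTTP/1.1 200 OK"))
    print(observer_reads_private_key_reply(b"balance: 42"))
```

Real TLS stacks use padded or ephemeral key exchange and authenticated ciphers; in application code, use the platform TLS library rather than building any of this by hand.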