HTTPS provides security to HTTP. We covered HTTP in Chapter 6, Building a Simple Web Client. HTTPS secures HTTP by using TLS over TCP on port 443. TLS is a protocol that can provide security to any TCP connection.
TLS is the successor to Secure Sockets Layer (SSL), an earlier protocol also used by HTTPS. TLS and SSL are compatible, and most of the information in this chapter also applies to SSL. Generally, establishing an HTTPS connection involves the client and server negotiating which protocol to use. The ideal outcome is that the client and server agree on the most secure, mutually supported protocol and cipher.
When we talk about protocol security, we are generally looking for the following three things:
- Authentication: We need a way to prevent impostors from posing as legitimate communication partners. TLS provides peer authentication methods for this reason.
- Encryption: TLS uses encryption to obfuscate transmitted data. This prevents an eavesdropper from correctly interpreting intercepted data.
- Integrity: TLS also ensures that received data has not been tampered with or otherwise forged.
HTTP is most commonly used to transmit web pages. The text on a web page is first encoded as Hypertext Markup Language (HTML). HTML provides formatting, layout, and styling to web pages. HTTP is then used to transmit the HTML, and HTTP itself is transmitted over a TCP connection.
Visually, an HTTP session is encapsulated like the following:
TLS works inside TCP to provide a secure communication channel. HTTPS is then basically the same as the HTTP protocol, but it is sent inside a TLS channel.
Visually, HTTPS is encapsulated in the following manner:
Of course, the same abstraction still applies if HTTP is used to transmit an image, video, or other data instead of HTML.
Do keep in mind that these abstractions are accurate at the conceptual level, but some details transcend layers. For example, some HTTPS headers are used to refer to security parameters of how TLS should be applied. In general, though, it is reasonable to think of TLS as securing the TCP connection used by HTTPS.
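The layering described above can be seen in the first bytes of a TCP payload. The following is an added example, not code from this book: it tells a readable HTTP request apart from a TLS record by parsing the 5-byte TLS record header. The function and type names are hypothetical, and the two sample payloads are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What the first bytes of a TCP payload look like. */
enum wire_kind { WIRE_UNKNOWN, WIRE_PLAIN_HTTP, WIRE_TLS_RECORD };

/* Fields of the 5-byte header that precedes every TLS record. */
struct tls_record {
    uint8_t  type;     /* 20 change_cipher_spec, 21 alert, 22 handshake, 23 application_data */
    uint16_t version;  /* 0x0300 SSL 3.0, 0x0301..0x0303 TLS 1.0..1.2 (TLS 1.3 also sends 0x0303) */
    uint16_t length;   /* bytes of record body following the header */
};

/* Classify the start of a TCP payload; fills *rec when a TLS record header is found. */
enum wire_kind classify_payload(const uint8_t *buf, size_t len, struct tls_record *rec) {
    static const char *methods[] = { "GET ", "POST ", "HEAD ", "PUT ", "DELETE ", "OPTIONS " };
    for (size_t i = 0; i < sizeof methods / sizeof methods[0]; i++) {
        size_t n = strlen(methods[i]);
        if (len >= n && memcmp(buf, methods[i], n) == 0)
            return WIRE_PLAIN_HTTP;          /* readable request line: no TLS layer */
    }
    if (len < 5) return WIRE_UNKNOWN;        /* too short to hold a record header */
    uint8_t  type    = buf[0];
    uint16_t version = (uint16_t)((buf[1] << 8) | buf[2]);   /* big-endian on the wire */
    uint16_t length  = (uint16_t)((buf[3] << 8) | buf[4]);
    if (type < 20 || type > 23) return WIRE_UNKNOWN;
    if (version < 0x0300 || version > 0x0303) return WIRE_UNKNOWN;
    if (length > 16384 + 2048) return WIRE_UNKNOWN;          /* above the record size limit */
    if (rec) { rec->type = type; rec->version = version; rec->length = length; }
    return WIRE_TLS_RECORD;
}

/* Constructed samples: a plaintext request and the start of a TLS handshake record. */
static const uint8_t sample_http[] = "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n";
static const uint8_t sample_tls[]  = { 0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00, 0xc4 };

int main(void) {
    struct tls_record rec;
    printf("port 80 sample:  kind=%d\n",
           classify_payload(sample_http, sizeof sample_http - 1, &rec));
    if (classify_payload(sample_tls, sizeof sample_tls, &rec) == WIRE_TLS_RECORD)
        printf("port 443 sample: type=%u version=0x%04x length=%u\n",
               (unsigned)rec.type, (unsigned)rec.version, (unsigned)rec.length);
    return 0;
}
```

On an HTTPS connection, the HTTP request line never appears in this position; it travels later as the encrypted body of application_data records.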
Although TLS is most commonly used for HTTPS security, TLS is also used to secure many other TCP-based protocols. The email protocol, SMTP, which we covered in Chapter 8, Making Your Program Send Email, is also commonly secured by TLS.
Before going into further detail about using TLS, it is useful to understand some necessary background information on encryption.