How HTTPS Works (...and SSL/TLS too)

Captions
Okay, we all know that HTTP is the protocol of choice that we use to surf the web. It's the language of love between web browser and web server. And we also know that when we go to a website and type in HTTPS, it's secure, at least we think it is. What is that S, really? Before we dive right into HTTPS we've got to understand its older brother, HTTP, the Hypertext Transfer Protocol. In short, this protocol is the language of love using a request-response mechanism. Let me translate that into pure English: it's a stimulus-response. "Hey, I need this." "Oh, you do? Here you go." This is what really defined the heart of the World Wide Web (and I'm really not happy with how those W's came out; they look like hearts for some reason). But one of the key points about HTTP, and this is probably the most well-known port number in the world, is that it uses TCP port 80 and sends requests over that port using the Universal Resource Locator. What that means is you open a web browser on your computer, here it pops up, and you go, "I want to go to www dot, let's just say, viatto.com." Hit the Enter key and it will send a request message saying, "Hello Viatto, I would like to communicate with you. Could you please send me the images and the data that you have?" That is formed in a URL. And I know a lot of you are like, "Duh, I know this stuff." Yeah, I know. I just want to make sure that we're all on the same page, because it becomes so comfortable to open a web browser and type something into that bar. What is in that bar, whether it be just the website or all the extra stuff after it, comprises a URL. That is a request using HTTP. That request then goes to the server in a clear-text and stateless way. Now you know that HTTP runs on top of TCP; that means there's still that session that's maintained using TCP, but the HTTP protocol itself doesn't do any checking. When it sends the URL request it assumes the other side gets it, and the other side then responds and says, "Here you go," and assumes this side gets it. Now TCP is underlying all the packet transfers, saying, "Okay, did you get that? Here's the SYN, the ACK," all of the stuff that TCP does. HTTP just rides on top of that in a totally stateless way.

Now, with exception (I'm not even going to call it an exception), there are other mechanisms to help with that. We've all heard of cookies, right? Cookies are web servers' efforts to try and maintain some kind of state: who is that person that went to our website, what did they do here, what did they search for, what did they request? You always wonder, when I go back to a website, how does it know that I last searched for that book or that device? It's because it's stored, typically in a cookie, on your browser, where it has a semblance of state. But that's not part of HTTP in itself; that's an add-on. So HTTP is really not the star of the show. It's SSL and TLS when it comes to security and a lot of stuff here. So let me first bring it back to the video for just a second. HTTP is great, right? It's the stimulus-response: "I need this." "You got that." That's what drives the protocol that drives a lot of our web browsing today. HTTPS isn't necessarily a protocol in itself, and that's why I say the real star of the show is SSL, because all of the future security topics that we talk about (I'm not going to say all of them, a lot of them), like when you see FTPS, IMAPS, POP, all of these secure protocols, SMTPS, it's all the same stuff: it's using SSL, or I guess you could call it TLS. So let's start the conversation there. This is a big topic. That's why, if you get it now as we're talking about HTTP, all the other stuff is like, "Oh okay, it's just going to use that." So that's why I added this title. I didn't call it "HTTPS Web Surfing." I wanted this to stand out so if anybody searches for this they know exactly what the main topic is here.

SSL was created by Netscape in the 1990s. They looked at HTTP and they're like, "This works great, but we need it to be secure, so if somebody sniffs this data it's scrambled, it's encrypted." So there were many versions of this, and I actually talked about this in a previous video, where I talked about how the original SSL was kind of buggy; they fixed it in SSL 1.1 or something to that effect. And then it jumped ship: they rebranded (they didn't redo, they rebranded) SSL as TLS, Transport Layer Security. It's the same thing, it's just a new name that they use, and that's why you hear it used interchangeably. You'll see documents that say, "Oh yeah, that's using SSL," probably because HTTPS has an S; it's not HTTPT. So everybody kind of says SSL, but they realize that when you're looking at the actual protocol standard, today we use TLS, and furthermore we use one of the later versions of TLS than the original ones that came out. So it was rebranded as TLS, but it uses digital certificates from a trusted certificate authority and negotiates the encryption and hashing for the session. Okay, this is where it gets good, and this is where I really... hang on, I need you: if you're distracted, if there's another browser where you're checking the news or Twitter or something, hang on, stop, pay attention to this, because it's huge, and if you get this, so many doors will open in the future as you're learning all the other security protocols. So we just talked about this at the very beginning: typical HTTP, this guy sends a request, this guy sends a response, done. It's all clear text, it's sessionless, stateless, all that kind of stuff. Okay, so what if we wanted to use HTTPS, which is really HTTP with SSL/TLS on top of it? Well, the first thing that has to happen for that to even work at all is, sometime in the past (it's not like when your web client goes there; I mean sometime long ago, before you get there), the web server, whoever runs that website, goes to a trusted certificate authority.

What does that mean, trusted? It means there's not that many of them in the world, relatively speaking. VeriSign is the example I use all the time because they're one of the original ones. Trusted means that the people who create web browsers, like Microsoft who creates Microsoft Edge, or Google who creates Chrome, or all the variants out there, all the people who create web browsers look at VeriSign and they say, "Yes, I trust certificates that are issued by that CA." That's what I mean by a trusted CA. Let me do it on the flip side. That means you and I, if we're like, "I want to build a trusted CA," it's not so easy. Let me emphasize: anybody can create a CA. You can do it in a matter of minutes; it's really easy using Linux or Windows, you can become a CA. But all of the web browsers of the world (please, please get this), all of the web browsers of the world will hate you. They will reject you. And you've probably seen people that have created their own CA: when you visit a website, instead of seeing the website you see "This website is not trusted." There's a variety of reasons you could get that message, but one of them is because it has a certificate from an untrusted CA. Some web browsers today won't even let the person go past that; it'll say, "No, you can't," unless they almost hack the registry of the computer to try and get by that security vulnerability. So a trusted CA is a certificate authority, somebody who generates digital certificates (I'm going to talk about what that is in a second), that all of the web browsers of the world trust. So hang on, how do they maintain that trust? How does VeriSign ensure that they become and stay a trusted certificate generator? Well, one of the ways that they do that is they validate the identity.

When you have this web server and you go and say, "Hey, I want a digital certificate that will encrypt data to viatto.com," then the CA is going to be like, "Well, prove that you own Viatto. Give us a copy of your driver's license," in America, you know. "How can you prove that you own that domain? Are you really Viatto?" They're going to do their due diligence, and it behooves them, because if they don't, if they're just like, "Yeah," and they start handing out certificates, then the people who make the web browsers will be like, "I'm not trusting certificates from that CA anymore." So it works out. So this web presence, let's again go with Viatto, goes to the certificate authority and says, "I need a certificate." They get one because they validated their identity. Now this web server will install that digital certificate. Now there's all kinds of stuff on a digital certificate, but I've boiled it down to three major pieces. You have the identity, which is who the website is. Let's just write it up here: this is viatto.com. It'll be listed right there in the identity, or whatever the identity of that website is. And then there's what's actually known as a CA signature. This is the stamp of approval that this CA has genuinely authenticated or validated the identity of Viatto, so that when this is sent to the web browser, it goes, "Oh okay, I trust that signature, I trust that CA." Now I'm going to talk more about that signature in just a second, but it cannot be faked. There's no fake signature; it doesn't work. Mathematically impossible, or improbable, we'll say. So we'll come back to that in just a second. But the last thing, and probably the most significant thing for this discussion that's on that certificate, is the public key. What that is is half of an encryption formula. Anything that the public key encrypts cannot be decrypted any way except with the private key.

Now where's the private key? I don't know, somewhere locked away on that web server. When you install that certificate, the operating system stashes it away somewhere where you don't even know where it is, because they realize if somebody gets that private key (which can't happen, right?), if somebody gets that private key, all the encryption's done; they've got the other half of the formula. But I want you to keep in mind it is just half of the formula. Now, I'm sorry, that was all step one: we've got the certificate. Okay, so now let's get to some action. So this guy, the web client, goes to Viatto (man, throwing my fence here), goes to Viatto and says, "I want to get... give me your website, give me an image, give me whatever." Well, instead, if this is the first start of the session, Viatto, instead of giving him the website, sends this certificate to the web client, and he goes, "Oh okay, great, this is going to be a secure session." Immediately this client generates something called the session key. Now this is the key that's actually used to encrypt all the data between these guys in the future. Whoa, whoa, wait a second, I thought you said the public key was half the encryption formula? Well, I did. Okay, well how is this fitting into it? Well, let me make sure you get another key term right here. This public key is actually part of something known as asymmetric (I'll abbreviate it because I can't type, or talk and write, at the same time) encryption. That means two keys are used for every transaction, public and private. This key is known as symmetric encryption: one key can encrypt and one key can decrypt. So let's just say I have the word "cow." If I encrypt the word "cow" with that session key, well, that same session key can decrypt it. So it's one key to rule them all. Whereas with asymmetric encryption, if I encrypt the word "cow" with the public key, the public key can't decrypt it; you have to have the private key to do it. Two-key encryption.

This is brutal on the processor of a device. This is much easier. Okay, so let's put the puzzle pieces together. We go to Viatto, we get this digital certificate, this guy generates a session key that's very easy on the processor, not as strong as this but strong enough, my goodness, for a simple exchange between these guys. I mean, you're talking encryption standards like AES being used nowadays, and that's one of the things that I'll come back to right here: SSL/TLS itself isn't the symmetric encryption. This will get upgraded as time goes on; better and better methods will be changed out, so you don't have to change the whole protocol just because you want to improve your encryption standard. Do you get the idea? There's so much to talk about in this. Okay, hang on, let's go back. So we go to here. It sends the digital certificate. It generates the session key that'll be used to encrypt and decrypt, one key. It then uses the public key (you guys know where this is going), it uses the public key not to encrypt the communication, but to encrypt the session key. Here's the problem: we have a public network. Anybody could be grabbing any of the data whatsoever on that network, so how do you do encryption? If you send encryption keys over that, then somebody potentially could get them, unless you send half the encryption key. You send half the encryption key to encrypt the encryption key. That encrypted session key then comes back over to the web server, and that's what they use to encrypt and decrypt their communication for the rest of that session. My friends, that is what we call HTTPS. That is what we call FTPS. That is what we call anything that uses SSL and TLS; it uses this method. And that's why I painstakingly spend so much time hitting that with you, because if you get that (and I only want to talk about it once, because you can come back to this video a thousand times and know how that works), if you know how that works, you know how almost all the encryption works across public networks. That's how big this is.

Okay, so let me make sure that I've hit the key points here. Web server sends the digital certificate. Session key is generated. Public key... oh, I was going to come back to this. Okay, so the public key is used to encrypt this and send this over. Okay, I mentioned when I talked about the certificate that I'm going to come back and explain how this signature works. Now I'm going to tell you, this is not going to be one of those critical-to-the-process things, but it's really good to know, because it'll make a lot of other stuff make sense. If you don't understand what I'm about to tell you, you'll still understand the encryption part, but there will always be that lingering, "Well, but wait a sec." So I'm going to put this to bed right now. What is that signature? Well, it's a good question. All of the web clients in the world, I just mentioned, know who these guys are. Okay, well how do they know who those guys are? Let me fill in that puzzle piece. All of the web clients of the world... if I were to open (let me write down here so I have some room) Microsoft Edge and dig a little bit, I would see, for instance, VeriSign, and I would see a little key that it's maintaining for VeriSign. Microsoft Edge comes built in with the key, the public key, to VeriSign. It has the public key, for instance, to GoDaddy; that's another one that probably has a little more name recognition because of their marketing. It has the public key. These are all the public keys. It's all half of the formula. Remember, half the formula: the public key can encrypt and it can decrypt, but in the case that we... oh man, I just confused everything. Hang on, let me explain.

Anything that you encrypt with the public key can only be decrypted with the private key. But one thing I don't think I mentioned that is very important for that signature: anything that's encrypted with the private key can be decrypted by the public key. It's that yin-yang sort of thing. So what we were talking about just a moment ago is we were sending half of an encryption formula so it could encrypt the session key and send it over here. Well, all of the web browsers of the world (okay, hang on, let your brain catch up), all the web browsers of the world have the public keys of all these trusted CAs. So when this guy sends the certificate, that signature is actually encrypted. It's encrypted with the private key of the CA. Now I want to make sure you catch that. I'm not saying the certificate gives you the private key. I'm saying that VeriSign used their private key, which nobody in the world has (and their business would be ruined if somebody got it), but it has the private key at VeriSign, and they use that to sign the certificate. So when it comes over here, it looks at its list of CAs and it goes, "Oh okay, VeriSign, I've got their public key. Can I decrypt that encrypted signature with it and see? Oh okay, it's VeriSign, that's right, this is a genuine certificate." Oh man, that's heavy. That is heavy. So if you were hanging on by a thread with what I was just telling you with the session key and all that kind of stuff, go back, watch that again, then come back. The more you let it soak in, you start realizing that asymmetric encryption is that two-way thing. Anything encrypted with the public can be decrypted with the private; anything encrypted with the private can be decrypted by the public. That two-way yin-yang state is how certificate security works and how those signatures are validated. It's that simple.
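The whole exchange the captions walk through (CA signs the certificate with its private key, browser checks it with the built-in CA public key, client makes a session key and wraps it with the server's public key, both sides then use that one symmetric key), as an added example that is not part of the video or the channel's own material. It assumes a hypothetical CA standing in for VeriSign and a hypothetical server named viatto.com; it uses textbook RSA over freshly generated 512-bit keys and a toy HMAC-SHA256 keystream in place of the real TLS primitives so that it runs offline with only the Python standard library:

```python
# Added example, not from the video. Textbook RSA (no padding) and a toy
# symmetric cipher stand in for real TLS primitives so the script is self-contained.
import hashlib
import hmac
import os
import random

_rng = random.SystemRandom()  # OS entropy, not the default Mersenne Twister

def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if is_probable_prime(cand):
            return cand

def rsa_keypair(bits: int = 512):
    """Textbook RSA keys: public=(n, e), private=(n, d). Demo only: no padding scheme."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def rsa_public_op(pub, x: int) -> int:   # encrypt, or recover the hash from a signature
    return pow(x, pub[1], pub[0])

def rsa_private_op(priv, x: int) -> int:  # decrypt, or sign
    return pow(x, priv[1], priv[0])

def cert_digest(cert: dict) -> int:
    """SHA-256 over the fields the CA vouches for: the identity and the public key."""
    n, e = cert["public_key"]
    return int.from_bytes(hashlib.sha256(f'{cert["identity"]}|{n}|{e}'.encode()).digest(), "big")

def ca_issue_certificate(ca_priv, identity: str, server_pub) -> dict:
    """The CA 'encrypts' the certificate hash with its private key: sig = H(cert)^d mod n_ca."""
    cert = {"identity": identity, "public_key": server_pub}
    cert["ca_signature"] = rsa_private_op(ca_priv, cert_digest(cert))
    return cert

def browser_verify_certificate(cert: dict, trusted_ca_pubs) -> bool:
    """Browser: undo the signature with a built-in CA public key and compare hashes."""
    return any(rsa_public_op(ca_pub, cert["ca_signature"]) == cert_digest(cert)
               for ca_pub in trusted_ca_pubs)

def symmetric_xor(session_key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (HMAC-SHA256 counter keystream): one key encrypts and decrypts."""
    out = bytearray()
    for ctr, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(session_key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], ks))
    return bytes(out)

def https_session(server_cert: dict, server_priv, trusted_ca_pubs):
    """Client verifies the cert, makes a session key and wraps it with the server's public
    key; the server unwraps it with the private key that never left it. Returns both copies."""
    if not browser_verify_certificate(server_cert, trusted_ca_pubs):
        raise ValueError("certificate is not from a trusted CA")
    session_key = os.urandom(16)
    wrapped = rsa_public_op(server_cert["public_key"], int.from_bytes(session_key, "big"))
    server_copy = rsa_private_op(server_priv, wrapped).to_bytes(16, "big")
    return session_key, server_copy

def demo() -> dict:
    ca_pub, ca_priv = rsa_keypair()            # hypothetical CA standing in for VeriSign
    server_pub, server_priv = rsa_keypair()    # hypothetical viatto.com key pair
    cert = ca_issue_certificate(ca_priv, "viatto.com", server_pub)
    client_key, server_key = https_session(cert, server_priv, [ca_pub])
    plaintext = symmetric_xor(server_key, symmetric_xor(client_key, b"cow"))
    forged = dict(cert, identity="attacker.example")  # same signature, edited identity
    return {"keys_match": client_key == server_key, "plaintext": plaintext,
            "forged_accepted": browser_verify_certificate(forged, [ca_pub])}

if __name__ == "__main__":
    print(demo())
```

Running it shows the session key arriving identically on both sides, the word "cow" surviving the round trip under the one symmetric key, and a certificate whose identity was edited after signing being rejected because the recovered hash no longer matches. Real TLS pads RSA (PKCS#1 v1.5 or OAEP for encryption, PKCS#1 v1.5 or PSS for signatures) instead of using bare modular exponentiation, and TLS 1.3 dropped RSA key transport in favour of ephemeral Diffie-Hellman for the session key, so read this as a model of the idea in the captions rather than of the bytes on the wire.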
Info
Channel: Viatto
Views: 11,191
Rating: 4.9602647 out of 5
Id: 10aVMoalON8
Length: 19min 39sec (1179 seconds)
Published: Wed Jan 20 2021