Hypertext Transfer Protocol Secure (HTTPS) is an extension of HTTP that uses Transport Layer Security (TLS) to encrypt communication between a client and a server. Intercepted data is unreadable to an eavesdropper and protected against tampering.
What’s the process for encrypting and decrypting data?
1. TCP Connection Establishment
The client (e.g., browser) establishes a TCP connection with the server.
2. Client Hello
The browser sends a “client hello” message containing:
- Supported cipher suites
- Highest TLS version it supports
3. Server Hello
The server responds with:
- Selected cipher suite & TLS version
- TLS certificate (containing domain, CA signature, and public key)
4. Certificate Validation
The client verifies the server’s certificate.
5. Session Key Exchange
- The client generates a session key (symmetric encryption key).
- Encrypts it with the server’s public key.
- The server decrypts it using its private key.
6. Secure Symmetric Encryption
Both parties now use the session key for fast, secure data transfer.
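### **You Should Know:**
#### **1. Checking SSL/TLS Certificate (Linux/Windows)**
**Linux (OpenSSL):**
```bash
# </dev/null closes the session after the handshake instead of waiting on stdin
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -text
```
**Windows (PowerShell):**
```powershell
# Confirms that TCP port 443 is reachable; it does not retrieve or validate the certificate
Test-NetConnection -ComputerName example.com -Port 443
```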
#### **2. Generating a Self-Signed Certificate (For Testing)**
```bash
# -nodes leaves the private key unencrypted on disk; acceptable for test keys only
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
```
#### **3. Testing TLS Handshake with `curl`**
```bash
curl -v https://example.com --tlsv1.3
```
#### **4. Forcing HTTPS with HSTS (Web Server Config)**
**Apache:**
```apache
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
```
**Nginx:**
```nginx
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
```
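The check below is an added example, not part of the original post: a small Python audit of a response's `Strict-Transport-Security` header against the policy configured above. The function names and sample headers are constructed for illustration, and the one-year threshold is the minimum `max-age` required for preload-list submission at hstspreload.org.

```python
import re
# One year in seconds: the minimum max-age accepted for preload-list submission.
PRELOAD_MIN_AGE = 31536000

def parse_hsts(value):
    """Split a header value into {directive: argument}; names are case-insensitive."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue  # tolerate empty segments such as a trailing ';'
        if name in directives:
            raise ValueError(f"duplicate directive {name!r}")  # RFC 6797 6.1: once only
        directives[name] = arg.strip().strip('"')  # max-age may be a quoted-string
    return directives

def audit_hsts(headers):
    """headers: (name, value) pairs from one HTTPS response. Returns a list of findings."""
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return ["missing Strict-Transport-Security header"]
    findings = []
    if len(values) > 1:
        findings.append("header sent more than once; browsers process only the first")
    try:
        d = parse_hsts(values[0])
    except ValueError as exc:
        return findings + [f"invalid header: {exc}"]
    if not re.fullmatch(r"[0-9]+", d.get("max-age", "")):
        return findings + ["invalid header: max-age missing or non-numeric"]
    age = int(d["max-age"])
    subdomains = "includesubdomains" in d
    if age == 0:
        findings.append("max-age=0 removes the HSTS policy for this host")
    elif age < PRELOAD_MIN_AGE:
        findings.append(f"max-age={age} is shorter than one year")
    if not subdomains:
        findings.append("includeSubDomains absent; subdomains are not covered")
    if "preload" in d and (age < PRELOAD_MIN_AGE or not subdomains):
        findings.append("preload set, but preload-list requirements are not met")
    return findings

# Constructed sample responses (not captured traffic).
PAGE_CONFIG = [("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload")]
WEAK_CONFIG = [("strict-transport-security", 'max-age="300"; preload')]
if __name__ == "__main__":
    for sample in (PAGE_CONFIG, WEAK_CONFIG, [("Content-Type", "text/html")]):
        print(audit_hsts(sample) or "OK")
```

An empty list means the header matches the policy shown in the Apache and Nginx lines; the parser splits on `;` only, which is sufficient for the directives HSTS defines.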
#### **5. Decrypting HTTPS Traffic (For Security Testing)**
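Use **Wireshark** with **SSLKEYLOGFILE** (the browser must be started with this variable set so that it writes its session secrets to the file):
```bash
export SSLKEYLOGFILE=~/sslkeylog.log
```
Then point Wireshark at the log file:
`Preferences → Protocols → TLS → (Pre)-Master-Secret log filename`
Anyone who holds the key log file can decrypt the captured sessions, so unset the variable and delete the file once testing is done.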
### **What Undercode Say:**
HTTPS ensures secure communication, but misconfigurations can lead to vulnerabilities. Always:
- Enforce TLS 1.2+ (disable older versions).
- Use strong cipher suites (e.g., AES-GCM, ChaCha20).
- Monitor certificate expiry (`openssl x509 -enddate -noout -in cert.pem`).
- Implement HSTS to prevent downgrade attacks.
For penetration testers, tools like Burp Suite and SSLScan help assess HTTPS security:
```bash
sslscan example.com
```
**Expected Output:**
A secure, encrypted connection with verified certificates and strong cipher suites.
Reported By: Sahnlam How – Hackers Feeds



