When you enter your credit card details or login credentials, HTTPS encryption acts as your digital bodyguard against cyber threats. Here’s how it works:
1️⃣ Your Browser Requests a Secure Connection
→ The browser initiates an HTTPS request to the server.
2️⃣ The Web Server Responds with a Public Key
→ The server sends its SSL/TLS certificate containing a public key.
3️⃣ Your Browser Creates a Secret Session Key
→ The browser generates a symmetric session key, encrypted with the server’s public key.
4️⃣ The Encrypted Session Key Is Sent to the Server
→ The server decrypts it using its private key.
5️⃣ Symmetric Encryption Takes Over
→ The session key is now used for fast, secure data exchange.
Asymmetric encryption (public-private key) secures the initial handshake, while symmetric encryption ensures efficient protection during the session.
## **You Should Know:**
### **1. Verify HTTPS Manually (Linux/Windows/Mac)**
- Check the Padlock Icon: Ensure the URL starts with `https://` and has a padlock symbol.
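- Inspect Certificate (Browser):
  - Chrome/Firefox: Click the padlock > Connection is Secure > Certificate is Valid.
- Command Line (Linux):

```bash
# </dev/null closes stdin so s_client exits after the handshake instead of waiting for input
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates
```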
### **2. Testing HTTPS with cURL**

```bash
curl -I https://example.com
```

- If curl completes the TLS handshake and the response includes a status line such as `HTTP/2 200`, the site supports HTTPS.
### **3. Forcing HTTPS with HSTS (Strict-Transport-Security)**
- Check if a site enforces HTTPS:

```bash
# -s hides the progress meter that curl prints when its output is piped
curl -sI https://example.com | grep -i Strict-Transport-Security
```
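The `grep` above only shows that the header is present. As an added example (not code from the original post), the function below reads `curl -sI` output on stdin and grades the header's `max-age` and `includeSubDomains` directives. The function names, the constructed sample headers and the one-year `max-age` floor are assumptions.

```shell
#!/bin/sh
# Added example: grade the HSTS header found in `curl -sI` output on stdin.
# Assumption: one year (31536000 s) is the lowest max-age we accept.
MIN_MAX_AGE=31536000

hsts_audit() {
  # HTTP header lines end in CRLF; keep only the first HSTS header.
  header=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1)
  if [ -z "$header" ]; then
    echo "FAIL: no Strict-Transport-Security header"; return 1
  fi
  # Drop the header name, spaces and quotes; lower-case; one directive per line.
  directives=$(printf '%s\n' "${header#*:}" | tr -d ' \t"' |
               tr '[:upper:]' '[:lower:]' | tr ';' '\n')
  max_age=$(printf '%s\n' "$directives" | sed -n 's/^max-age=//p' | head -n 1)
  subdomains=no
  printf '%s\n' "$directives" | grep -qx 'includesubdomains' && subdomains=yes

  case $max_age in
    ''|*[!0-9]*) echo "FAIL: max-age missing or not a number"; return 1 ;;
  esac
  if [ "$max_age" -eq 0 ]; then
    # max-age=0 is the documented way to switch HSTS off for a host.
    echo "FAIL: max-age=0 tells the browser to forget its HSTS entry"; return 1
  fi
  if [ "$max_age" -lt "$MIN_MAX_AGE" ]; then
    echo "WARN: max-age=$max_age is below $MIN_MAX_AGE includeSubDomains=$subdomains"
    return 0
  fi
  echo "PASS: max-age=$max_age includeSubDomains=$subdomains"
}

# Constructed sample response headers (not captured from a real site).
sample_headers() {
  printf 'HTTP/2 200\r\ncontent-type: text/html\r\n'
  printf 'Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n\r\n'
}

sample_headers | hsts_audit
# Against a live site: curl -sI https://example.com | hsts_audit
```

Browsers honor this header only when it arrives over HTTPS, so run the check against the `https://` URL.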
### **4. Decoding SSL/TLS Certificates**
```bash
openssl x509 -in certificate.crt -text -noout
```
### **5. Simulating HTTPS Handshake with OpenSSL**
```bash
openssl s_client -connect example.com:443 -tls1_2
```
### **6. Windows: Check HTTPS via PowerShell**
```powershell
Invoke-WebRequest -Uri "https://example.com"
```
### **7. Detecting Weak Ciphers (Nmap)**
```bash
nmap --script ssl-enum-ciphers -p 443 example.com
```
## **What Undercode Say:**
HTTPS is not optional—it’s a necessity for secure web communication. Without it, data travels in plaintext, vulnerable to interception. Always verify certificates, enforce HSTS, and test configurations regularly. For developers, implement HTTP Strict Transport Security (HSTS) and Certificate Transparency to prevent man-in-the-middle attacks.
### **Additional Commands:**
- Check SSL Expiry:

```bash
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -enddate
```

- Test TLS 1.3 Support:

```bash
openssl s_client -connect example.com:443 -tls1_3
```

- Disable Weak Protocols (Server Hardening, nginx):

```nginx
ssl_protocols TLSv1.2 TLSv1.3;
```
## **Expected Output:**
- A secure, encrypted session with verified certificates.
- No mixed-content warnings in browsers.
- Successful handshake confirmation via `openssl s_client`.
References:
Reported By: Alexrweyemamu 𝗘𝘃𝗲𝗿 – Hackers Feeds



