How HTTPS Works: A Deep Dive into Secure Data Transmission

Hypertext Transfer Protocol Secure (HTTPS) is an extension of HTTP that encrypts traffic using Transport Layer Security (TLS). If the traffic is intercepted, an attacker sees only ciphertext, which gives the connection confidentiality and integrity.

How Data is Encrypted and Decrypted

Step 1: TCP Connection Establishment

The client (browser) and server establish a TCP connection (usually on port 443).

# Check HTTPS connection using cURL
curl -I https://example.com

Step 2: SSL/TLS Handshake

  • The client sends a “Client Hello” with supported cipher suites and TLS versions.
  • The server responds with a “Server Hello”, selecting the best cipher and TLS version.
  • The server sends its SSL certificate (containing the public key).

# Verify the server certificate with OpenSSL (stdin is closed so s_client exits after the handshake)
openssl s_client -connect example.com:443 -servername example.com </dev/null | openssl x509 -noout -text

Step 3: Key Exchange & Session Key Generation

  • The client validates the certificate (checking issuer, expiry, and domain).
  • It generates a session key, encrypts it with the server’s public key, and sends it back.
  • The server decrypts it using its private key.

# Generate a self-signed cert (for testing only)
openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365

Step 4: Symmetric Encryption for Data Transfer

Both parties now use the same session key for symmetric encryption (AES, ChaCha20).

# Enumerate the TLS versions and cipher suites the server offers, with Nmap
nmap --script ssl-enum-ciphers -p 443 example.com

Why HTTPS Switches to Symmetric Encryption

1. Security: Asymmetric encryption (RSA) only works one way: what the public key encrypts, only the private key can decrypt.
2. Performance: Symmetric encryption (AES) is faster for bulk data.

You Should Know: Essential HTTPS Security Checks

1. Check Certificate Validity

openssl x509 -enddate -noout -in cert.pem

2. Force HTTPS with HSTS (HTTP Strict Transport Security)

Add to the web server config (Apache/Nginx; the Nginx form is shown):

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; 

3. Disable Weak Ciphers

Nginx Example:

ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384'; 
ssl_prefer_server_ciphers on; 

4. Test HTTPS Security with OpenSSL

openssl s_client -tls1_3 -connect example.com:443 

5. Automate Certificate Renewal (Let’s Encrypt)

sudo certbot renew --dry-run 
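The checks above can be scored mechanically against what those commands print: the HSTS header value, the notAfter line from openssl, and the cipher list. This is an added example, not code from the original post; every input in it is a constructed sample (cipher names in either OpenSSL or IANA notation, as printed by openssl or nmap).

```python
"""Score this post's HTTPS checks offline: HSTS header strength, certificate expiry from
'openssl x509 -enddate', and cipher-suite weaknesses (names in OpenSSL or IANA notation).
Added example, not from the original post; every input below is a constructed sample."""
import re
from datetime import datetime, timezone

SAMPLE_HSTS = "max-age=31536000; includeSubDomains"   # constructed header value
SAMPLE_ENDDATE = "notAfter=Mar 10 12:00:00 2026 GMT"   # constructed 'openssl -enddate' line
SAMPLE_NOW = "Mar  1 00:00:00 2026 GMT"                # constructed "current" time
SAMPLE_CIPHERS = ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
                  "AES128-SHA", "ECDHE-RSA-DES-CBC3-SHA"]   # constructed suite list

def parse_hsts(header):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().lower().partition("=")
        if name == "max-age" and value.strip().isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def hsts_is_strong(header, min_age=31536000):
    """HSTS only blocks downgrades while cached: require >= 1 year and includeSubDomains."""
    max_age, include_sub = parse_hsts(header)
    return max_age is not None and max_age >= min_age and include_sub

def parse_openssl_time(stamp):
    """Parse openssl's 'Mon DD HH:MM:SS YYYY GMT' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp.strip(), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def days_until_expiry(enddate_line, now=None):
    """Days left given the 'notAfter=...' line from openssl; negative means already expired."""
    _, _, stamp = enddate_line.partition("=")
    now = now or datetime.now(timezone.utc)
    return (parse_openssl_time(stamp) - now).days

def weak_ciphers(suites):
    """Flag suites lacking forward secrecy (static RSA key transport) or AEAD, or using legacy algorithms."""
    weak = []
    for suite in suites:
        tls13 = suite.startswith(("TLS_AES_", "TLS_CHACHA20_"))  # TLS 1.3 suites always use (EC)DHE
        forward_secret = tls13 or "DHE" in suite                 # ECDHE/DHE in OpenSSL or IANA names
        aead = "GCM" in suite or "CHACHA20" in suite
        legacy = re.search(r"RC4|DES|MD5|NULL|EXPORT", suite) is not None
        if not (forward_secret and aead) or legacy:
            weak.append(suite)
    return weak
```

Feed the real output of the curl, openssl and nmap commands above into these functions to turn the checklist into a pass/fail report.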

What Undercode Says

HTTPS is non-negotiable for modern web security. Always:

  • Enforce TLS 1.2/1.3 (disable older versions).
  • Use strong cipher suites (AES-GCM, ChaCha20).
  • Monitor certificate expiry (Nagios, Zabbix).
  • Implement HSTS to prevent downgrade attacks.

For penetration testers:

# Test SSL/TLS configuration weaknesses with testssl.sh
./testssl.sh example.com

For sysadmins:

# Check that plain HTTP redirects to HTTPS, following redirects with curl
curl -v -L http://example.com

Expected Output

A secure, encrypted connection with TLS 1.3, valid certificates, and no weak ciphers:

  • SSL connection using TLSv1.3 / AES256-GCM-SHA384
  • Server certificate: example.com (valid)
  • HTTP Strict Transport Security (HSTS) enabled

Prediction

Future web protocols (QUIC, HTTP/3) will further optimize HTTPS performance while maintaining strong encryption. Zero-trust architectures will make mutual TLS (mTLS) standard for API security.

Reported By: Dharamveer Prasad – Hackers Feeds