HTTPS is a way of encrypting HTTP. It basically wraps HTTP messages up in an encrypted format using SSL/TLS.
SSL is secure sockets layer and TLS is transport layer security, both are cryptographic protocols designed to provide communication security over computer network.
SSL is basically deprecated and TLS is what we all use (so if someone says SSL in 2019, they’re most likely referring to TLS).
Note that TLS is not mandatory according to the HTTP/2 spec but most browsers will only allow HTTP/2 over TLS.
Encryption: Asymmetric vs Symmetric
TLS handshake uses asymmetric encryption where the server produces two keys: public and private. Data can be locked/encrypted using the server’s public key but can only be unlocked/decrypted using the server’s private key.
The server sends server’s public key to the client. It can be seen by anyone on the network but it doesn’t matter because it is a public key (which can only be used to lock/encrypt things).
Client now creates a new symmetric key on its side (a key that can be used to both lock and unlock). Client locks this symmetric key in a box using the server’s public key and sends it to the server.
People can again see this box on the network but cannot unlock it without the server’s private key. (Note: The act of secretly listening to a private conversation is called eavesdropping).
Once server receives this box, it unlocks it using server’s private key and finds a symmetric key with a note from the client which says “we shall now communicate using this symmetric key”.
At this point, client and server don’t need to send keys anymore. They can send data by locking it with the symmetric key and unlock it using the same symmetric key.
💥 Boom! That’s how data is securely sent over the network 🙂
Reference: https://www.cloudflare.com/learning/cdn/cdn-ssl-tls-security/
CS Mumbai 