4.3.27 · HinglishComputer Networks

HTTPS — TLS handshake, certificates, CA

2,054 words9 min readRead in English

4.3.27 · Coding › Computer Networks


HTTPS kyun exist karta hai?

Plain HTTP mein sab kuch TCP ke upar cleartext mein jaata hai. Path mein koi bhi (tumhara café Wi-Fi, tumhara ISP, koi router) yeh kar sakta hai:

  • Tumhare passwords/cookies padh sakta hai (koi confidentiality nahi),
  • Page ko modify kar sakta hai (ads/malware inject karo → koi integrity nahi),
  • Server ki impersonation kar sakta hai (tumhare bank ka natak karo → koi authenticity nahi).

Building blocks (JO tumhe pehle se pata hona chahiye)

DO tarah ka crypto kyun? Asymmetric identity ke liye secure hai but slow hai. Symmetric fast hai but usse shared secret chahiye. Toh hum asymmetric ek baar use karte hain symmetric key safely set up karne ke liye, phir baaki sab ke liye symmetric. Yahi TLS ke dil mein hybrid idea hai.


Certificates & CA — "public key kiska hai?" problem solve karna

Akela key exchange bekar hai agar ek attacker middle mein baith ke (MITM) tumhe apni public key de de. Hume proof chahiye ki public key bank.com ki hai.


TLS 1.2 handshake — step by step derive kiya

Hum ise teen goals se build karte hain, puchte hue "yeh message kyun chahiye?"

Figure — HTTPS — TLS handshake, certificates, CA

TLS 1.3 (modern, 1-RTT)

TLS 1.3 ise streamline karta hai: ClientHello already ek DH key share include karta hai; server apna share + cert + Finished reply karta hai. Data 1 round trip ke baad flow kar sakta hai (ya resumption ke liye 0-RTT). Sirf forward-secret ECDHE/DHE suites rehte hain.


Diffie–Hellman mini-derivation (shared secrets ka jaadu)


Common mistakes (Steel-man + fix)


Recall Feynman: ek 12-saal ke bachche ko samjhao

Socho tum ek shopkeeper ko koi secret whisper karna chahte ho, but tumse kabhi nahi mili aur gali pickpocketers se bhari hai. Pehle tum unka ID card maangoge jo town mayor ne stamp kiya ho jis pe tum already trust karte ho — yeh prove karta hai woh asli shopkeeper hain, koi imposter nahi (certificate + CA). Phir tum dono ek shared secret password ek clever tarike se invent karte ho taaki watchers bhi nahi figure out kar sakein (key exchange / Diffie–Hellman). Tab se tum ek code mein baat karte ho jo sirf tum dono jaante ho (symmetric encryption). Pickpockets ko gibberish dikhta hai. Pura yeh "ID dikhao, secret code pe agree karo" greeting hi handshake hai.


Flashcards

HTTPS kaun se do protocols se bana hai aur kaun se port pe?
HTTP + TLS, port 443.
TLS kaun si teen security guarantees deta hai?
Confidentiality, integrity, authentication.
Domain name ko public key se kaun bind karta hai aur use kaun sign karta hai?
Ek certificate; Certificate Authority (CA) sign karta hai.
Chain of trust kya hai?
Leaf cert → intermediate(s) → root, har ek agale ne sign kiya, browser ke trust store mein ek root pe khatam hota hai.
TLS mein asymmetric aur symmetric crypto dono kyun use hote hain (hybrid)?
Asymmetric securely ek shared secret bootstrap karta hai (slow), phir fast symmetric crypto bulk data encrypt karta hai.
RSA key transport mein client server ki public key se kya encrypt karta hai?
Pre-master secret.
Master secret kis se derive hota hai?
PRF(pre-master secret, client random, server random).
Forward secrecy kya hai aur kaun sa exchange ise deta hai?
Past sessions safe rehte hain chahe long-term key baad mein leak ho jaaye; ephemeral Diffie–Hellman (ECDHE) se milta hai.
Finished message kya protect karta hai?
Poore handshake transcript ki integrity (earlier cleartext messages ke saath tampering detect karta hai).
Self-signed cert browsers ko kyun untrusted lagta hai?
Trusted root CA tak koi chain nahi, isliye identity verify nahi ho sakti.
Kya valid cert matlab site honest hai?
Nahi — yeh sirf prove karta hai ki tum securely real domain owner se baat kar rahe ho; phishing sites ke paas bhi valid certs ho sakte hain.
Diffie–Hellman ko secure kaun si hard problem banati hai?
Discrete logarithm problem ( se recover karna).
Full TLS 1.3 handshake mein kitne round trips hote hain?
1 RTT (resumption ke liye 0-RTT).
HTTPS ke saath bhi (classic TLS mein) URL ka kaun sa part visible rehta hai?
SNI ke through domain name; path/query encrypted hote hain.

Connections

  • HTTP — methods, status codes
  • TCP — three-way handshake (TLS ek established TCP connection ke upar ride karta hai)
  • Symmetric vs Asymmetric Encryption
  • Diffie–Hellman Key Exchange
  • Digital Signatures & Hashing
  • Public Key Infrastructure (PKI)
  • DNS (us domain ko resolve karta hai jiska cert tum phir verify karte ho)

Concept Map

vulnerable to

motivates

wraps

equals HTTP plus

provides

bootstraps

and enables

encrypts

achieved via

uses

signs

signs

verified via

anchored in

HTTP cleartext

Read Modify Impersonate

HTTPS on port 443

TLS tunnel

Confidentiality Integrity Authentication

Asymmetric crypto

Symmetric cipher AES-GCM

Digital signature

Bulk data fast

TLS handshake

Certificate binds domain to public key

Certificate Authority

Chain of trust leaf to root

Browser trust store