HTTPS and Web Security

Every time you enter a password, submit payment details, or simply browse a website showing the familiar padlock icon, you're relying on one of the most critical security mechanisms in computing history: Transport Layer Security (TLS). This protocol, working silently beneath HTTP, transforms insecure web traffic into encrypted, authenticated, and integrity-protected communication.

HTTPS—HTTP Secure—is not a separate protocol but rather standard HTTP operating over a TLS-secured connection. Understanding this integration is essential for any engineer working with web technologies, as it forms the bedrock of modern internet security.

In this comprehensive exploration, we'll dissect exactly how TLS integrates with HTTP, from the initial handshake through encryption of every byte, revealing the elegant engineering that protects billions of transactions daily.

To understand HTTPS, we must first appreciate its architectural position within the network stack. HTTPS is not a modification of HTTP itself—it's HTTP running unchanged over a secure transport layer provided by TLS.

The Protocol Stack Perspective:

In the traditional HTTP model:

Application Layer: HTTP
Transport Layer:   TCP
Network Layer:     IP

With HTTPS, TLS inserts itself as a sublayer:

Application Layer: HTTP
                   ↓ (HTTP messages passed to TLS)
Security Layer:    TLS (encrypts/authenticates)
                   ↓ (TLS records passed to TCP)
Transport Layer:   TCP
Network Layer:     IP

This layering is crucial—HTTP operates completely unaware that encryption is happening. From HTTP's perspective, it simply reads and writes data. TLS intercepts this data, encrypts it, and passes encrypted records to TCP. On the receiving end, TLS decrypts the data before passing it to HTTP. This transparency is what allows all HTTP methods, headers, and semantics to work identically over HTTPS.

What TLS Actually Protects:

When you access https://example.com/api/users?id=123, here's what's encrypted vs. visible:

Encrypted (Hidden from Network Observers):

• The full URL path (/api/users?id=123)
• All HTTP headers (including cookies, authorization tokens)
• The entire HTTP request body
• The entire HTTP response (status, headers, body)
• Even the HTTP method (GET, POST, etc.)

Not Encrypted (Metadata Still Visible):

• IP addresses of client and server
• The destination hostname (via SNI—Server Name Indication)
• Approximate size of request/response
• Timing of packets

This distinction matters for privacy analysis—even with HTTPS, a network observer knows that you're communicating with a site and how much data you're exchanging, but not what you're communicating.

Before any HTTP data can be exchanged securely, client and server must establish shared cryptographic secrets through the TLS handshake. This carefully choreographed dance accomplishes several critical objectives simultaneously:

1. Cipher Suite Negotiation — Agree on encryption algorithms
2. Server Authentication — Verify the server's identity via certificate
3. Key Exchange — Establish shared symmetric keys securely
4. Optional Client Authentication — Verify client identity if required

TLS 1.3 vs Previous Versions:

TLS 1.3, released in 2018, represents a significant modernization of the handshake. Compared to TLS 1.2:

Let's trace through the complete TLS 1.3 handshake to understand each step:

Phase 1: ClientHello (Client → Server)

The handshake begins when the client sends a ClientHello message containing:

• Supported TLS Versions: Modern clients advertise TLS 1.3 support while maintaining backward compatibility
• Cipher Suites: A prioritized list of acceptable cryptographic algorithms
• Key Share Extension: Precomputed ECDHE public key(s) for anticipated curve(s)—this is the crucial optimization that enables 1-RTT
• Server Name Indication (SNI): The hostname being connected to (needed for virtual hosting)
• Supported Groups: Elliptic curves/DH groups the client supports
• Signature Algorithms: Acceptable algorithms for certificate verification

ClientHello:
  Protocol Version: TLS 1.3
  Random: (32 bytes of client random)
  Cipher Suites:
    TLS_AES_256_GCM_SHA384
    TLS_AES_128_GCM_SHA256
    TLS_CHACHA20_POLY1305_SHA256
  Extensions:
    server_name: example.com
    supported_versions: TLS 1.3, TLS 1.2
    key_share: (x25519 public key)
    signature_algorithms: ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256

Phase 2: ServerHello and Encrypted Server Messages (Server → Client)

The server responds with ServerHello, which includes:

• Selected Protocol Version: TLS 1.3
• Selected Cipher Suite: The server's choice from the client's list
• Key Share: The server's ECDHE public key

Critically, in TLS 1.3, immediately after ServerHello, all further server messages are encrypted. This is possible because both parties now have enough information to derive encryption keys:

Handshake Secret = HKDF-Extract(
    ECDHE Shared Secret,
    Derived from transcript hash
)

The remaining encrypted messages include:

1. EncryptedExtensions: Additional negotiated parameters
2. Certificate: The server's certificate chain
3. CertificateVerify: Digital signature proving private key possession
4. Finished: MAC over entire handshake transcript

Phase 3: Client Finished and Application Data

After receiving and validating the server's messages, the client:

1. Verifies the Certificate Chain — Ensures it chains to a trusted root CA
2. Verifies CertificateVerify — Confirms the server possesses the private key
3. Derives Application Traffic Keys — Uses the handshake secret to generate final keys
4. Sends Finished — MAC proving the client saw the same handshake transcript

At this point, the 1-RTT handshake is complete. The client can immediately begin sending HTTP requests encrypted with the application keys. The server, upon receiving and validating Client Finished, can respond with encrypted HTTP responses.

The handshake has accomplished:

• Mutual agreement on cryptographic algorithms
• Authentication of the server (and optionally the client)
• Establishment of forward-secret symmetric keys
• Protection against tampering of the handshake itself

A cipher suite defines the complete set of cryptographic algorithms used to secure a TLS connection. Understanding cipher suites is essential for configuring secure HTTPS servers and diagnosing connection issues.

TLS 1.3 Cipher Suite Structure:

TLS 1.3 dramatically simplified cipher suites. The naming convention is:

TLS_<AEAD>_<HASH>

• AEAD: Authenticated Encryption with Associated Data (e.g., AES-GCM, ChaCha20-Poly1305)
• HASH: Hash function for key derivation (e.g., SHA256, SHA384)

The key exchange algorithm (ECDHE/DHE) is negotiated separately via extensions, not in the cipher suite itself.

TLS 1.3 Cipher Suites:

Legacy TLS 1.2 Cipher Suites (For Comparison):

TLS 1.2 cipher suites were more complex, specifying every component:

TLS_<KEY_EXCHANGE>_WITH_<CIPHER>_<MAC>

Example: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

• Key Exchange: ECDHE (Elliptic Curve Diffie-Hellman Ephemeral)
• Authentication: RSA certificate
• Encryption: AES-128 in GCM mode
• MAC: SHA-256 (integrated in GCM)

TLS 1.2 supported over 300 cipher suites, many of which were insecure. TLS 1.3's reduction to 5 suites eliminates this complexity and removes all known weak algorithms.

Cipher Suite Selection Process:

During the handshake:

1. Client Preference: ClientHello lists cipher suites in priority order
2. Server Decision: Server selects from the intersection of client and server supported suites
3. Server Preference: Typically, servers use their own preference ordering (configurable)

Recommended Server Configuration (Nginx Example):

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;

# TLS 1.3 ciphersuites (separate configuration)
ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256;

# TLS 1.2 ciphersuites (for backward compatibility)
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;

ssl_ecdh_curve X25519:secp384r1:secp256r1;

This configuration prioritizes security (256-bit) while ensuring broad compatibility and optimal performance through curve/cipher ordering.

The most critical aspect of TLS security is key exchange—the mechanism by which client and server establish shared symmetric keys without ever transmitting those keys over the network. TLS 1.3 mandates ephemeral key exchange, ensuring forward secrecy for all connections.

What is Forward Secrecy?

Forward secrecy (also called Perfect Forward Secrecy or PFS) guarantees that:

Compromise of a server's long-term private key does not compromise past session keys.

This property is crucial because:

1. Attackers may record encrypted traffic today and attempt decryption later
2. Server keys may eventually be compromised (theft, legal compulsion, cryptographic breakthrough)
3. Without forward secrecy, all historical traffic becomes readable

With forward secrecy, each session uses unique ephemeral keys that are discarded after use. Even with the server's private key, an attacker cannot derive past session keys.

ECDHE: Elliptic Curve Diffie-Hellman Ephemeral

ECDHE is the predominant key exchange mechanism in TLS 1.3. It combines the security of elliptic curve cryptography with ephemeral key generation:

The ECDHE Process:

1. Client generates ephemeral key pair:

   • Private key: a (random 256-bit integer)
   • Public key: A = a × G (point multiplication on elliptic curve)
   • Sends A in ClientHello key_share extension

2. Server generates ephemeral key pair:

   • Private key: b (random integer)
   • Public key: B = b × G
   • Sends B in ServerHello key_share extension

3. Both compute shared secret:

   • Client computes: S = a × B = a × (b × G) = ab × G
   • Server computes: S = b × A = b × (a × G) = ba × G
   • Same point! (ab × G = ba × G)

4. Derive keys from shared secret:

   • Use HKDF (HMAC-based Key Derivation Function)
   • Input: shared secret + handshake transcript hash
   • Output: encryption keys, IV, MAC keys

Popular Elliptic Curves:

Key Derivation in TLS 1.3:

TLS 1.3 uses a sophisticated key derivation schedule based on HKDF (RFC 5869). The process ensures that keys are bound to the entire handshake transcript:

Early Secret = HKDF-Extract(salt=0, IKM=0)
    ↓
Handshake Secret = HKDF-Extract(salt=Derived, IKM=ECDHE_shared_secret)
    ├── client_handshake_traffic_secret
    └── server_handshake_traffic_secret
    ↓
Master Secret = HKDF-Extract(salt=Derived, IKM=0)
    ├── client_application_traffic_secret_0
    ├── server_application_traffic_secret_0
    └── resumption_master_secret (for session tickets)

Each derived secret is mixed with the transcript hash (all handshake messages so far), ensuring that any modification to the handshake would result in different keys and cause the connection to fail.

Key Hierarchy Benefits:

• Different keys for handshake vs. application data
• Separate client and server keys (prevents reflection attacks)
• Key rotation support via KeyUpdate message
• Resumption secrets for 0-RTT connections

Once the handshake establishes encryption keys, the TLS Record Protocol takes over to protect actual HTTP data. This layer handles fragmentation, compression (deprecated), encryption, and MAC computation for all application data.

Record Protocol Structure:

Every piece of data in TLS is wrapped in a record:

+--------+--------+--------+--------+--------+--------+...
| Type   | Version| Length          | Payload (encrypted)...
| 1 byte | 2 bytes| 2 bytes         | up to 2^14 bytes
+--------+--------+--------+--------+--------+--------+...

• Type: Handshake (22), Application Data (23), Alert (21), Change Cipher Spec (20—TLS 1.2 only)
• Version: Protocol version (0x0303 for TLS 1.2/1.3—yes, TLS 1.3 still uses 1.2's version number for compatibility)
• Length: Size of the encrypted payload
• Payload: The encrypted content

AEAD Encryption in TLS 1.3:

TLS 1.3 exclusively uses AEAD (Authenticated Encryption with Associated Data) ciphers. AEAD combines encryption and authentication into a single operation, eliminating the padding oracle vulnerabilities that plagued earlier TLS versions.

AES-GCM Encryption:

Authenticated Data (AAD):
  - Record type
  - Protocol version  
  - Record length

Encryption Input:
  - Key: application_traffic_secret derived
  - Nonce: 12 bytes (XOR of IV and sequence number)
  - Plaintext: HTTP message content
  - AAD: as above

Output:
  - Ciphertext (same length as plaintext)
  - Authentication Tag (16 bytes)

The authentication tag ensures:

1. Integrity: Any modification to ciphertext is detected
2. Authenticity: Only someone with the key could have created this ciphertext
3. Replay Protection: Sequence numbers prevent replaying old records

Nonce Construction and Replay Prevention:

Each TLS record uses a unique nonce (number used once) constructed as:

nonce = IV XOR sequence_number

• IV: Derived from traffic secret, constant for the session
• Sequence Number: 64-bit counter, starts at 0, increments per record

The sequence number is not transmitted—both parties maintain synchronized counters. If records arrive out of order or are replayed, the wrong nonce produces garbage/authentication failure.

Maximum Record Size:

TLS limits records to 2^14 bytes (16,384 bytes) of plaintext. This:

• Limits memory requirements
• Reduces latency for time-sensitive applications
• Prevents amplification attacks

HTTP Message Spanning Multiple Records:

Large HTTP responses (e.g., a 10MB file download) span many TLS records:

HTTP Response (10 MB)
    ↓
TLS Record 1 (16 KB encrypted HTTP data)
TLS Record 2 (16 KB encrypted HTTP data)
...
TLS Record 640 (remaining data)

Each record is independently encrypted and authenticated, but the sequence numbers ensure they must be processed in order.

The TLS handshake, while essential, adds latency to every new connection. For returning clients, TLS provides resumption mechanisms that dramatically reduce handshake overhead.

TLS 1.3 Session Tickets:

After a successful handshake, the server can issue a session ticket—an encrypted blob containing the session state:

Server --> Client: NewSessionTicket {
    ticket_lifetime: 86400 (24 hours)
    ticket_age_add: (random obfuscation value)
    ticket_nonce: (unique per ticket)
    ticket: (encrypted session state)
    extensions: {
        early_data: 16384 (max 0-RTT data size)
    }
}

The ticket is encrypted with a key only the server knows. The client stores it and presents it on future connections.

Resumption Handshake (1-RTT, but faster):

When resuming with a session ticket:

1. Client includes ticket in ClientHello (pre_shared_key extension)
2. Server validates ticket, recovers session state
3. Both derive keys from PSK (Pre-Shared Key) combined with new ECDHE
4. Handshake completes as normal, but server skips certificate chain

0-RTT (Zero Round Trip Time) Resumption:

For ultimate performance, TLS 1.3 supports 0-RTT where the client sends encrypted application data in the very first flight, alongside the ClientHello:

Client --> Server:
    ClientHello (with PSK)
    + Early Data (encrypted HTTP request using PSK-derived keys)

The server can process the early data immediately, responding even before the handshake completes. This is transformative for latency-sensitive applications.

0-RTT Security Considerations:

⚠️ 0-RTT data is NOT replay-protected at the TLS level.

An attacker who captures 0-RTT data can replay it to the server. This means:

Application-Layer Replay Protection:

For applications that want to use 0-RTT safely for modifying requests:

1. Client includes unique token in request:
   POST /api/transfer
   X-Request-ID: 550e8400-e29b-41d4-a716-446655440000
   
2. Server checks if token was already processed:
   - If new: process request, store token with TTL
   - If duplicate: reject as replay
   
3. Token storage requirements:
   - Store tokens for at least the 0-RTT ticket lifetime
   - Distributed systems need shared replay cache

Server Configuration for 0-RTT:

Servers can control 0-RTT behavior:

# Nginx TLS 1.3 early data configuration
ssl_early_data on;

# Proxy must forward early data indicator
proxy_set_header Early-Data $ssl_early_data;

The backend can then check the Early-Data header and reject dangerous operations.

Each HTTP version integrates with TLS differently, with increasingly tight coupling as the protocol evolves.

HTTP/1.1 Over TLS:

The simplest integration—HTTP/1.1 is transmitted as text inside TLS records:

TCP Connection
  └── TLS Session
        └── HTTP/1.1 Messages (plaintext from HTTP's perspective)
              "GET /index.html HTTP/1.1\r\n"
              "Host: example.com\r\n"
              "\r\n"

HTTP/1.1 is completely unaware of TLS. The HTTP messages are passed to TLS for encryption before TCP transmission.

Limitation: Each HTTP/1.1 request-response must complete before the next can begin (head-of-line blocking at HTTP layer).

HTTP/2 Over TLS:

HTTP/2 adds binary framing and multiplexing, but runs over TLS identically:

TCP Connection
  └── TLS Session
        └── HTTP/2 Frames (binary encoded)
              ├── Stream 1: Request A
              ├── Stream 3: Request B  (frames interleaved)
              └── Stream 5: Request C

ALPN Negotiation: HTTP/2 requires TLS (there's no unencrypted HTTP/2). The protocol is negotiated via the ALPN (Application-Layer Protocol Negotiation) extension during the TLS handshake:

ClientHello:
  Extensions:
    application_layer_protocol_negotiation:
      - h2 (HTTP/2)
      - http/1.1 (fallback)

ServerHello:
  Extensions:
    application_layer_protocol_negotiation:
      - h2 (selected)

Both parties know to use HTTP/2 framing immediately after handshake completion.

Limitation: TCP head-of-line blocking—if one packet is lost, all HTTP/2 streams must wait for retransmission.

HTTP/3 Over QUIC (TLS Integrated):

HTTP/3 takes integration further by building TLS directly into the transport:

QUIC Connection (over UDP)
  └── TLS 1.3 integrated into QUIC handshake
        └── QUIC Streams
              ├── Stream 0: HTTP/3 control
              ├── Stream 4: Request A
              ├── Stream 8: Request B
              └── Stream 12: Request C

In QUIC:

• TLS handshake messages are carried in special QUIC frames
• Encryption is applied at the QUIC packet level
• Each stream is independently loss-recovered
• Connection migration works because QUIC identifies connections by ID, not IP:Port

The benefit: No TCP head-of-line blocking. Lost packets only affect their specific stream.

A persistent myth suggests that HTTPS significantly slows down websites. While TLS does add computational overhead, modern optimizations have made this overhead negligible for the vast majority of deployments.

Actual Performance Impact:

Hardware Acceleration:

Modern CPUs include dedicated instructions for cryptographic operations:

• AES-NI: Hardware AES encryption/decryption (~10x faster than software)
• CLMUL: Hardware polynomial multiplication for GCM mode
• SHA-NI: Hardware SHA-256/SHA-512

With AES-NI, a single CPU core can encrypt/decrypt at rates exceeding 10 Gbps—far faster than typical network bandwidth. TLS encryption is no longer a meaningful bottleneck.

Measurement Example:

# OpenSSL speed test on modern CPU with AES-NI
$ openssl speed -evp aes-128-gcm

aes-128-gcm     16384 bytes    5892738.92k
                              (~5.6 GB/s per core)

When HTTPS Can Impact Performance:

1. High Connection Churn: Applications opening many new connections suffer handshake overhead → Use connection pooling
2. Embedded/IoT Devices: Without hardware acceleration → Use ChaCha20-Poly1305
3. Very High Traffic Sites: At millions of handshakes/second, even microseconds add up → Use session resumption aggressively
4. Large Certificate Chains: Sending multiple certificates per handshake → Optimize certificate chains, use ECDSA certificates (smaller)

We've comprehensively explored how TLS integrates with HTTP to create HTTPS—the secure foundation of the modern web. Let's consolidate the critical concepts:

What's Next:

With TLS integration understood, the next page examines Certificate Validation—the mechanism by which clients verify server identity. We'll explore the certificate chain, trust anchors, validation algorithms, and what happens when validation fails.