Have you ever wondered what those http:// or https:// prefixes in a URL mean? You’ve probably heard or figured out that the ‘s’ in “https” stands for “secure”, but what does it do differently to secure your connection? What is it protecting you from?
HTTPS primarily protects you from two things: pretenders and eavesdroppers. This blog post will talk about pretenders, and there will be a part two on how https protects you from eavesdroppers.
HTTP — Stranger Danger
Let’s say your public school education failed you (holla at my fellow public school kids), and you need to get up to speed about who Abraham Lincoln is (something about a War on Civility?). So you turn to the Internet, that nebulous, paradoxical entity of misinformed information.
You now attempt to initiate contact with Wikipedia, but you don’t know which one is Wikipedia, so you’ll just have to shout your request into the crowd.
Hopefully, the actual Wikipedia would respond and give you the information you requested.
But what if, God forbid, another website came in and pretended to be Wikipedia? Since you’ve never actually met Wikipedia, there’s nothing you can do but take their word for it!
Moral of the story: don’t trust anyone on the internet, kids.
HTTPS feat. Tom Hanks
Of course, the Internet can be a helpful thing. It would be a shame if we avoided the entire Internet because of some imposters. Instead, let’s try to build up a system that would prevent websites from pretending to be each other and spreading even more misinformation on the Internet.
The crux of the issue is that you can’t recognize Wikipedia; but what if someone that you trusted can recognize Wikipedia for you? Let’s say you ask Tom Hanks to help you recognize Wikipedia — after all, Tom Hanks knows anyone who’s anyone, and you can trust that he won’t deceive you (it is Tom Hanks; who doesn’t trust him?).
Of course, Tom Hanks doesn’t have the time to identify websites for you all day; that man has better things to do with his life. So he’ll give a certificate to Wikipedia and when Wikipedia greets you, they can give you the Tom Hanks-signed certificate of approval.
This certificate has all of the top-grade security features (holographic watermark, invisible ink visible under UV light), and is not editable. So you can trust that the signature is the true signature of Wikipedia and not edited to be anyone else’s signature. But duplicating the entire certificate isn’t a problem, so it’s easy for the pretender to get a copy of the certificate and present it for themself!
To prevent this possibility, we’ll come up with a random value and ask the website to sign it. If it’s Wikipedia, then the signature should match the one on the certificate signed by Tom Hanks.
Now, the pretender is foiled because its signature-forging skills are woefully inadequate.
However, we must be sure to change the verification word each time, because the pretender could always copy the ‘banana’ certificate and give it back to you. This is known as a “replay attack”.
Now, we have a process by which we can make sure that we are, indeed, talking to the correct Wikipedia! Furthermore, this process can be extended to other websites: Tom Hanks can simply provide certificates to all valid websites, but not to anyone pretending to be another website. This process is also scalable. If Tom Hanks doesn’t want to sign every website’s certificate, he can sign certificates for delegators and they can sign website certificates too! You would just need to trace the signatures back to Tom Hanks (this is known as a “chain of trust”):
But we haven’t yet allowed for communication with Wikipedia to be private and encrypted; everything so far has been communicated plainly and in the open. Tune back later to learn how we can build upon this system to make it impossible for anyone to figure out what you and Wikipedia are saying to each other!