In a previous chapter, we studied HTTP. We noted how important it has been in making our lives easier. However, HTTP is vulnerable to a range of attacks that might result in leaking the payload. Thus, it was necessary to add some form of security between parties using HTTP to communicate. RFC 2818 proposed HTTPS (HTTP Secure) as a version of HTTP that uses a secure streaming protocol underneath. Initially, this was Secure Socket Layer (SSL), and later evolved into Transport Layer Security (TLS).
The basic scheme of things goes like this:
- The Client and Server establish a TCP connection.
- The Client and Server agree upon a cipher and hash function to use throughout the connection. For this, the client sends a list of ciphers and hash functions. The Server picks one from that list and lets the Client know.
- The Server sends a certificate to the Client. The Client...