SSL, TLS, HTTPS, SSH
SSL was made by Netscape in 1985 and after many browser wars between Netscape & Microsoft, Netscape gave SSL 3 to IETF (Internet Engineering Task Force). IETF in 1999 released TLS 1.0 which was nothing but SSL 3.1. It took some time and many bugs and by 2013 did the browsers actually catch up with TLS (Transport Layer Security). So, SSL & TLS are interchangeable terms because of the 1999 confusion.
Is HTTP/SSH in Transport Layer (OSI Model)?
No, HTTP & SSH work over TCP/IP from transport layer and both of them reside in application layer.
What is the difference between HTTPS & SSH?
Both are different application layer protocols with different use cases. HTTPS is used to securely transfer text over internet while SSH is used for secure shell authentication. Like for Mails, there is POP3, SMPT, etc. For chat, there are IRC, XMPP, etc. These all reside in Application layer but their use cases differ hence different protocol.
Is HTTPS = HTTP + TLS?
Yes. HTTPS protocol is http with TLS as a gateway in Transport Layer. A lot of other protocols (POP3) for going secure use TLS.
How is HTTPS Secured?
For that we need to understand TLS. HTTPS is nothing but HTTP with TLS. So what magic does TLS does which stops the network eavesdroppers and Man-in-the-middle attacks?
TLS is cryptographic protocol i.e it encrypts the data between sender and receiver and anyone without the key won’t make anything of the data.
Let’s understand how they end up sharing the common key without anyone in the middle knowing this key. We can use just one key which both the client and server has and no one has. But achieving this task is very difficult. So there came the concept of public and private keys (Public keys can only apply the lock while private keys cam only open the lock).
- Client sends Hello to the server saying which all cryptographic algos (cypher suite) it supports along with its public key.
- Server has it’s digital certificate & public key and it sends hello back to the client by locking these certificate and public key with the client’s public key with the desired TLS algo from the cipher suits. Now, only client can see this. Anyone in the middle has no idea what the text is.
- Client verifies the digital signature. If it’s correct, it encrypts a new Pre-Master key which both client & server will use for future encryption.
- Server decrypts the same with its Private key and now has Pre-Master key which it uses for further communications.
- They send a test message encrypted with this Pre Master Key to check if they can understand and voila, green lock appears on the address bar in browser.
That’s how TLS work.
SSL vs HTTPS on the basis of security?
Both use Cryptographic Protocols i.e data sent is crypted before sending. SSH has its own transport protocol independent from SSL, so that means SSH DOES NOT use SSL under the hood.