HTTPS, SSL, TLS & Certificate Authority Explained

asymmetric encryption, so let's go ahead and go over this in quite a bit of detail. The encryption I just described is known as symmetric encryption, not asymmetric encryption. And now that? It's symmetric encryption, well symmetric encryption is when you can perform both encryption and decryption with exactly the same key and that's exactly what we did. We use this key and some encryption algorithm to encrypt this data and then we use the exact same key. and exactly the same encryption algorithm to decrypt this data. This is not true for asymmetric encryption, so with asymmetric encryption we have two different keys, a public key and a private key, now we can use one of those keys for encryption, so let's say I use this public key for encryption and now I have encrypted my data.

Now let's say I want to decrypt the The data is fine. I can't use the same key that I used to encrypt. I can only use the other key, the private key, to decrypt, so if I want to decrypt my data, I would have to use the other key. Now the same thing happens. so if I used the private key to encrypt, I can't use the private key to decrypt. You would have to use the other key, the public key, and that is known as asymmetric encryption. You can use one key to encrypt or decrypt and then you would use the other key to encrypt or decrypt depending on what you did with the first key, so let's see how we can use asymmetric encryption to send data between two different machines over the network safely, so again we have our machine here. it contains our confidential information it contains our email it contains our password and then there is this server to which we want to send that data now this server will have a public key and a private key the public key as you can imagine is public it is accessible to anyone in the world, However, the private key is only accessible to the server, so only the server knows what the private key is.

So what I want to do now is to send some data to this server, what is the process? First of all, I'm not going to send the data directly, I'm just going to go ahead and say, hey, I want to send you some data, the server will recognize it and send me its public key now if it were. over here reading exactly what this value was and I got access to this public key, who cares, it's public. I can go ahead and Google it and find out exactly what it is again, it's accessible to everyone in the world, so now, well, this computer, my machine. you have the public key and you also have the key that you want to do the symmetric encryption with but now of course we can't just send this over the network because then I can access it, but what I can do is take this public key that the server sent back to me and encrypt this symmetric key so that I can encrypt it from time to time, what I can do is send that encrypted symmetric key to the server and if I was in the way, I would have access to it. well I can't decrypt it because remember the encryption will be done with the public key but I can't decrypt it with this public key.

I would have to decrypt it with the private key, who has access to the private key, not me just the server, so again can I? If I don't do anything about it, I can still access this value, but I can't decrypt it. I may have access to this value here as well as the public key, but again, I can't decrypt with the public key. I can only decrypt with the public key. private key that only the server has access to, so now the server will have access to this encrypted symmetric key and also has access to the private key.

Well, now you have decrypted this key and now both the server here and both. My machine and the server have this symmetric key that they can use to transfer data securely. Now this looks cool. Is this

https

? Is this the entire process? Well, unfortunately no, this is much better, but it has its security. fails, let's try to understand exactly what that is, let's go over this scenario again. I have some data that I want to send to this server, so what do I do? First I tell the server, hey, I want to send you some data now.

Being the malicious person that I am instead of listening, what I can do is intercept this request, so instead of sending it to the server, you send it to me and over the public network, this is 100% possible. This is known as man in the middle attack now I have my own public key and my own private key and what I do is I send you my public key so I send this machine my public key now this machine thinks that this public key is from server, so it made a request, I intercepted it, I responded with a public key, so it doesn't know it was intercepted.

This machine has no idea right now and thinks the public key is from this server, so what does it do right? your symmetric key encrypts it with this public key and then tries to send it back to the server. Now being the malicious person that I am, I intercept it again, so now I have the encrypted symmetric key which of course I can decrypt with my private key. key, now I have your symmetric key. Of course, it thinks that only the server has its symmetric key, so it will go ahead and start sending the sensitive information that is encrypted with this symmetric key.

I can go ahead again and see this data. relatively easy, but now what I can do is decrypt it because I have the symmetric key, so there's the problem, so what should we do right now? What we must do is make absolutely sure. that the public key comes from the server and not from another random person, how do we do it? This is the solution to the final boss. I promise you this is how

https

works. We do this with

certificate

authorities, so let's go over

certificate

authorities in a moment. in more detail now, so let's look at the exact same scenario, but this time with a certificate

authority

, so we have our machine that contains the data, we have the server that we want to send the data to, but now we also have a certification.

Ask well, what is a certification

authority

? A certification authority is a third-party entity that is trusted by the browser, so Chrome trusts Firefox, it trusts Safari, and it trusts whatever browser you're using to become a certification authority. You have to go through a pretty rigorous process and there aren't many reliable certifying authorities. If you look for a list of trusted certificate authorities you will only get around 12, so these are third party entities that are trusted by our browser, there is digest, there is let encrypt, there is cyber trust and then there is the kodo group and of course , there are others out there, okay, so let's go over the exact same scenario, but this time with the certificate authority.

Now I want to keep one thing in mind. is that just as the server has a public key that is accessible to the world and a private key that only it can access, the certification authority also has a public key that is accessible to the world. I can easily Google what is public. The key is from a certain Certification Authority, but I don't know what the private key is. The private key is very specific only to the Certification Authority. Only the Certificate Authority knows the value of this private key. Now that we understand that I'm going to quickly apologize in advance.

There will be a lot of asymmetric encryption here. There will be quite a few keys. I'm going to try to do it as slowly as possible, but if you get confused, pause. Go back to the video and try to understand what is happening here. I'll try to do the best I can, so we have my data here that I want to send to the server. What I do? I do exactly the same. I'm like, hey, I want to send you some data now instead of the server sending me the public key. This is what the server does.

The server sends the public key to the Certification Authority. What the Certification Authority is going to do is create. a certificate and a certificate is very simply a text file that contains information and is grouped into three different parts, so let's look at that in a little more detail, so the first part will contain basic information about who we issued the certificate to, so eventually we will issue the certificate for this server and this server is facebook.com. Remember that this is the facebook.com server, so it will contain information about your domain and perhaps where this server is located. you live, maybe you live in Berlin for example, plus some other information that I decided not to add here and then it will also contain information about who issues the certification authority, so let's say the certification authority that we use Well, digest here will contain information about digest and maybe where the server lives, like Canada for example, as well as other information that I decided to leave out, so that's the first part of this certificate, the second part of this certificate is the public key of the server, so, what is the public key of the server?

Remember this is the server here and you sent the certification authority your public key, so what you're going to do is you're just going to take that public key and just put it inside the certificate directly, okay, that's good, now this is It's the third part here and this is where things get really important. What the Certification Authority is going to do now is take the public key of the server and it is going to encrypt it, encrypt it with the private key of the certification authority and now what we have is an encrypted server public key.

Okay, so let's go over this again so I have the public key and the private key of the certificate authority and again I can encrypt with the public key. key if I want or can encrypt with the private key, but if I decide to encrypt with the private key, only the public key can decrypt it, so I'll go ahead and encrypt this public server. key with this private key and now I have this server public key encrypted and that will contain all the information inside the certificate now this part here is known as the signature, this says that hey, this trusted certificate authority just signed this certificate with its key public or with this private key right here now one thing I want to quickly emphasize here is that we are not returning the private key itself, what we are doing is we are just returning the public key of the encrypted server which is encrypted with this private key of the certification authority.

Well, with that being said, what's going to happen now is that the certificate authority will send back this certificate that contains this information and then what's going to happen is that the server will send this certificate to our machine, so it will send it to our machine . Now this is what our machine will do to 100% validate that the server's public key actually arrives. from our server and not from some malicious user, it will take this certificate, so now it has this information and what it is going to do is take a look at who issued this certificate, so in this case it is digest, so it will say Hi diger, I want your public key, give it to me, so let's go ahead and grab this public key from diger and then this is what we're going to do, now that we have the public key from diger, we have the server. public key, so what is this key?

Or let's go back, what is this key here, so we have that and we also have the server's encrypted public key that was encrypted by the certificate authority's private key again. I want to emphasize that these two, the private key is not sent within the certificate itself, only the encrypted server, public key is sent. I just wanted to show you how it was created, so now our machine has all this information, so what can we do? do now because we have the public key of the certification authority and we have the public key of the encrypted server, what we can do is decrypt this, we can decrypt this signature, so I'm going to go ahead and decrypt this signature and that will give us the key public key of the server decrypted and now to validate 100% that the public key of the server really comes from facebook.com, what I would do is simply check if the public key of the server decrypted is equal to the public key of the server here, if that Yes is so, then I know that this is in fact the public key of the server and what I can do is follow the exact same process that I highlighted before to form that symmetric key and then we can form that encryption. secure session between my machine and the server, the last thing I want to talk about is the chain of trust, so as I said in a previous slide, there are now only a few trusted certificate authorities listed, hopefully this is self-evident, but the private keys of these certificate authorities must be 100% protected if they are compromised, that is not good news, why is it not good news?

Well, there are billions of companies that depend on these certification authorities, for example hellofresh and combinator too. Like Discord, they are all billions of companies that rely on the Cyber ​​Trust Certification Authority to form secure connectionsbetween the users' machine and their servers. Now, of course, the Certification Authority has a public key and a private key. If this private key was ever compromised, think about how bad it will be for hellofresh and combinator and Discord, for example, let's talk about hellofresh, let's use that as an example, so hellofresh. I'm not sure if I'm familiar with this, it's actually the company I work for.

What they do is deliver food to you, so they will need information about you. They know your phone number. They will need your email. They will need your email. address, they will need your credit card information because of course they will charge you now if this private key was compromised and some user made a request to hellofresh, perhaps purchasing some kind of subscription and passing their credit card information or passing your email or any sensitive information, now there is a malicious user can intercept that data and decrypt it because they have the private key, which is not good news, so this is what they do to combat this.

We want the private key to be as far away from the Internet as possible, so what do we do instead? now we have an intermediate certificate authority. Cloud Flair is an intermediate certificate authority for cyber trust, so instead of hellofresh communicating with the certificate authority, it communicates with the intermediate certificate authority and goes through the exact same process we just described. and then the intermediate certificate authority reaches out to this cyber trust, which is the actual trusted certificate authority, and goes through the exact same process, so we end up with a certificate chain. The C certificate chain will look like this. so we're going to have our server certificate and the owner information, for example, it's going to be hellofresh.com Berlin and whenever and what we want to do is validate this signature, so what are we going to do right?

What we're going to do is look at the issuer information and the issuer information is not going to be the Trusted Certification Authority, it's going to be the Intermediate Certification Authority, so this is going to be Cloud Flare, so what we're going to do. What we are going to do is ask for the Cloud Flare public key and we will access it. Then, using the public key, we will validate the signature and go through the exact same process as We have gone through this, but now what we need to do is validate. Hey, this intermediate certificate authority is even trusted, so now we have to validate the signature of the significant intermediate authority, so we take a look at the issuer. here and the issuer turns out to be Cyber ​​Trust which is in fact a trusted certification authority, we take their public key, do this decryption process and validate, then this is actually valid, but now the last thing we need to do is it is necessary validate the trusted certification authority.

This is known as a root CER certificate, so we need to validate this signature here. What's unique about this signature is that it's self-signed, so if you would take a look here. the signature is signed by this intermediate certificate authority using this private key and this signature here is signed by this private key while this signature, because it is a trusted certificate authority, it will be self-signed by its own private key and if yes really If you take a look at the issuer information and the owner information, they will be exactly the same, which shows that they are in fact self-signed, whereas here, of course, it will be different in this case. the owner information will be hellofresh the issuer will be Cloud flare here the owner will be Cloud flare the issuer will be Cyber ​​Trust but in this case the owner and issuer are both Cyber ​​Trust, so we have a self-signed certificate but, still so this is a certificate authority that we trust 100%, we're just going to take the public key and we're going to go ahead and validate the signature and only once we validate all three certificates.

Are we going to get a secure connection so there's https S, which means secure in a nutshell? Well, actually it wasn't in a nutshell. This was a relatively long video, but I hope you appreciated it. The last thing I want to do is I just want to scan these certificates in the browser, so let's go ahead and do that quickly. Here I am on the Hellofresh website. Can we take a minute to appreciate how good this looks? Are the ads I work for okay? Hi, as a software engineer, I get paid, but I'm not paid to advertise your video, so I'm not sure if it's sponsored or not, but I'll keep that disclaimer anyway. ads what I want to do is go ahead and copy the URL and I'm just going to paste it into Google and you can see that hellofresh is using https so that it has a secure connection and we can actually see that this connection is secure because right next to the domain this can be a little small for you.

Unfortunately, I can't zoom in here, but there's this lock icon and if I were to click on it, you can see here that it says the connection is secure. Now what we can do is get more information about this secure connection. I can go ahead here and click on this and it says here. The certificate is valid. I'll try to expand it. No, unfortunately it doesn't work. It says here that the certificate is valid, so now I can go ahead and click on it and it will give me more information about the certificate itself, so this may be too small for you, but I suggest you try this on your own browser here.

You can see issued to, so this is issued to hellofresh.com, the organization that is actually doing the issuance is Cloud Flare, as I showed you, it was issued on Friday, April 7th and then here, each certificate always has an expiration date , so this one will expire on April 7, 2024. Okay, if I were to click on the details, now we can see that trust chain, so we have here hellofresh.com, which will be the server certificate and then here this one. it's going to be the intermediate certificate and then here we have the root certificate and we can get a bunch of information on this so here again we can get the public key information from the subject so if you want the public key that's there the key public and that is the public key for the hellofresh certificate if we wanted the algorithm for its public key we can get that information if we wanted to find out who issues it okay Cloud flare is the one that issues it uh and now if If you were to go here and click on Cloud Flare , I can get the exact same information, so who is issuing the certificate for Cloud Flare?

Okay, now the Baltimore cyber trust route, that's the issuer. I can also get your public key right here, this is the public key again, the public key is accessible to anyone and lastly, I can go to the root certificate authority. I want you to guess who you think the sender will be. The issuer will be very simply Baltimore C Cyber. Trust because this will be a self-signed certificate so we can always see this information on any secure website we want, so I think that concludes everything you need to know about uh uh https and how to form secure connections.

It took me quite a while to not only film but also understand, so I hope you appreciate it. Like or dislike this video if you absolutely hated my explanation. I don't care, just go ahead and use this information.