Security Check by Chris (Rain) Avila Mar 12, 2018 Secure Web Browsing - How Does Transport Layer Security (TLS) Work? Secure web browsing is a fairly boring subject as it’s something the average person never will have to deal with or encounter in their lives. Websites will automatically redirect you to their secure pages if you try to browse insecurely and, if all is well, will automatically establish said secure connection. But how is it that when I go to http://somesite it is insecure, but https://somesite automatically means I’m protected? What’s the difference? While I won’t be going into the entire chain of trust, the fundamental concept behind this process is key exchange or just public/private key cryptography. Public Key exchange, or asymmetrical cryptography, at a basic level can be most simply understood as a pair of keys that unlock each other (public and private). This type of cryptography makes it possible to secure communications by encrypting data in such a way that data cannot be decrypted by the key used to encrypt it. The only way to decrypt the data is to know the server’s private key, which only the owner of the domain you’re visiting will (should) have access to. When communicating with a website over https (ex: https://www.jungledisk.com), you will initially try to connect to the website via your browser and the website will send back their public key along with their certificate. Your computer validates whether or not the certificate is trustworthy based on the trust chain, to make sure every certificate in the chain was used to sign the preceding certificate up to the root trusted certificate in your computers certificate store. Once validating you are who you say you are, your browser will use the public key to encrypt a ITS request (“Give me the main page of the site” for instance). The message your browser sent can only be decrypted with the servers private key, so even if someone is ‘eavesdropping’ on the conversation at this point, the data is useless without the private key. Once the server receives the request, the data is decrypted using the servers private key so that it can read the request, “give me the main page of the site,” and then send the request back to your visitor. This happens many times during your visit to any given (https) website. Hope you learned a little more about the behind the scenes data encryption and security work that goes into everyday web browsing. Reach out to the Jungle Disk team if you have any questions.