How specifically does HTTPS protect the security of data transmission? We will address some common concerns by answering the following questions.
1. How can users be sure that the website is legitimate?
A legitimate website will have a certificate, issued by a certificate authority (CA). For each link, the site will send this certificate to the client to prove its legitimacy.
2. How can users ensure confidentiality of the data transmitted between the website and users?
After verification, the website will negotiate the encryption with the user. And this process is automatically conducted between the site and the browser, which will together determine the cipher suite (including the encryption algorithm and the message authentication code algorithm, etc.) and the SSL/TLS protocol version. After that, the data transmitted between the site and users will be encrypted based on the concerted algorithm.
3. How can users ensure the integrity of the data transmitted between the website and the users?
A cryptographic “Message Authentication Code Algorithm” can be applied to make sure that your data has not been tampered with. This algorithm can transform data of arbitrary size to data of fixed size, and even when there is a one bit of change to the input data, the transformed data is completely different. These characteristics go far to ensure the integrity of the data.
If an organization wants to have a secure website that uses HTTPS, it needs to obtain a site, or host certificate.
What are legitimate certificates?
To put it simply, anyone who needs this certificate is required to apply for it from legitimate certificate authorities, and the process involves distribution of private keys.
If the website you visit doesn’t have a legitimate certificate, the browser will display a prompt with a message such as：