2024-07-04

Hypertext Transfer Protocol Secure (HTTPS) – What it means and how it works

Probably better known as "encryption" or "https://", this mechanism has been with us for over 30 years. Behind these letters is a procedure that transports data across the internet in a way that eavesdroppers cannot read. Here we explain exactly how it works and what the benefits are for consumers.


How does the HTTPS connection work?*

With HTTPS encryption, the web browser (client) and the server use a key that only the two of them know. To ensure that this key is visible to nobody but the client and the server, it is generated and transmitted in three steps:

  1. The server (e.g. a web store or a bank) sends the data for asymmetric encryption (its public key) to the client (web browser). Asymmetric means that this public key can be used to encrypt data, but not to decrypt it again. Attackers could record the public key, but for the time being cannot do anything with it.
  2. The client (web browser) generates a secret symmetric key, encrypts it with the data received from the web store (the public key) and sends the result back to the server. The server holds the information needed to undo the asymmetric encryption (its private key) and thus obtains the client's symmetric key. A symmetric key means that data can be both encrypted and decrypted with this one key.
  3. All subsequent communication between server and client is then encrypted only with the shared symmetric key.

Even if a "man-in-the-middle" sits between the two and tries to undo the encryption with the data they recorded (the public key and the encrypted symmetric key), this does not work: decrypting the symmetric key requires the server's private key, which never leaves the server.

*) using the RSA method as an example

To describe the whole thing more figuratively:

In the first step, an open padlock is sent from the web store to the client. The "man-in-the-middle" copies the padlock. When the client now transfers their personal data, they seal it with the padlock and send it back to the web store. If the attacker tries to open it, they "only" have a copy of the padlock, and a padlock cannot be used to open a padlock. The web store, however, has the one personal key that opens it.
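The three steps above, and the padlock analogy, as an added example that is not part of the VDE article: the server publishes only its public key, the client wraps a fresh symmetric key with it (RSA-OAEP), the server unwraps it with its private key, and AES-GCM protects everything that follows. The function names and the 2048-bit RSA / AES-256 parameters are assumptions made for this example; the article itself names only RSA.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Step 1: the server owns the key pair and hands out only the public half.
func serverKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// Step 2, client: a fresh 256-bit symmetric key wrapped with the server's public key (RSA-OAEP);
// the wrapped blob is all a man-in-the-middle can record on the wire.
func clientWrapKey(pub *rsa.PublicKey) (symKey, wrapped []byte, err error) {
	symKey = make([]byte, 32)
	if _, err = rand.Read(symKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, symKey, nil)
	return symKey, wrapped, err
}
// Step 2, server: only the private key unwraps it; a copied public key ("copied padlock") cannot.
func serverUnwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// Step 3: both sides derive an AES-256-GCM cipher from the shared symmetric key.
func sessionCipher(symKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(symKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal encrypts and authenticates one message; the random nonce is prepended to it.
func Seal(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}
// Open rejects any message whose nonce or ciphertext was altered in transit.
func Open(aead cipher.AEAD, msg []byte) ([]byte, error) {
	if len(msg) < aead.NonceSize() {
		return nil, errors.New("message too short")
	}
	return aead.Open(nil, msg[:aead.NonceSize()], msg[aead.NonceSize():], nil)
}
```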

How is the authenticity of the communication partner guaranteed?


When the web browser (client) communicates with the server (e.g. a web store or bank), both parties should be able to verify that they are talking to the right counterpart. Otherwise an attacker (man-in-the-middle) could step in and pose as the real communication partner towards the client.

The HTTPS connection is also responsible for preventing this. In addition to securing the data transmission, it takes care of verifying the communication partner. For this purpose, an independent certification authority (CA) checks that a server identity (its public key) really belongs to a legitimate entity and issues a digital certificate, which is signed with a key that only the CA possesses. Which CAs are trusted is stored in every web browser and is updated regularly.


Exclusion of liability/disclaimer

VDE Verband der Elektrotechnik Elektronik Informationstechnik e.V. and its affiliated companies (hereinafter each “VDE”) provide non-binding information on consumer protection topics. These publications are intended solely to raise general awareness of consumer protection in relation to electrotechnical products and issues. They expressly do not constitute professional or technical advice. The information is provided to the best of one's knowledge and belief without having evaluated the actual conditions at a specific location or of a specific product.

While VDE makes every reasonable effort to ensure that the information is correct and complete, it cannot assume liability nor any warranty (neither explicitly nor implicitly) for the correctness, completeness or topicality of the content of the information provided.

The information may only be applied with the understanding that VDE cannot be held liable for any direct or indirect damage or loss of any kind. The use of the information provided does not release the user from the responsibility for his/her own actions and is therefore at his/her own risk.

Product-/Model-specific manufacturer specifications must be observed.