NetworkHTTPS = HTTP + TLS (Transport Layer Security). TLS handshake (TLS 1.3) gồm:
- Client gửi ClientHello với danh sách cipher suites và key shares
- Server chọn cipher, gửi ServerHello + certificate + Finished
- Client verify certificate qua Certificate Authority chain, tính session key, gửi Finished. Sau đó dữ liệu được mã hóa đối xứng (AES-GCM) bằng session key — asymmetric crypto chỉ dùng trong handshake. TLS 1.3 giảm từ 2-RTT (TLS 1.2) xuống 1-RTT, thậm chí 0-RTT cho resumed sessions. Certificate pinning là kỹ thuật hardcode expected certificate trong app để chống MITM attack
Lập trình viên nên biết: expired SSL cert gây 526/525 error; Let's Encrypt cung cấp free cert tự động gia hạn; HSTS header buộc browser dùng HTTPS.
HTTPS = HTTP + TLS (Transport Layer Security). The TLS 1.3 handshake works as follows:
- the client sends a ClientHello with supported cipher suites and key shares
- the server selects a cipher and responds with ServerHello + certificate + Finished
- the client verifies the certificate through the Certificate Authority chain, derives the session key, and sends Finished. All subsequent data is encrypted symmetrically (AES-GCM) using the session key — asymmetric cryptography is only used during the handshake. TLS 1.3 reduced the handshake from 2-RTT (TLS 1.2) to 1-RTT, and even supports 0-RTT for resumed sessions. Certificate pinning is a technique where the expected certificate is hardcoded in the app to defend against MITM attacks
Developers should know: an expired SSL cert causes 526/525 errors; Let's Encrypt provides free, auto-renewing certificates; the HSTS header forces browsers to always use HTTPS.