My mum is incredibly tech savvy. I mean, it’s almost unreal of how she can troubleshoot and get things to work. Whether it’s something simple like steaming content or something complex as troubleshooting why her Android tablet wouldn’t cast to our Android TV. My sister tried really hard to get her to switch to Apple products but my mum’s a bit stubborn about her Android tech. She’s always like “nah, I am just more comfortable with the Android phone and tablet. It lets me do what I want”. Yes, that’s my mum, the woman who grew up without any technology. Anyway, she’s visiting me now and at some point, I had to explain why some websites have https in the url. In this post, I will talk about how to explain HTTPS to a non-technical person.

Background

Ever since my sister and I moved out of home my mum had no choice but to get technical. If asked, she would reply by saying “I love my children and I want to talk to them, so I have to learn how to use these things”. She has a typical hacker mindset i.e. if this doesn’t work, let’s try this, this or that. All her knowledge is a result of her experimenting with stuff and trying a bunch of hacks till something works.

I mean one of the best examples was how she could not get her 5 year old Android tablet to cast to my Sony Android smart TV. She asked me why it isn’t working, I was about to go to work so I had a quick look at it and I told her “nahh your tablet is too old, it wouldn’t work”. Once I got home in the evening I realised she had managed to get it to cast!!! I was like woah!!! How did you do that? She replied “I tried this in tablet settings…., then I tried this mode, that feature in the TV….” so on and so forth. I thought hmm so she used a brute force approach to get it to work i.e. she hacked or pursed this relentlessly till it worked.

Anyway, about me trying to explain HTTPS I maybe a native English speaker but she isn’t! Hence, I had to explain things to her using our language from India. Hence, in this post, I will try my best to translate it all to English.

Now to understand, HTTPS, I reckon it’s best we talk a little bit about HTTP first.

Internet (HTTP)

Ohh yes, the HTTP protocol 🙂 I have some fond memories of this learning about it in my networking class 10+ years ago. The bit about Tim Berners-Lee and his team at CERN, making magic happen…ahh all good stuff!

Anyway, I will briefly explain what HTTP is here without going into too much technical detail. HTTP, stands for HyperText Transfer Protocol. As MDN quotes, the HTTP protocol allows fetching resources on the web i.e. fetching of resources such as HTML documents. It’s the foundation of how data is exchanged on the web and it’s a client-server protocol.

Client-Server protocol?

Explain HTTPS: the metaphor

Let’s say, you want to participate in the annual baking competition in your town next month. However to do so, you need to obtain the mayor’s permission. So you decide to write a formal letter addressing the mayor, requesting his permission to participate in the competition. The mayor receives your letter, acknowledges it and responds to it with a written approval saying “yes you can participate”. The time of the year closer to the annual baking competition, the mayor receives and responds to thousands of letters. Hence, the volume of letters received combined with his other mayoral duties, he’s not going to remember who you are. So if you want to ask him anything else, he would assume someone new is asking him. However, you don’t care about that, your request was just a one-off anyway, your goal was to get written permission and you got it.

Slightly more technical

That in essence is how a client-server protocol works.Think of yourself as a client who’s making a request to server (Mayor) to get something. Now, if you want to look at certain recipes online, you would try to search for them using a search engine i.e. Google, Bing or Baidu. In this case, your web browser is a client and the search engine is the server. Once you type in the name of your recipe the browser sends a request to the search engine’s web server over the HTTP protocol. HTTP protocol is also stateless, so each request you make over HTTP, the server would think it’s a new request. (the stateless bit is not that relevant in this context but…)

To keep this post brief, I won’t talk about Sessions, Caches or Cookies so let’s move on to a secured connection i.e. HTTPS.

p.s. Think of, client-server communication over HTTP to be like Marlin talking to Dory in Finding Nemo. Remember, how Dory just forgets about stuff? 

Secured Connection i.e. HTTPS

The metaphor

At this point in our story, you have just obtained permission from the mayor to participate in the annual baking competition. This is not the first time you are participating in this competition. You have done so in the past, and on several occasions you came close but didn’t win. Despite your numerous attempts, your recipe was never as unique as you thought it would be. Now, that you have had the time to reflect you know why that maybe the case. Every year, you write your recipe on a piece of paper and send it with your son to the local shops to get ingredients. You assume that only the shop owners that the letter is targeted at would read it. Your son walks to the market leisurely openly waving your recipe around for anyone to see. It is at this time that your rivals may have managed to catch a glimpse of your recipe and steal it to make it their own. Hence, this year, you try a different approach, you approach the shops a week prior to the competition and give them a key to open a box. Now, 2 days prior to the competition, you put the recipe in a locked box and send it with your son. All your son has to do is carry that closed box to the shops where the owners have the key to open it. This way, your recipe is safe and no one can steal it by looking at it.

Slightly more technical

If you think about it, the way you protect your recipe is the way HTTPS protects internet traffic. When open a website using regular HTTP, your browser (client) looks up the IP address of the corresponding website, connects to it and sends data assuming it’s the right web server. You see the problem here? You have no way of knowing for sure, whether or not, it’s the right server. Also, the data is sent in clear text so anyone can eves-drop on it and see the data. Things like passwords, bank details etc are all at risk over HTTP.

HTTPS on the other hand is a secure connection. There are certificate authorities that issue certificates that can confirm the legitimacy of the website. So when your browser connects to a website via HTTPS, it first checks the security certificate and verifies it was issued by a legitimate certificate authority. Once it has confirmed the site’s legitimacy, it establishes a secure connection and starts exchanging data. The data is encrypted, so no one can steal it. Now, I know what you are thinking, certificate authorities can issue bad certificates sometimes and the system would break down. Yes, HTTPS isn’t perfect but it’s still heaps better then using HTTP.

Summary

To summarise, you are the client and the mayor is the server when you want permission to participate in the annual baking competition. Similar to how the HTTP protocol works and how data is exchanged on the web. You sending your recipe to the shops, your son carrying it leisurely and waving it around is data transferred over HTTP in plain text. Your rivals stealing your recipe information by taking a peek at it is eves-dropping or a packet sniffing attack. Lastly, securing your recipe in a locked container is how HTTPS secures data when exchanging it over the internet.

Phew!!!! My aim was to make this as non-technical as I possibly can, therefore I didn’t go into details like the OSI network layers etc. I tried my best to convert it all to English but some context may have been lost in translation. Should you feel that I could have done a better job explaining, please let me know? I would love to know how I can make my writing more understandable.

All in all, one thing is for certain, my mum is AWESOME, way way too awesome 😊