Amazing, invisible work that goes on when you click an HTTPS link

Jeff Moser has a clear, fascinating enumeration of all the incredible math stuff that happens between a server and your browser when you click on an HTTPS link and open a secure connection to a remote end. It's one of the most important (and least understood) parts of the technical functioning of the Internet.

People sometimes wonder if math has any relevance to programming. Certificates give a very practical example of applied math. Amazon's certificate tells us that we should use the RSA algorithm to check the signature. RSA was created in the 1970's by MIT professors Ron *R*ivest, Adi *S*hamir, and Len *A*dleman who found a clever way to combine ideas spanning 2000 years of math development to come up with a beautifully simple algorithm:

You pick two huge prime numbers "p" and "q." Multiply them to get "n = p*q." Next, you pick a small public exponent "e" which is the "encryption exponent" and a specially crafted inverse of "e" called "d" as the "decryption exponent." You then make "n" and "e" public and keep "d" as secret as you possibly can and then throw away "p" and "q" (or keep them as secret as "d"). It's really important to remember that "e" and "d" are inverses of each other.

Now, if you have some message, you just need to interpret its bytes as a number "M." If you want to "encrypt" a message to create a "ciphertext", you'd calculate:

C ≡ M^e (mod n)

This means that you multiply "M" by itself "e" times. The "mod n" means that we only take the remainder (e.g. "modulus") when dividing by "n." For example, 11 AM + 3 hours ≡ 2 (PM) (mod 12 hours). The recipient knows "d" which allows them to invert the message to recover the original message:

C^d ≡ (M^e)^d ≡ M^(e*d) ≡ M^1 ≡ M (mod n)

The First Few Milliseconds of an HTTPS Connection (via O'Reilly Radar)
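
The arithmetic in the quoted passage, worked through as an added Python example (not code from Jeff Moser's article or from this post). The primes 61 and 53, the exponent 17 and the one-byte message are constructed toy values, and the sign/verify pair leaves out the hashing and padding that real certificate signatures use.

```python
from math import gcd


def make_keypair(p, q, e):
    """Return ((n, e), d) from two primes and a public exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)      # count of integers below n coprime to n
    if gcd(e, phi) != 1:
        raise ValueError("e has no inverse modulo (p-1)*(q-1)")
    d = pow(e, -1, phi)          # "inverse" means e*d ≡ 1 (mod phi)
    return (n, e), d


def encrypt(m, public):
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message number must be smaller than n")
    return pow(m, e, n)          # C ≡ M^e (mod n)


def decrypt(c, public, d):
    n, _ = public
    return pow(c, d, n)          # C^d ≡ M^(e*d) ≡ M (mod n)


def sign(digest, public, d):
    n, _ = public
    return pow(digest, d, n)     # only the holder of d can produce this


def verify(digest, signature, public):
    n, e = public
    # Anyone with the public (n, e) can undo the signature and compare.
    return pow(signature, e, n) == digest % n


if __name__ == "__main__":
    public, d = make_keypair(61, 53, 17)     # constructed toy primes
    m = int.from_bytes(b"A", "big")          # message bytes as a number: 65
    c = encrypt(m, public)
    print("public:", public, "private d:", d)
    print("ciphertext:", c, "decrypted:", decrypt(c, public, d))
    sig = sign(m, public, d)
    print("signature ok:", verify(m, sig, public))
    print("tampered ok:", verify(m + 1, sig, public))
```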


  1. ArtOfTheProblem have an excellent video showing how the Diffie-Hellman key exchange works using colors rather than numbers. The key exchange is the cornerstone of public key cryptography and it’s a fantastically elegant solution to the problem of figuring out how to share a secret when somebody may be listening in. Check it out at:

  2. The first few milliseconds here are preceded by considerably more time spent tearing one’s hair out dealing with SSL certificates and their inherent ability to piss you off on SOOO many levels.

  3. The Host: header is what the web server (e.g., Apache) uses to allow multiple web sites on the same IP address. But, it’s of no use during the SSL/TLS setup since it isn’t sent or seen until after all that is done.

    SSL/TLS uses the CommonName and AltName attributes of the server certificate to inform the client (e.g., FireFox) which names are allowed. If you typed into FireFox and ended up at someone else’s web server — say, due to DNS cache poisoning or a forgotten /etc/hosts override — and that server didn’t have a forged server cert, FireFox would not find or * in the server certificate offered and the connection would end immediately to prevent man-in-the-middle attacks. FireFox would pop up a warning dialog wherein you could tell it to proceed anyway, if you aren’t intimidated by the scary warnings it displays.
