What is TLS

TLS (Transport Layer Security) is a protocol that encrypts data in transit over the internet so that nobody except the client and the server can read it. It is best known from HTTPS, but it is not tied to HTTP: any application protocol can run over it, for example SMTP or RTMP.

What is certificate

A TLS certificate is a text file made up of one or more digitally signed blocks. Each block contains information such as the subject, the expiration date and a public key.

Why do we need TLS

Without TLS, everything transferred over the internet is plain text, readable by anyone along the path: the Wi-Fi network, the router, your ISP.

How TLS works

To solve this, we can use some kind of encryption (symmetric or asymmetric). Then nobody along the path can read the data unless they actually obtain the keys.

Now consider the communication process:

  1. the server generates a key pair.
  2. the server sends the server-public-key to the client in plain text.
  3. the client receives the server-public-key.
  4. the client generates a session key (a symmetric key).
  5. the client encrypts the session key with the server-public-key.
  6. the client sends it to the server.
  7. the server receives it.
  8. the server decrypts it and gets the session key.
  9. the server and the client can encrypt with the session key.
  10. the server and the client can decrypt with the session key.
  11. no one else can decrypt anything because they don't have the session key.

Two transfers have taken place:

  1. the server sends the server-public-key in plain text.
  2. the client sends the session key in encrypted form (only the server-private-key can decrypt it).
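The eleven steps above, as an added example in Go (standard library only) that is not part of the original post; the function and type names are my own. The client wraps a random session key with the server's RSA public key (RSA-OAEP), the server unwraps it with its private key, and both sides then protect every message with AES-256-GCM under that key, so a third party without the key can neither read nor silently modify them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// WrapSessionKey is the client side of steps 4-5: a random 256-bit session key, encrypted with the server's public key.
func WrapSessionKey(serverPub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32)
	rand.Read(sessionKey) // error ignored: crypto/rand.Read only fails if the OS entropy source is broken
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// UnwrapSessionKey is the server side of step 8: recover the session key with the private key.
func UnwrapSessionKey(serverPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, wrapped, nil)
}

// Session is one side's state after the handshake: AES-256-GCM keyed with the session key.
type Session struct{ gcm cipher.AEAD }

func NewSession(sessionKey []byte) (*Session, error) {
	block, err := aes.NewCipher(sessionKey) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return &Session{gcm}, err
}

// Seal encrypts and authenticates msg (steps 9-10); the random nonce is prepended for Open.
func (s *Session) Seal(msg []byte) []byte {
	nonce := make([]byte, s.gcm.NonceSize())
	rand.Read(nonce)
	return s.gcm.Seal(nonce, nonce, msg, nil)
}

// Open reverses Seal; it fails when the key is wrong or the ciphertext was tampered with.
func (s *Session) Open(box []byte) ([]byte, error) {
	if n := s.gcm.NonceSize(); len(box) >= n {
		return s.gcm.Open(nil, box[:n], box[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}
```

A session opened with a different key, or a ciphertext with a single flipped bit, is rejected by Open rather than yielding garbage.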

The only remaining problem is how we can be sure the server-public-key is genuine. We ask the server for its server-public-key, but someone in the middle could hand the client a fake one that he generated himself and whose private key he holds. He can then read everything the client sends, because he has that private key.

TLS prevents this with digital signatures and a chain of trust. When I want to apply for a TLS certificate, I go to an authority that is authorized by the local government, which means I trust that authority. The authority then verifies my identity to make sure I actually own the domain name: it generates a random string and a file name, I put the random string in a text file with that name in my domain's root directory, and the authority requests http://mydomain.name/thefile and checks that the random string matches. Now the authority knows I am the owner of this domain.

Then the authority generates a pair of keys. It puts the domain name, the expiration date and the newly generated public key together and encrypts them with the authority's private key (this process is called a digital signature). The authority gives me the signed file, also called the certificate file, and the newly generated private key, which I need to store for later use.

Now I have two files: a digitally signed certificate file containing the domain name, the expiration date and a public key, and a private key file.

Now, to solve the earlier problem, the client no longer asks the server for a bare server-public-key. Instead it asks the server for the certificate file. The client can decrypt this file with the authority's public key, since the file was signed with the authority's private key. The file contains the domain name, the expiration date and a public key.

That public key is the server-public-key we talked about earlier. The client can now continue the process: generate the session key and so on. It does not have to worry that the server-public-key is fake, because it was signed by a trusted authority.

This is the chain of trust. There are authorities around the world called root CAs, run by governments and official organizations we can trust. When someone wants a TLS certificate, they verify his identity and sign a file containing the real server-public-key.

These authorities can delegate this job to others by signing the other party's public key, which in turn can sign further keys, and so on. This is the trust chain, or certificate chain.
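The signing and chain verification described above, as an added Go example (standard library crypto/x509) that is not the post's own code; the names Root A, Intermediate B and the domain mydomain.name come from the post, the function names are mine. A root signs an intermediate, the intermediate signs the domain's certificate, and the client accepts that chain only because it ends at a root already in its trust store; a certificate for the same domain signed by an unknown root is rejected. It goes slightly beyond the text by also checking that the certificate was issued for the host being contacted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Issue signs a certificate for name with the parent CA's private key; a nil parent means a self-signed root.
func Issue(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, // only a CA certificate may sign further certificates
	}
	if !isCA {
		tmpl.DNSNames = []string{name} // the domain whose ownership the CA checked
	}
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // the subject's own key pair
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // the signature step
	cert, _ := x509.ParseCertificate(der)                                      // demo: errors ignored
	return cert, key
}

// VerifyChain is the client's check: leaf -> intermediates -> a root already in its trust store, plus the host name.
func VerifyChain(leaf, root *x509.Certificate, host string, inters ...*x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), DNSName: host}
	opts.Roots.AddCert(root)
	for _, c := range inters {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts) // checks every signature, validity period and the host name
	return err
}

// Demo: A signs B, B signs mydomain.name (accepted); a leaf for the same domain from an untrusted root is rejected.
func Demo() (realErr, fakeErr error) {
	a, aKey := Issue("Root A", true, nil, nil)
	b, bKey := Issue("Intermediate B", true, a, aKey)
	leaf, _ := Issue("mydomain.name", false, b, bKey)
	evil, evilKey := Issue("Untrusted Root", true, nil, nil)
	fake, _ := Issue("mydomain.name", false, evil, evilKey)
	return VerifyChain(leaf, a, "mydomain.name", b), VerifyChain(fake, a, "mydomain.name")
}
```

Demo returns nil for the genuine chain and a non-nil "unknown authority" error for the forged one; only root A is in the trust store, the server must supply B itself.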

The public keys of these authorities are stored on the computer when the OS is installed. We can actually find and modify that store. That is how network proxies like Fiddler work.

A normal network proxy can only forward packets in and out; it has no way to know what is inside them, since they are encrypted with the session key. A proxy like Fiddler, however, requires a custom certificate to be installed. Since you now trust this 'Fiddler authority', it can sign a fake certificate file containing a fake public key whose private key Fiddler knows. Everything transferred through the proxy is then wide open, because the proxy has the private key.

So as long as you never install a creepy certificate file on your computer and never disable TLS validation in software, there is no way for someone to know what you are sending and receiving.

Some facts:

  1. the session key is not generated by the client alone; it incorporates random values from both the server and the client.
  2. a certificate file contains the entire chain: A signed B, B signed C, C signed your domain. The certificate file contains all of these signatures.
  3. there are some extra steps, such as SYN and ACK.
  4. the internet is safe as long as you don't install unknown certificates or disable protections (software, programming languages and packages will refuse to proceed if TLS validation fails).