How SSL, HTTPS and Certificates Works in Java web Applications

Basic knowledge of SSL, HTTPS, and Certificates is a must for any Java programmer, especially who is working in financial and security-sensitive applications, which are accessed over the internet. In this article, I am giving you an overview of these three key concepts and How SSL, HTTPS and certificates work together, to provide secure communication between client and server. Security is major concern while developing web applications, which is accessible using HTTP protocol. Since HTTP protocol transfer data in plain text format, its not safe for transferring sensitive information like username, password, social security number (SSN) or credit card details for online shopping.

The HTTP protocol, also doesn't guarantee that a website, you are communicating is the one who claims i.e. if URL redirection is enabled than instead of the genuine website you may be routed to malicious websites and HTTP can't prevent or alert you.

How SSL and HTTPS works

HTTPS and SSL address these two issues. HTTPS is HTTP over SSL and SSL stands for secure socket layer,  which provides both encryption and verification of websites. That's why almost all banks or commercial portals like travel or airline bookings, movie booking or online shopping portal uses https protocol. 

When data is transmitted using HTTPS protocol, they are encrypted before transmission from both client and server end, so anyone who can intercept or trap https traffic can see the data, but not in a meaningful format. 

By the way since request is encrypted and decrypted at both ends, this does increase response time on server but provides security against eavesdropping threat. 

SSL also facilitate verification of website by using certificates issued by third party issuer like VeriSign, godaddy, thwate etc. You might have looked at your browser’s address bar, when you access any site using https it say something verified by VeriSign or verified by thwate etc. 

You can also read SSL and TLS: Designing and Building Secure Systems by Eric Rescorla to understand How SSL works and how to build secure system using SSL.  

How SSL uses Certification for Identification

How this certification works?  when a client (browser) connect to Server using https, Server returns certificates issued by trusted third party issuer, if it’s Java application, it can access certs stored in its keystore and truststore, the browser also has those certificate in his trusted certificate store and validates any certificate presented by server against those. 

If a browser or any Java client, doesn't find those certificates, it can alert you by saying certificates not recognized and recommend you not to visit the site. You can also manually trust any website and ask the browser to include a certificate presented by server in its trusted certificate store. 

This is the case with development when Tomcat returns either self-signed or test certificates. For Java programmers,  JDK comes with a keytool command, which can be used to create self signed certs and store those in keystore and truststore for use.

That’s all on this rather quick overview of SSL, HTTPS and Certifications and How they work together. Purpose of this article was to give at least basic knowledge of how client server communication occurs in secure fashion. If you are developing secure applications in Java programming language, it’s good to have some knowledge of underlying fundamental concepts of SSL, HTTPS and Certificates.

Further Learning
Complete Java Masterclass
Java Fundamentals: The Java Language
Java In-Depth: Become a Complete Java Engineer!


thiru_k said...

useful article

Prem said...

Good basic explanation of SSL. Thanks Javin

raghavendra said...

Good explanation.

Unknown said...

Thanks Dude ...

Praveen said...

Very good introduction...

javin paul said...

@Praveen, thanks for reading this article.

Unknown said...

Thank you this article was easy to understand

Unknown said...

your explanation is amazing, very simple and understandable

Unknown said...

thank you for the article. Could you specify how to create a java client which will accept certificate if does not exist in its trust store.

Unknown said...

Nice explaination thanks :)

Post a Comment