A brief HTTP crash course:
When people explain how a browser downloads a web page, they usually explain it this way:
- Your browser makes a GET request to a server.
- The server sends back a response: a few headers describing the content, followed by the HTML of the page.
This system is called HTTP.
But this picture is a little oversimplified. Your browser doesn't talk directly to the server, because the two are probably nowhere near each other.
The server could be thousands of miles away, and there's almost certainly no direct link between your computer and it.
So this request needs to get from the browser to that server, and it will go through multiple hands before it gets there. And the same is true for the response coming back from the server.
I think of this like kids passing notes to each other in class. On the outside, the note says who it's supposed to go to. The kid who wrote the note passes it to a neighbor. Then that kid passes it to one of their neighbors: probably not the eventual recipient, but someone who's in that direction.
The problem with this is that anyone along the path can open up the note and read it. And there's no way to know in advance which path the note is going to take, so there's no telling what kind of people will have access to it.
It could end up in the hands of people who do harmful things...
Like sharing the contents of the note with everyone.
Or changing the response.
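The two messages described above, as they actually travel on the wire, and what any hop along the path can read out of them. This is an added example, not code from the original article; the host name, path, headers and the sample response are all constructed for illustration.

```python
# Added example (not from the original article): plaintext HTTP/1.1 on the wire.
# Every value below is constructed for illustration.

def build_get_request(host: str, path: str = "/") -> bytes:
    """Serialize an HTTP/1.1 GET request as it travels on the wire.
    Lines end in CRLF; an empty line terminates the header block."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "User-Agent: example-client/1.0",   # constructed value
        "Connection: close",
        "",                                 # end of headers
        "",                                 # a GET carries no body
    ]
    return "\r\n".join(lines).encode("ascii")


def _parse_headers(header_lines) -> dict:
    """Fold 'Name: value' lines into a dict; header names are case-insensitive."""
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def onlooker_view(request: bytes) -> dict:
    """What an intermediate hop learns from a plaintext request: with no
    encryption, the request line and headers are right there in the bytes."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("ascii")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ")
    headers = _parse_headers(header_lines)
    return {"method": method, "path": path, "host": headers.get("host")}


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status_code, headers, body).
    Raises ValueError if the response was cut off before Content-Length bytes."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: header block not terminated")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)        # e.g. ['HTTP/1.1', '200', 'OK']
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"bad status line: {status_line!r}")
    headers = _parse_headers(header_lines)
    expected = int(headers.get("content-length", len(body)))
    if len(body) < expected:
        raise ValueError(f"truncated body: want {expected} bytes, have {len(body)}")
    return int(parts[1]), headers, body[:expected]


# A constructed response, exactly as the server would put it on the wire.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 37\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<html><body><h1>Hi</h1></body></html>"
)

if __name__ == "__main__":
    req = build_get_request("example.com", "/secret-page")
    print(req.decode())
    print(onlooker_view(req))               # a router on the path sees all of this
    code, headers, body = parse_response(SAMPLE_RESPONSE)
    print(code, headers["content-type"], body)
```

Nothing in either message is hidden: a hop that forwards the request bytes can recover the method, path and Host header with a few string splits, and could just as easily rewrite the body of the response before passing it on.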
To fix these issues, a secure version of HTTP was created: HTTPS, which is HTTP carried over TLS. With HTTPS, it's kind of like each message has a lock on it.
Both the browser and the server know the combination to that lock, but no one in between does.
With this, even if the messages go through multiple routers in between, only you and the web site can actually read the contents. The routers still see which two addresses are talking, just not what is being said.
This solves a lot of the security issues. But there are still some messages going between your browser and the server that aren't encrypted. This means people along the way can still pry into what you're doing.
One place where data is still exposed is in setting up the connection to the server. When you send your initial message to the server (the TLS ClientHello), you send the server name as well, in a field called Server Name Indication (SNI). This lets server operators run multiple sites on the same IP address while still knowing which one you are trying to reach. That initial message is part of setting up the encryption, so it can't itself be encrypted yet: the name goes across in the clear, and anyone on the path can read it.
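What that leak looks like at the byte level, as an added example that is not part of the original article: a minimal TLS ClientHello record carrying an SNI extension is built from constructed values (the random field, cipher suite list and host name are all made up), and a passive-observer routine then pulls the host name straight out of the plaintext record. The same routine gets nothing from an application-data record, whose payload is ciphertext.

```python
# Added example (not from the original article). Record layouts follow
# RFC 5246/8446 (TLS record and ClientHello) and RFC 6066 (server_name extension).
import struct

def build_client_hello(hostname: str) -> bytes:
    """Build a TLS record holding a minimal ClientHello with an SNI extension.
    Constructed for illustration: a real hello carries many more extensions."""
    host = hostname.encode("ascii")
    server_name_list = b"\x00" + struct.pack("!H", len(host)) + host   # type 0 = host_name
    sni_ext_body = struct.pack("!H", len(server_name_list)) + server_name_list
    sni_ext = struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    cipher_suites = b"\x13\x01\x13\x02"    # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    body = (
        b"\x03\x03"                         # legacy_version (TLS 1.2 on the wire)
        + bytes(32)                         # client random: zeros, constructed sample
        + b"\x00"                           # session_id length 0
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                       # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # 0x01 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# A constructed application-data record (type 0x17): the payload is ciphertext,
# so an observer learns its length and nothing else.
APP_DATA_RECORD = b"\x17\x03\x03\x00\x10" + bytes(range(16))

def extract_sni(record: bytes):
    """Return the server_name a passive observer reads out of a ClientHello
    record, or None when the bytes are not a ClientHello carrying SNI
    (a 0x17 application-data record, a truncated capture, or no extension)."""
    try:
        if record[0] != 0x16:                        # 0x16 = handshake record
            return None
        rec_len, = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                            # 0x01 = ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            return None                              # truncated capture
        pos = 2 + 32                                 # skip legacy_version + random
        pos += 1 + body[pos]                         # session_id
        cs_len, = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + cs_len                            # cipher_suites
        pos += 1 + body[pos]                         # compression_methods
        ext_len, = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + ext_size]
            pos += 4 + ext_size
            if ext_type != 0x0000:                   # 0x0000 = server_name
                continue
            list_len, = struct.unpack("!H", ext[:2])
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = ext[q]
                name_len, = struct.unpack("!H", ext[q + 1:q + 3])
                q += 3
                if name_type == 0:                   # 0 = host_name
                    return ext[q:q + name_len].decode("ascii")
                q += name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None

if __name__ == "__main__":
    hello = build_client_hello("example.com")
    print(hello.hex())
    print("observer reads SNI:", extract_sni(hello))          # example.com
    print("observer reads from app data:", extract_sni(APP_DATA_RECORD))  # None
```

The parser deliberately refuses truncated records instead of guessing, since an on-path observer works from whatever packet fragment it managed to capture. In TLS 1.3 only the ClientHello and ServerHello remain in the clear, but the SNI sits in the ClientHello, so it is readable unless the Encrypted Client Hello extension is in use.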
The other place where data is exposed is in DNS. But what is DNS?
How DNS works:
This tutorial is taken from "A cartoon intro to DNS over HTTPS".