
require('https') vs require('tls')

I'm trying to create a very secure connection between client and server using Node.js, Express.js and TLS (1.2).

I think my problem is in understanding what TLS actually is - meaning what is being exchanged, when and how by who.

Anyhow, I'm searching the internet like a nutter (crazy person) to try and figure out the following:

  • what does var tls = require('tls'); invoke?
  • what does var https = require('https'); invoke?

I can get tls working when using another node as a client, but in this case the client will be a user in a browser. Can I use both for a browser or only https??

Thanks

sidewaiise asked Jun 11 '14 11:06


1 Answer

Let's indeed start with what TLS is.

TLS is a way to provide secure connections between a client and a server. It does this by providing a safe way for clients and servers to exchange keys so they can then use public-key cryptography to secure their transmission. The exact mechanism is found here, but it's really not important for this answer.

Now, what is https? Well first, let's talk about HTTP. HTTP is a protocol that defines how web servers and clients talk and exchange web pages or data. Basically, it includes a request from a client and the server responds with a numerical message, headers, and (optionally) a body. If you're familiar with writing web pages, this is obvious.

So now, finally, what is HTTPS? HTTPS is a version of HTTP using TLS to secure data. This means that clients and servers can use the same protocol they're used to, wrapped in encryption.

Now, let's talk about these in node.js.

When you use require('tls'), you're only using the encryption layer, without defining the protocol. This will work fine for anything that doesn't expect an exact protocol, such as your other node.js client.

When you use require('https'), you're specifically using HTTP over TLS. The https module is actually a subclass of the tls module! (Oops, actually, the https.Server is a subclass of tls.Server) This means that whenever you're using the https module, you're also using the tls one.

Now, the final question: What does the browser want? If you've been following everything I've said, you can see that the browser wants https. In fact, it's likely that most of the webpages you've visited today have been over https.

Avery answered Nov 09 '22 04:11