Riiven Threads
HTTPS
The padlock on your browser is one court ruling, one bug, and one nonprofit away from disappearing.
You typed your credit card into a website yesterday and didn't think twice. The reason you didn't is a small padlock icon in your address bar, a symbol that holds together because of five things that almost didn't happen. A 200-year-old math fact. A 1949 science of secrets. A 1976 breakthrough that cryptographers had argued was impossible. A 1996 court ruling that made it legal to ship abroad. A 2016 nonprofit that made it free. Take any one of them away and the padlock is a sticker.
If any of these had failed
What you would lose, field by field. The story of HTTPS is also the story of every near-miss it depended on.
Factoring a 2048-bit RSA key would take a quadrillion CPU-years, over 70,000 times the age of the universe.
Modern key sizes (2048-bit RSA, 256-bit AES) are dimensioned against Shannon's entropy bound, not guesswork.
Without public-key crypto, 1 billion users would need ~500 quadrillion pre-shared keys, more than the seconds since the Big Bang.
HTTPS adoption: ~30% of page loads in 2014 (paid CAs only) → ~85% by 2023 after Let's Encrypt made certificates free.
36% of HTTPS sites in 2015 could still be downgraded to 1990s export-grade crypto and broken in hours.
Pull any thread. The story unravels the same way.
Sorted by maturation year, from the oldest foundation to the newest refinement.
Number Theory
The padlock works because multiplying is easy, but undoing the multiplication is impossibly hard.
Pick two huge prime numbers. Multiply them. A computer does it in microseconds. Now hand the result to anyone in the world and ask them to find the original two primes. Even with every computer on Earth running for centuries, they cannot. That asymmetry is 200 years old, formalized by Gauss in 1801, and it is the actual lock the padlock relies on.
RSA encrypts and decrypts using modular exponentiation: m^(ed) ≡ m (mod n) holds whenever ed ≡ 1 (mod φ(n)). Gauss's Disquisitiones Arithmeticae (1801) formalized modular arithmetic; Euler's 1763 totient theorem proves the identity. The security rests on a 200-year-old empirical fact: multiplying two large primes is easy, while recovering them from the product is, with every known classical algorithm, vastly harder.
Without this field
Without the multiplication-versus-factoring asymmetry, no public-key system based on integer arithmetic is possible. The best classical factoring algorithm (General Number Field Sieve) requires sub-exponential time L_n[1/3, ~1.92]; for a 2048-bit RSA modulus, that is on the order of 10^15 CPU-years. Take that gap away and the padlock becomes a sticker.
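The identity and the asymmetry above, as an added example that is not part of the original page: a toy RSA key is built from two small primes, checked against m^(ed) ≡ m (mod n), and then the private exponent is rebuilt from the public values alone by factoring n. The primes, the function names and the use of Pollard's rho (in place of the General Number Field Sieve) are assumptions for illustration; at 2048 bits the factoring step is what becomes infeasible.

```python
from math import gcd

# Constructed toy parameters: two ~30-bit primes. Real RSA primes are ~1024 bits.
P, Q, E = 1000000007, 998244353, 65537

def make_key(p, q, e):
    """Return (n, d) with e*d ≡ 1 (mod phi(n)), the condition quoted in the text."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo phi(n)")
    return p * q, pow(e, -1, phi)

def identity_holds(n, e, d, messages):
    """Check m^(e*d) ≡ m (mod n) by encrypting and then decrypting each m."""
    return all(pow(pow(m, e, n), d, n) == m for m in messages)

def pollard_rho(n, c=1):
    """Find a non-trivial factor of an odd composite n (Floyd cycle detection)."""
    x = y = 2
    d = 1
    while d == 1:
        x = (x * x + c) % n
        y = (y * y + c) % n
        y = (y * y + c) % n
        d = gcd(abs(x - y), n)
    # d == n means both prime cycles closed at once; retry with another constant.
    return d if d != n else pollard_rho(n, c + 1)

def recover_private_exponent(n, e):
    """Anyone who can factor n derives the same d as the key owner."""
    p = pollard_rho(n)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    n, d = make_key(P, Q, E)
    # Includes m = P, which is not coprime to n; the identity still holds.
    print("identity holds:", identity_holds(n, E, d, [0, 1, 42, P, n - 1]))
    print("d rebuilt from (n, e) only:", recover_private_exponent(n, E) == d)
```

With these 30-bit primes the factoring finishes in well under a second; the key owner's work (one modular inverse) stays cheap at any size, while the attacker's does not.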
Information Theory of Secrecy
Before 1949, cryptography was a craft. Shannon turned it into a science with one paper.
Shannon proved when a code is unbreakable, how much randomness a key has to carry, and which kinds of cleverness in cipher design buy real security versus just the appearance of it. Every modern key length, whether 256 bits or 2048 bits, is dimensioned against his bound, not guessed. Without that paper, today's key sizes would be educated folklore.
Shannon's 1949 paper Communication Theory of Secrecy Systems gave cryptography its first mathematical foundation. It defined perfect secrecy, key entropy, and unicity distance, and proved that perfect secrecy requires the key to carry at least as much entropy as the message. Every modern cipher's key-length argument descends from this bound.
Without this field
Pre-Shannon, cryptography was empirical: a cipher was 'secure' until someone broke it. Shannon turned cipher design into a quantitative engineering discipline by separating which complications buy security (key entropy, diffusion, confusion) from which buy nothing (mere obscurity). Without this framework, RSA's 2048-bit keys and AES's 256-bit keys are arbitrary numbers.
Public-Key Cryptography
Two strangers can agree on a secret out loud, in front of everyone. Until 1976, this was considered impossible.
Diffie and Hellman, in 1976, showed that two people who have never met can shout numbers at each other in public and end up sharing a secret nobody listening can compute. RSA, two years later, made it practical. Without this single move, internet commerce would require every pair of strangers to first meet in person to swap keys. A billion users would need 500 quadrillion handshakes, more than the seconds that have passed since the Big Bang.
Diffie & Hellman's 1976 paper New Directions in Cryptography proposed that two parties could establish a shared secret over a public channel without prior key exchange, a possibility many cryptographers had argued was logically impossible. RSA (Rivest, Shamir, Adleman, 1978) provided the first concrete instantiation. This single conceptual move made internet-scale encryption between strangers feasible.
Without this field
With only symmetric cryptography, every pair of communicating parties needs a pre-shared key delivered out of band by trusted courier. For n parties to communicate pairwise, n(n-1)/2 keys must be exchanged in advance. Internet commerce among a billion strangers becomes a logistical impossibility.
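The public exchange and the key-count argument above, as an added example that is not part of the original page. It uses a toy group (the Mersenne prime 2^127 - 1 with base 3, an assumption chosen so the block runs on the standard library alone; deployed TLS uses 2048-bit or larger groups or elliptic curves), and all function names are illustrative.

```python
import hashlib
import secrets

# Toy parameters, labelled as such: far too small for real use.
P = 2**127 - 1
G = 3

def keypair():
    """Pick a private exponent and the public value that is sent in the clear."""
    priv = secrets.randbelow(P - 3) + 2          # uniform in 2 .. P-2
    return priv, pow(G, priv, P)

def check_public(value):
    """Reject degenerate peer values (0, 1, P-1, out of range) that would
    force the shared secret to a value an observer can predict."""
    if not 2 <= value <= P - 2:
        raise ValueError("peer public value out of range")
    return value

def shared_key(my_priv, peer_pub):
    """Combine own private exponent with the peer's public value, then hash."""
    secret = pow(check_public(peer_pub), my_priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def exchange():
    """Run one exchange; return both derived keys and the public transcript."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    transcript = {"p": P, "g": G, "A": a_pub, "B": b_pub}  # all a listener sees
    return shared_key(a_priv, b_pub), shared_key(b_priv, a_pub), transcript

def pairwise_keys(n):
    """Pre-shared keys needed when n parties have only symmetric crypto."""
    return n * (n - 1) // 2

if __name__ == "__main__":
    k_a, k_b, seen = exchange()
    print("both sides derived the same key:", k_a == k_b)
    print("values sent in public:", seen)
    print("pre-shared keys for a billion users:", pairwise_keys(10**9))
```

Nothing in this exchange tells either side who sent A or B; that gap is what the certificate section addresses.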
PKI & Certificate Authorities
The math proves you have a key. It does not prove the key is yours. Someone has to vouch for that, and that someone has to be paid.
When your browser sees a padlock, it isn't trusting the website. It's trusting a third party (a Certificate Authority) that signed the website's key after checking who they are. For 20 years that signature cost money, which is why HTTPS sat at 30% of the web in 2014. Then Let's Encrypt started giving signatures away for free in 2016, and HTTPS jumped past 85% within a few years. The padlock spread because the price of trust collapsed.
RSA proves you possess a private key, but tells you nothing about whose key it is. Certificate Authorities (Verisign 1995, then dozens more, then Let's Encrypt 2016) act as trust intermediaries that sign public keys after verifying identity. The padlock means a CA your browser trusts has signed the server's certificate. Whether that ecosystem exists, who pays for it, and who is liable when it fails are all economic questions the math cannot answer.
Without this field
Without PKI, RSA gives you encryption with someone, but no way to verify who. Man-in-the-middle attacks become trivial. The 1990s web of trust (PGP) failed to scale to consumers; centralized paid CAs got HTTPS to roughly 30% of page loads by 2014. Let's Encrypt (free, automated, ACME protocol, 2016) collapsed the cost barrier and pushed adoption past 85% by 2023.
Crypto Wars & Export Policy
Until 1996, U.S. law treated strong encryption as a weapon. The padlock you trust today was, technically, a munitions violation.
Through the 1990s, exporting software with keys stronger than 40 bits was illegal. Forty bits was weak enough for a graduate student to break in an afternoon. A federal court ruled in 1996 that source code is protected speech, which broke the legal foundation of the export rules. The math had been ready for two decades. The law had to catch up before HTTPS at modern strength was allowed to leave the country.
Until the late 1990s, U.S. law classified strong cryptography as a munition; software using keys longer than 40 bits could not legally be exported. The Bernstein v. United States ruling (1996) found that source code is protected speech, and successive court and administrative decisions liberalized export controls by 2000. Without this legal turn, browsers shipped abroad were limited to crypto a research student could break in an afternoon.
Without this field
1990s 'export-grade' SSL used 40-bit RC4, which could be brute-forced in roughly three hours on commodity 2015 hardware. The FREAK attack (2015) showed that latent export-crypto code paths could still be triggered to downgrade modern HTTPS connections, affecting an estimated 36% of all HTTPS sites. The padlock at modern strength required winning the legal fight, not just the math.
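The two failure modes described in the PKI and export-policy sections, as an added example that is not code from the original page: an audit of a Python `ssl` client context that reports a missing CA or hostname check and any export-grade suite names. The function names and the sample suite list are constructed for illustration.

```python
import ssl

def export_grade(cipher_names):
    """Return suite names that are export-grade, in OpenSSL or IANA naming."""
    return [n for n in cipher_names
            if n.upper().startswith(("EXP-", "EXP1024-")) or "_EXPORT_" in n.upper()]

def audit_client_context(ctx, offered=None):
    """List the ways a client context gives up what the padlock promises.

    `offered` overrides the suite list (for instance names collected from a
    server's configuration); by default the suites enabled on `ctx` are checked.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified against trusted CAs")
    if not ctx.check_hostname:
        findings.append("certificate is not matched to the requested hostname")
    names = offered if offered is not None else [c["name"] for c in ctx.get_ciphers()]
    for name in export_grade(names):
        findings.append(f"export-grade suite enabled: {name}")
    return findings

def insecure_context():
    """The anti-pattern: encryption with someone, identity unchecked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # has to be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

# Constructed sample: suite names as a legacy server configuration might list them.
LEGACY_OFFER = ["ECDHE-RSA-AES128-GCM-SHA256", "EXP-RC4-MD5",
                "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", "AES256-SHA"]

if __name__ == "__main__":
    print("default context:", audit_client_context(ssl.create_default_context()))
    for finding in audit_client_context(insecure_context(), offered=LEGACY_OFFER):
        print("insecure context:", finding)
```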
The padlock is less a feature of the internet than a treaty between mathematicians, judges, engineers, and economists who agreed, separately and over two centuries, that strangers should be able to send each other money. The treaty is fragile. One ruling could have made the math illegal in 1996. One nonprofit, started in 2014, is the reason most sites can afford encryption at all. The trust you experience online is a working agreement, kept alive by a few hundred people whose names you will never know.
References
- Disquisitiones Arithmeticae (1801)
Carl Friedrich Gauss (1801). Formalized modular arithmetic and congruences, the algebraic language every modern public-key cryptosystem still speaks.
- Communication Theory of Secrecy Systems (1949)
Claude Shannon, Bell System Technical Journal vol. 28 (1949). The paper that turned cryptography from craft into science; defined perfect secrecy and the entropy bound on keys.
- New Directions in Cryptography (1976)
Diffie & Hellman, IEEE Transactions on Information Theory vol. IT-22 (1976). The paper that proposed public-key cryptography as a category and showed key exchange over an insecure channel was possible.
- Bernstein v. United States Department of Justice (1996)
Northern District of California, 1996; affirmed by Ninth Circuit, 1999. Ruled that cryptographic source code is protected speech under the First Amendment, breaking the legal foundation of the export-control regime.
- Let's Encrypt: An Automated Certificate Authority to Encrypt the Entire Web (2019)
Aas, Barnes, Case, Durumeric, Eckersley, Flores-López, Halderman, Hoffman-Andrews, Kasten, Rescorla, Schoen & Warren, ACM CCS 2019. The reference paper on the certificate authority that broke the cost barrier of HTTPS deployment.