What Happens When You Type a URL in a Browser and Press Enter?

-

There is just so much to unpack if you really get into the details. Others online have already done a great job answering this question with minute details I wouldn't have even thought to include in this post had I not discovered their work (see the explanation of keystrokes being entered on a USB keyboard and the related circuitry vs a capacitive touchscreen) so I'm not going to try to out-detail a 70+ person collaborative effort.

Instead here are some of the things I like to highlight when answering this question along with parts I've had to educate myself on (browser rendering steps, parsing JS and CSS, various trees, and that end of the flow were really interesting to read about as I don't usually have exposure to them).

Credit: @manekinekko

This graphic does a fantastic job detailing the flow of information that occurs when someone enters a URL in a browser and presses enter. For more information click on each of the steps below:

  1. URL is entered.
  2. DNS lookup occurs.
  3. Once IP address is determined a TCP connection is made (usually over port 443 or 80) via the TCP/IP 3-way handshake.
  4. HTTP request is made for the website.
  5. Web server responds with their HTML website plus any other code used on their site (CSS, JS, anything but Adobe Flash, etc).
  6. The browser renders the webpage -- parsing, DOM, CSSOM, and more.

Some things this graphic doesn't show but I like to discuss are:
  • How does the browser/computer know how to get to a DNS server? How does this differ between a computer that's been on the network for a year vs a brand new computer on the network?
  • Local DHCP, DNS, HOSTS file. How does the computer have an identity on the local network let alone the Internet?
  • Network Address Translation's (NAT) role in sending and receiving traffic from the web server.
  • Address Resolution Protocol's (ARP) role in forming frames and packets to get out of the local network.
  • Web proxies, stateful and stateless firewalls, TLS/SSL, and public-key cryptography.
  • Browser/session cookies, geolocation detections, and compliance requirements such as GDPR.

This of course doesn't even begin to get into the various security vulnerabilities along the way and how to best mitigate them.

It really is a feat of human engineering that all this works as well as it does as fast as it does and we carry it around in our pockets often without a second thought!

If you'd like me to expand on any of the steps above feel free to reach out or comment below and let me know!

References & Extras

  • https://github.com/alex/what-happens-when#
  • https://twitter.com/kamranahmedse/status/1297131414190776320

Comments

Post a Comment

Popular Posts

Hashcat - Cracking MD5 and NTLM Hashes

-
Image
Today we'll be exploring Hashcat -- "the world’s fastest and most advanced password recovery utility". This, along with similar tools, should be used only for password recovery, pentest engagements, CTFs, etc and never for illegal purposes. I could write an entire series about the capabilities Hashcat provides, but we will cover a few basic examples for now ( besides, Hashcat does a pretty good job of that themselves ): Crack MD5 hashes using the rockyou.txt wordlist. Crack NTLM hashes using the rockyou.txt wordlist. Crack NTLM hashes using a mask attack (modified brute force). I'll be using Kali Linux as Hashcat comes pre-installed, but Hashcat can run on Windows, macOS, and other Linux distributions as well. As you'll see, I'll be using some lists of hashes I made previously. Tools to generate hashes using dozens of algorithms are available online -- just save the output as a text file if you want to follow along. Cracking MD5 Hashes Using rockyou.txt Wordl
Read more

Configuring Secure Ciphers Suites and TLS

-
Image
Hey everyone, today we're back on cipher suites. If you want a refresher of TLS and secure cipher suites overall, check out my previous post . There are many instances in which you'll need to edit cipher suites on a system -- compliance efforts, CIS benchmarks, or simply ensuring your system doesn't use insecure suites. There are a few ways to go about this and I'll detail two of them now: IIS Crypto and the Windows registry. IIS Crypto My favorite way of editing TLS versions and cipher suites is using IIS Crypto . IIS Crypto allows you to select your desired TLS/SSL version, cipher suites, and backup the registry, all with a few mouse clicks. Only downside is that it's Windows only (even the command line version). This is what IIS Crypto will look like on an unmodified Windows 10 system. Note the separate  Server Protocols  and  Client Protocols  sections. These are important to keep straight depending on what system is listening for connections and what system is
Read more

Configuring SSH Key Based Authentication

-
Image
Overview Most personal computers and many organizations running Linux servers utilize password-based authentication. This is what most of us are used to -- you enter a username and password in order to authenticate your account and gain access to a system. While straightforward and commonplace, this isn't the best solution in most cases. Today I'll be explaining why key based authentication is more convenient, more secure, and allows for automation of tasks without saving credentials in plain-text in a text file. Key based authentication involves the use of private and public keys ( public-key cryptography ). The private key is stored on the client and the public key is stored on the server in a special file ( ~/.ssh/authorized_keys ). This allows any system with the corresponding private key to login to the server where we just stored the public key. Our steps are: Generate key pair (public / private key). Transfer public key and add it to the authorized_keys file on the remot
Read more