Bits to Browsers: Mapping the OSI Journey
To understand how a webapp loads,
imagine the OSI Model as a construction project where each
floor depends on the one below it. When you type a URL and hit enter, your data
travels "down" the layers on your computer, across the wire, and back
"up" the layers on the server.
1. Application Layer (Layer 7) - “Request"
This is where HTTPS lives.
Your browser (the client) prepares a message like GET /index.html. At this
stage, the data is just plain text. It doesn't know about security or delivery
yet; it just knows what it wants from the webapp.
2. Presentation Layer (Layer 6) - “Encryption" (TLS)
In the modern web, TLS (Transport
Layer Security) acts as the Presentation Layer.
· Handshake: Before
any data moves, the browser and server perform a "secret handshake"
to agree on encryption keys.
· Encryption: Your
plain GET request is scrambled into unreadable ciphertext. If anyone
sniffs your Wi-Fi now, they just see gibberish.
3. Session Layer (Layer 5) - “Connection Management"
This layer manages the
"dialogue" between your browser and the webapp. It keeps the
connection open while you're browsing and ensures that if the connection drops,
it can be resumed without starting the whole encryption handshake from scratch.
4. Transport Layer (Layer 4) - “Reliability" (TCP)
Now we hit TCP. This
layer is the "delivery manager."
· Segmentation: It
breaks your encrypted data into smaller "segments."
· 3-Way
Handshake: TCP ensures the server is ready by sending a SYN packet,
receiving a SYN-ACK, and sending back an ACK.
Error Checking: It assigns a sequence number to every segment. If a
piece of the webapp goes missing, TCP notices and asks the server to "send
that piece again."
5. Lower Layers (Layers 3, 2, & 1) - “Transit"
· Network
Layer (Layer 3): Adds IP addresses (Source: You,
Destination: Webapp Server) so routers know where to send the packets.
· Data
Link Layer (Layer 2): Handles the physical hardware addresses (MAC
addresses) to move data from your laptop to your router.
· Physical
Layer (Layer 1): Converts everything into electrical signals,
light pulses (fiber), or radio waves (Wi-Fi).
Flow:
When you click a button on a
webapp:
1.
HTTPS (L7) creates the message.
2.
TLS (L6) encrypts it.
3.
TCP (L4) manages the delivery and
ensures no data is lost.
4.
IP/Hardware (L3-L1) moves the bits
across the internet.
Here is the 7-layer stack from top
to bottom:
|
Layer |
Name |
Keyword |
What it
does in one sentence |
|
7 |
Application |
Browser |
Where you
(the human) interact with the webapp. |
|
6 |
Presentation |
Encryption |
Scrambles the
data (TLS) so it stays private. |
|
5 |
Session |
Dialogue |
Starts,
stops, and restarts the "conversation." |
|
4 |
Transport |
Reliability |
Ensures every
piece (TCP) arrives in order. |
|
3 |
Network |
Routing |
Uses IP
addresses to find the best path. |
|
2 |
Data Link |
Switching |
Moves data
between local hardware (MAC addresses). |
|
1 |
Physical |
Cables |
The actual
wires, light, or Wi-Fi signals. |
Unit of data (from the wire up to your eyes):
|
Layer |
Name |
Keyword
(Unit) |
|
7 |
Application |
Data (The
actual web content) |
|
6 |
Presentation |
Data (Formatted/Encrypted) |
|
5 |
Session |
Data (The
logical connection) |
|
4 |
Transport |
Segments (TCP
chunks) |
|
3 |
Network |
Packets (IP
addresses) |
|
2 |
Data Link |
Frames (MAC
addresses) |
|
1 |
Physical |
Bits (1s
and 0s) |
HTTPS typically uses the TCP (Transmission Control Protocol)
at its transport layer. However, the latest version of the protocol HTTP/3,
runs over UDP (User Datagram Protocol) via a newer transport
protocol called QUIC.
Transport Layer Breakdown
· HTTPS
(HTTP/1.1 & HTTP/2): These standard versions rely on TCP for
reliable, ordered, and error-checked data delivery. TCP ensures that every byte
of a webpage arrives correctly.
· HTTPS
(HTTP/3): This modern version uses QUIC, which is built on top
of UDP. It is designed to be faster than TCP by reducing the time
needed to establish a secure connection.
Comparison Table
|
Feature |
HTTPS over
TCP (HTTP/1.1, HTTP/2) |
HTTPS over
UDP/QUIC (HTTP/3) |
|
Transport
Protocol |
TCP (Transmission
Control Protocol) |
UDP (via
QUIC) |
|
Reliability |
Built-in via
TCP |
Built into
QUIC (despite using UDP) |
|
Primary
Goal |
Reliability
and strict ordering |
Speed and
reduced latency |
|
Port |
Default Port
443 |
Default Port
443 |
While the core UDP protocol is "unreliable" (it doesn't check for lost packets), QUIC adds its own reliability features on top of UDP so that it can safely handle secure web traffic.
OSI & Cloud Service Map
|
OSI Layer |
Name |
Data Unit
(PDU) |
Core Services
& Protocols |
Cloud-Specific
Components |
|
7 |
Application |
Data |
HTTP/S, DNS,
DHCP, SSH, SMTP, FTP, SNMP, BGP, Telnet |
ALB (App Load
Balancer), API Gateway, WAF (Web App Firewall), Route 53 |
|
6 |
Presentation |
Data |
TLS, SSL,
MIME, JPEG, MPEG, Encryption, Compression |
AWS
Certificate Manager (ACM), Azure Key Vault (Encryption at Rest/Transit) |
|
5 |
Session |
Data |
RPC, NetBIOS,
NFS, Sockets, Session Setup/Auth |
Sticky
Sessions (Load Balancer feature), IAM Session Tokens |
|
4 |
Transport |
Segments
(TCP) / Datagrams (UDP) |
TCP, UDP,
QUIC, Port Numbers (80, 443, 22), SSL-VPN |
NLB (Network
Load Balancer), Security Groups (L4 filtering), VPN Gateways |
|
3 |
Network |
Packets |
IP (IPv4/v6),
ICMP (Ping), IPsec, IGMP, RIP, OSPF |
VPC, Virtual
Network (VNet), ExpressRoute, Direct Connect, Transit Gateway |
|
2 |
Data Link |
Frames |
ARP, MAC
Addresses, VLAN, Ethernet, L2-Switching |
Elastic
Network Interface (ENI), VPC Peering (logical L2), MAC Address Tables |
|
1 |
Physical |
Bits |
Cables, Fiber
Optics, Wi-Fi Signals, Hubs, NICs |
Cloud
Region/AZ Infrastructure, Physical Data Centers, Bare Metal Instances |
QUIC (Quick UDP
Internet Connections) is a modern transport layer protocol designed
to make the internet significantly faster and more secure. It was originally
created by Google in 2012 and was officially standardized by
the IETF (Internet Engineering Task Force) in 2021.
Why QUIC "Matters" Now
Traditional internet traffic
(HTTP/1.1 and HTTP/2) relies on TCP, which was designed decades ago
for a much slower, less reliable web. QUIC solves several modern problems:
· Faster
"Handshakes": In the past, your browser had to perform separate
"hellos" for the connection (TCP) and the security (TLS). QUIC
combines these into a single step, meaning data starts flowing almost
immediately.
· No
"Head-of-Line" Blocking: On a standard connection, if one small
packet (like a tiny image piece) gets lost, the entire page
stops loading until it's fixed. QUIC treats different parts of a page as
independent streams; if one image packet drops, the rest of the site keeps
loading.
· Better
Mobile Roaming: Since QUIC uses a unique Connection ID rather
than your IP address, your connection doesn't "break" when you switch
from Wi-Fi to cellular data. Your video stream or call can continue seamlessly.
· Security
by Default: Unlike TCP, which can be unencrypted, QUIC requires encryption
via TLS 1.3. You cannot have a "plain" QUIC connection.
Current Status (2024–2026)
· Widespread
Adoption: As of late 2025, approximately 36% of all websites use
HTTP/3 over QUIC. Large platforms like YouTube, TikTok, Facebook,
and Netflix already use it for the majority of their traffic.
· Browser
Support: It is enabled by default in all major browsers, including Chrome, Firefox, Edge,
and Safari.
· Beyond
the Web: It is beginning to replace older protocols in other areas, such
as SMB over QUIC (for faster file sharing without a VPN)
and DNS-over-QUIC (for private web searches).
Firewall Logic: Layers, Ports,
and "Implicit Deny"
To pass this question, you must
demonstrate that you understand Encapsulation. A firewall doesn't
just see "a website"; it sees a stack of protocols.
1. Core Concept: The Dependency
You cannot have HTTP/HTTPS without
TCP.
· HTTP is
the "Letter" (Application Layer).
· TCP is
the "Envelope" (Transport Layer).
· If
you ban all envelopes (TCP), the letter (HTTP) can never be delivered.
2. How the Firewall "Thinks" (Rule Order)
Firewalls read rules from top to
bottom. To secure a network while allowing web browsing, you follow the Principle
of Least Privilege.
The Winning Rule Set:
|
Priority |
Action |
Protocol |
Port |
Description |
|
1 |
ALLOW |
TCP |
80 |
Permits HTTP (Unencrypted
Web) |
|
2 |
ALLOW |
TCP |
443 |
Permits HTTPS (Encrypted
Web/TLS) |
|
3 |
DENY |
TCP/UDP |
ALL |
The "Catch-All" (Blocks
everything else) |
3. "Catch" Explained:
TCP vs. UDP
In an interview, mention these two
nuances to stand out:
· Implicit
Deny: If your last rule is "Deny All TCP/UDP," you have
effectively blocked every other service like Email (SMTP), File Transfer (FTP),
and even modern HTTP/3 (because HTTP/3 uses UDP port
443, not TCP).
· Stateful
Inspection: A modern firewall doesn't just open a port; it tracks the
"state" of the connection. It remembers that you asked
for the website, so it allows the web server to send data back to you without
needing a separate "Allow" rule for the return traffic.
4. "Interview Killer" Answer (Memorize This)
Question: "How
would a firewall handle HTTP/HTTPS vs TCP/UDP flow?"
Your Answer:
"A firewall handles this by
looking at the Transport Layer (Layer 4) to manage the Application
Layer (Layer 7). Since HTTP and HTTPS are TCP-based, the firewall doesn't
'block HTTP' directly; it filters the TCP traffic on specific ports.
To set this up, I would implement
a White-list approach:
1.
First, I’d create rules to Allow TCP
traffic on Port 80 and Port 443.
2.
Then, I’d implement a Final Deny Rule for
all other TCP and UDP traffic.
This ensures that the webapp works,
but all other 'doors' are locked. However, I’d also keep in mind that if the
app uses HTTP/3, I would specifically need to allow UDP
Port 443 as well, since HTTP/3 shifts away from TCP."
5. Quick Reference Cheat Sheet
· HTTP: TCP
Port 80 (Data = Cleartext)
· HTTPS: TCP
Port 443 (Data = Encrypted via TLS)
· HTTP/3: UDP Port
443 (The new standard)
· Rule
Logic: Specific "Allows" first, General "Deny"
last.
Pro Tip: If Interviewer
asks "Why not just block UDP?" remind them that DNS (which
turns google.com into an IP address) usually runs on UDP Port 53.
If you block all UDP, your browser won't even find the server!