This is the 8th day of my participation in Gwen Challenge


Preface

Interviewer: Talk about HTTP and HTTPS. So how is HTTPS encrypted?

I: 🔥…


Basic concepts

HTTP

HTTP (Hypertext Transfer Protocol) is one of the most widely used network protocols on the Internet. It is a stateless, request/response-based application-layer protocol that usually transmits data over TCP/IP. It is the standard for requests and responses between a client and a server (over TCP), used to transfer hypertext from a WWW server to the local browser. It can make browsers more efficient and reduce network traffic.

HTTPS

HTTPS is an HTTP channel that aims at security. In short, it is the secure version of HTTP: an SSL layer is added under HTTP. The security foundation of HTTPS is SSL, so the details of the encryption are handled by SSL. The HTTPS protocol has two main functions: one is to establish a secure channel that protects data in transit; the other is to verify the authenticity of the site.


The differences between HTTP and HTTPS

Data transmitted through HTTP is unencrypted, that is, plaintext. Therefore, it is very insecure to use HTTP to transmit private information. To ensure that this private data can be encrypted, Netscape designed the SSL protocol to encrypt data transmitted through HTTP, thus giving birth to HTTPS. To put it simply, HTTPS is a network protocol that uses SSL and HTTP to encrypt transmission and authenticate identities. It is more secure than HTTP.

  • HTTP is the hypertext transfer protocol, and its messages are transmitted in plaintext; HTTPS is a secure, SSL-encrypted transport protocol.
  • HTTP and HTTPS use completely different connection methods and different ports: 80 for HTTP and 443 for HTTPS.
  • HTTP connections are simple and stateless (statelessness can be worked around with cookies).
  • HTTPS is a network protocol that uses SSL and HTTP to encrypt transmission and authenticate identity. It is more secure than HTTP.

How HTTPS works

Steps:

  1. The client accesses the Web server using an HTTPS URL and requests an SSL connection to the Web server.
  2. After receiving the request from the client, the Web server sends a copy of the certificate information (including the public key) of the website to the client.
  3. The client’s browser and the Web server begin to negotiate the security level of the SSL connection, that is, the level of information encryption.
  4. The browser on the client establishes the session key according to the mutually agreed security level, then encrypts the session key using the website’s public key and transmits it to the website.
  5. The Web server decrypts the session key using its own private key.
  6. The Web server uses the session key to encrypt communication with the client.

Principle analysis: in essence, symmetric and asymmetric encryption are used together. The data is encrypted with symmetric encryption, and the symmetric key itself is encrypted with asymmetric encryption.

Knowledge extension – Symmetric and asymmetric encryption
  • Symmetric encryption: uses the same secret key for encryption and decryption (common: DES, 3DES, AES).
    • Pros: open algorithms, small amount of computation, fast encryption speed, high encryption efficiency
    • Cons: not secure enough
  • Asymmetric encryption: unlike symmetric encryption algorithms, asymmetric encryption algorithms require two keys: a public key and a private key. (Common: RSA, DSA (for digital signatures))
    • Pros: secure
    • Cons: slow

HTTPS shortcomings

  • Multiple HTTPS handshakes prolong the page loading time by nearly 50%.
  • HTTPS connection caching is not as efficient as HTTP, which increases data overhead and power consumption.
  • Applying for an SSL certificate costs money, and more powerful certificates cost more.
  • The security algorithms involved in SSL consume CPU resources and server resources.