This is the 11th day of my participation in the August More Text Challenge.

Recently I have been writing a series of summaries of front-end interview questions. If you are interested, feel free to follow along; corrections and discussion are welcome.

I try to summarize each knowledge point thoroughly, so that at least in an interview you can talk about each one at length instead of drawing a blank.

Preface

Having worked through the previous articles, you should now have some understanding of HTTP: its concepts, characteristics, request methods, caching and related topics. Congratulations on taking a solid step toward a successful interview!

HTTP has a long history. It has gone through several major version updates along the way and is still going strong.

But however robust it is, it cannot keep up with the rapid growth of people's needs. Take a common one: when I transfer money or make a payment through online banking, how can I be sure that my user information (including passwords) will not be compromised?

Because the HTTP protocol transmits information in plaintext, if an HTTP request sent during the payment process is intercepted by an attacker, the user information carried in the request is visible to the attacker, which can pose serious security risks.

Obviously, this problem cannot be solved simply by adding attributes to the HTTP protocol. This is where today's hero, HTTPS, comes in.

HTTPS

HTTPS (HyperText Transfer Protocol Secure) is also commonly referred to as HTTP over TLS, HTTP over SSL, or HTTP Secure.

Remember? HTTP stands for HyperText Transfer Protocol, and comparing the two full names gives you a sense of the difference.

HTTPS is a transport protocol for secure communication over computer networks. HTTPS communicates over HTTP, but uses SSL/TLS to encrypt packets. The main purpose of HTTPS is to provide identity authentication for web servers and to protect the privacy and integrity of the exchanged data. The protocol was first proposed by Netscape in 1994 and later extended to the Internet.

Strictly speaking, HTTPS is not a separate protocol, but rather a name for the regular HTTP protocol running over an encrypted connection (TLS, Transport Layer Security, or SSL).

Historically, HTTPS connections were used for payment transactions on the World Wide Web and for transferring sensitive information in enterprise information systems. In the late 2000s and early 2010s, HTTPS became widely used to ensure that all types of web pages were authentic, to protect accounts, and to keep users' communications, identities and web browsing private. As a result, most of the applications we see today implement HTTPS.

Role

The primary role of HTTPS is to create a secure channel over an insecure network. It provides reasonable protection against eavesdropping and man-in-the-middle attacks, as long as the traffic is properly encrypted and the server certificate can be verified and trusted. Its functions are as follows:

  • Data confidentiality: ensures that the data contents cannot be viewed by third parties during transmission. Like a courier delivering a package, everything is wrapped up so no one knows what is inside.
  • Data integrity: detects promptly when transmitted content has been tampered with by a third party. The courier may not know what is in the package, but he might swap it for another one; data integrity means that if the package is swapped, we can easily detect it and reject it.
  • Identity verification: ensures that the data reaches the intended destination. When we send a package, even if it has not been swapped, we still have to make sure it is not delivered to the wrong place; identity verification ensures that it is sent to the right place.

To sum up, HTTPS provides identity authentication for the web server and protects the privacy and integrity of the exchanged data.

The working process

HTTPS works on TCP port 443 by default, and its workflow is generally as follows:

  1. The TCP three-way handshake takes place.
  2. The client verifies the digital certificate of the server.
  3. The DH algorithm is used to negotiate the key for the symmetric encryption algorithm and the hash algorithm.
  4. The SSL encryption tunnel negotiation is complete.
  5. The web page is transmitted in encrypted form: it is encrypted with the negotiated symmetric encryption algorithm and key to ensure data confidentiality, and the negotiated hash algorithm is used to protect data integrity against tampering.
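
Steps 3 and 5 can be traced in a few lines. This is an added example, not code from the original article: a Diffie-Hellman exchange followed by HMAC-SHA256 record integrity, using only the Python standard library. It assumes a toy group (not a secure parameter choice), a simplified key derivation, and it omits encryption because the standard library has no cipher; all names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy group, for illustration only: the Mersenne prime 2**521 - 1, generator 3.
# Real TLS uses standardized finite-field groups or elliptic curves (ECDHE).
P = 2**521 - 1
G = 3
SIZE = 66  # bytes needed to hold a 521-bit value

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2        # private exponent in [2, P-2]
    return priv, pow(G, priv, P)               # (private, public share)

def dh_shared(priv, peer_pub):
    if not 1 < peer_pub < P - 1:               # reject degenerate shares
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P)

def derive_key(shared, transcript):
    # Simplified derivation (real TLS uses HKDF): bind the key to both shares.
    return hmac.new(transcript, shared.to_bytes(SIZE, "big"), hashlib.sha256).digest()

def seal(key, seq, payload):
    # Integrity only: the hash authenticates the sequence number and payload.
    tag = hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()
    return payload + tag

def open_record(key, seq, record):
    payload, tag = record[:-32], record[-32:]
    good = hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("record failed integrity check")
    return payload

def demo():
    c_priv, c_pub = dh_keypair()               # client
    s_priv, s_pub = dh_keypair()               # server (share is signed in real TLS)
    transcript = c_pub.to_bytes(SIZE, "big") + s_pub.to_bytes(SIZE, "big")
    k_client = derive_key(dh_shared(c_priv, s_pub), transcript)
    k_server = derive_key(dh_shared(s_priv, c_pub), transcript)
    record = seal(k_server, 0, b"balance=100")  # constructed sample payload
    try:
        open_record(k_client, 0, record.replace(b"100", b"900"))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return k_client == k_server, open_record(k_client, 0, record), tamper_detected
```

The exchange by itself does not authenticate either side, which is why step 2 comes first: in real TLS the server signs its share with the key from its certificate.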

Advantages

HTTPS is not absolutely secure, and organizations that hold root certificates and encryption algorithms can still carry out man-in-the-middle attacks, but HTTPS is still the most secure solution under the current architecture. It has the following benefits:

  • The HTTPS protocol authenticates users and servers, ensuring that data is sent to the correct client and server.
  • HTTPS is a network protocol based on SSL and HTTP for encrypted transmission and identity authentication. It is more secure than HTTP and prevents data from being stolen or changed during transmission, ensuring data integrity.
  • HTTPS is the most secure solution under the current architecture, and while not absolutely secure, it dramatically increases the cost of man-in-the-middle attacks.
  • Google tweaked its search engine algorithm in August 2014 and said that “HTTPS encrypted sites will rank higher in search results than their HTTP counterparts.”

Disadvantages

While HTTPS has many advantages, it also has some drawbacks:

  • The HTTPS handshake phase is time-consuming, increasing page load times by nearly 50% and power consumption by 10% to 2%.
  • HTTPS connection caching is less efficient than HTTP, increasing data overhead and power consumption, and even affecting existing security measures.
  • SSL certificates cost money, and the more capable the certificate, the higher the fee; personal sites and small sites generally do not use them unless they need to.
  • SSL certificates usually need to be bound to an IP address, and multiple domain names cannot be bound on the same IP address. IPv4 resources cannot support this consumption.
  • The range of what HTTPS encryption protects is also limited; it is almost useless against hacker attacks, denial-of-service attacks, and server hijacking. Crucially, the chain of trust for SSL certificates is not secure, especially where a country can control a CA root certificate, in which case man-in-the-middle attacks remain possible.

Conclusion

This is an overview of HTTPS. I hope it will help you!


Thanks for reading!


Learn interesting knowledge, make interesting friends, and create interesting souls!

Hello everyone, I am Hermit King, the author of “Programming Samadhi”. My public account is “Programming Samadhi”; you are welcome to follow it, and I hope you will give me more advice!

You come with expectations, and I greet you with the scent of ink! You leave, whatever you gained or lost, with only the aftertaste!

Knowledge and skill, inner strength and outer practice, theory and practice: grasp both, and be strong in both!