Why is HTTPS more secure than HTTP?
After the TLS/SSL layer is added, all data at the application layer and transport layer are encrypted and decrypted by the security layer to ensure data security
What are the differences between TLS and SSL?
SSL, the predecessor of TLS, has been abandoned. In 1999, IETF standardized SSL and launched TLS 1.0
What is AN HTTPS man-in-the-middle attack and how can it be prevented?
In a man-in-the-middle attack, a middleman steals and forges data between a client and a server by hijacking local requests. The solution is to introduce CA certificate authentication
How does the security layer handshake work?
- The client detects an HTTPS request, generates a random number client_random, and sends a list of client_random and encryption suites to the server (client_HELLO request).
- After receiving client_hello request, the server saves client_RANDOM and sends the selected encryption suite, Service_RANDOM, server certificate, CA certificate to the client (CA certificate can not be returned, otherwise the client will download it from the network separately).
- The client verifies the validity of the certificate, saves service_random, and sends pre_master, a random number encrypted by the certificate’s public key, to the browser for confirmation. Generate the master_secret master key using client_RANDOM, service_RANDOM, and pre_master.
- The browser decrypts the pre_master using its own private key, generates master_secret master key using client_RANDOM, Service_random and pre_master, and sends the master_secret master key to the server for confirmation. The handshake at the security layer is completed, which is used in the subsequent data transmission stage
master_secret
Symmetric encrypted transmission of data.
How does HTTPS verify the certificate validity?
Get the server certificate first
- Verify whether a certificate expires based on the plaintext information of the certificate
- To check whether a certificate is revoked, you can maintain the revoked certificate list or perform online verification
- Verify the digital signature, obtain the basic information of the certificate, and use the hash function provided by the certificate to calculate the information summary A. Decrypt the digital signature using the public key provided by the certificate provider to obtain the information digest B. If A is equal to B, the information has not been tampered. However, this certificate provider may be relatively small and not authoritative, so you need to verify the CA certificate provider until you can find the root certificate provider that signs the intermediate CA provider in the operating system. If no certificate is found, the certificate is invalid and the link becomes a digital certificate chain.
How do I forcibly enable HTTPS
This can be enabled using HSTS (HTTP Strict Transport Security) : When a client makes a request over HTTPS, set the strict-transport-Security field in the HTTP response header returned by the server to enable this function.
Invalid HSTS field set during unencrypted transport.
For example, strict-transport-security: max-age=31536000; IncludeSubDomains said.
- For the next 31536,000 seconds, or a year, when a browser sends an HTTP request to example.com or its subdomain, it must use HTTPS to initiate a connection. For example, users click on hyperlinks or type in the address bar
http://www.example.com
, the browser should automatically convert HTTP to HTTPS and then directly tohttps://www.example.com
Send the request. - During the following year, if the TLS certificate sent by the Example.com server is invalid, users cannot ignore browser warnings and continue to visit the site.