HTTPS came to this world for three things! Safe, safe, and fucking safe!

It’s not a safe world

  • To get anything done over the Internet, you need to make a series of HTTP requests that end up being sent to a server thousands of miles away.

  • However, in the HTTP era, Wireshark and other various packet capture software can record all communication packets and analyze the data, you will find that your account number, password, most of the information in plain text information flow on the Internet! It’s not a safe world!

  • Your links may have been tampered with, your pages may be riddled with maliciously embedded ads from intermediary services, you may have exposed your bank account and password when visiting phishing pages…

  • If you use chat to simulate something like this:

    > hi nuggets, my account is CZKM, has anyone called me today? "> < p style =" max-width: 100%; clear: both; Xiao Hong is looking for you, the content is "today is Friday, leave work early".Copy the code

  • That would be fine, but there is a third party, like the letter ✉️, which you deliver not directly to others, but through the postman.

  • The HTTP request you make also travels through layers of routing. In the middle through layers of network forwarding, it is our postman, finally send the letter ✉️ to the server there. The same goes for the server’s response. This exposes at least three shortcomings.

    1. May be bugged Because the transmission is in clear text, all third parties can see it. Well, now the mailman knows your name is CZKM and knows the message that Xiao Hong sent you.
    2. Authentication problemI got a reply, but was it really the nuggets sending it to you. Is it possible that the mailman didn’t get the nuggets message and gave you the wrong time on purpose?
    3. May be tampered withWas the content you received complete. Now you get “It’s Friday, leave work early,” but maybe some prankster has added something to it and it becomes “It’s Friday, but I have to work late!” The original meaning has been changed.

A new technology must be invented to solve some kind of problem

  • Our savior HTTPS is here! It came here and did three main things

  1. Data encryptionHTTPS encrypts data to protect it from eavesdroppers. This means that when a user is browsing a website, no one can listen to the exchange of information between the user and the website, or track the user’s activities or access history to steal user information.
  2. Data consistency, data will not be altered by eavesdroppers in the process of transmission, data sent by users willcompleteTo ensure that the server receives what the user sends.
  3. The identity authenticationTo verify the true identity of the other party, it prevents man-in-the-middle attacks and builds user trust.

  • HTTPS is HTTP with a layer of SSL, SSL, or secure sockets layer, later changed to TLS or something like this: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 by key exchange algorithm — signature algorithm — symmetric encryption algorithm Abstract: Algorithm composition

  • Let’s use chat again, which looks something like this:

    > hi nuggets, my account is CZKM, has anyone called me today? I will use TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 algorithm, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 algorithm,...... You pick one; Then I also generated a random number, 1234 (Client random)Copy the code

    Contains (websites to visit, algorithms I support, random numbers I generate)

    > < p style = "max-width: 100%; clear: both; min-height: 1emCopy the code

    Contains (both parties agree on an algorithm, certificate of the required site, random number generated by the site)

  • From this exchange you have a certificate filled with documents and details that you can view directly in your browser.

In fact, there are only four contents in this certificate:

  1. Which or which website the certificate is issued to
  2. The beginning and end of the validity period of the certificate
  3. A public key
  4. Issued by the

So how do we know it’s a credential?

The first user, *.juejin. Cn, is a wildcard domain name, meaning it is valid for all juejin. We are indeed visiting the domain name under juejin. Cn, credible.

The second term, expiration date, is also easy. You look up the date on your computer, September 1, 2021, and the expiration date is August 24, 2022. Okay, credible.

The third public key, save the public key.

You only know that this certificate is issued by a person called RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1. So how do we know he’s trustworthy?

  • We can see that the certificate actually consists of three parts.
  • RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1To ensure the*.juejin.cnThe certificate is valid
  • DigiCert Global Root CATo ensure theRapidSSL TLS DV RSA Mixed SHA256 2020 CA-1The certificate is valid
  • Browser full trustDigiCert Global Root CA

In this way, the dolls can ensure the validity of each certificate.

Encryption Experience

In the first communication with the nuggets, you obtained the public key in the certificate, as long as you master the method, then only the certificate owner can use the private key to open, that is to say, the data you send to the nuggets are encrypted, so how did he do it?

  • After you verify that the certificate is valid, you create a new random number(Premaster secret)And uses the public key in the digital certificate to encrypt the random number and send it out.
  • Now, when you post a request online, it’s no longer a piece of paper, it’s wrapped in an envelope. No one else on the web can see it; If the Nuggets successfully receive the letter and decrypt the envelope using their own private key. thenPremaster secretIt was successfully delivered.
  • The nuggets and I agreed according to our termsTLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256Encryption method, using the first three random numbers, generate “session key” (session key), and then encrypt the whole process of the next conversation.With all of your chats open and transparent, you successfully exchanged passwords.

  • The nuggets will then return data using session keys that no one else can decrypt while communicating with each other.

HTTPS solves the first three problems

  1. It can be intercepted and it’s encrypted with a conversation key, no longer in clear text so the other person doesn’t know what you’re talking about.

  2. Authentication Problem The trust chain of the certificate guarantees the credibility of the “public key” in the certificate, and the matching of the public key and private key also proves the identity of the gold digger.

  3. Potentially tampered communications are encrypted using the conversation key and cannot be tampered with if they cannot be read.

HTTPS is everywhere

  • To supportHTTPSWebsite, mostly rightHTTPA jump was made. When visiting nuggets, if directly in the browser typehttp://juejin.cn/, the browser will automatically jump tohttps://juejin.cn/It usually returns 301 to redirect us to the HTTPS url

Coach, I need HTTPS, too

What if I’m an individual developer and I have my own credentials for my own site?

  • First, there is no “quality” or “level” of SSL certificates, only three different onestypeYou need to apply to a CERTIFICATE Certification Authority (CA)
    1. Domain name SSL certificate (DV SSL) : The trust level is ordinary, only need to verify the authenticity of the website
    2. Enterprise SSL certificate (OV SSL) : strong trust level, need to verify the identity of the enterprise, higher security
    3. Enhanced SSL certificate (EV SSL) : The highest trust level, generally used in banks and securities and other financial institutions, the highest security, and can activate the green url bar.
  • For individual developers such as bloggers, you can use the free certificates provided by Let’s Encrypt.

Security is always relative

  • HTTPSSecurity is relative security, not becauseHTTPSThe existence of think their information will never leak, there is no absolute security of the Internet data, security is always relative.
  • HTTPSEnough security is built onCAOn the basis of trust, many CA organizations do not manage their encryption keys well, leading to the key is obtained by hackers, hackers can easily decrypt the data.
  • SSLThe certificate encrypts only the data in transit, not other data, for examplecookieandsessionAnd so on,SSLThe certificate does not encrypt it. For example, the website record page is usedHTTPSBut after login, other pages are usedHTTP. At this momentHTTPSBuilt in the environmentcookieIn thesession, but inHTTPTransmission in the environment creates the possibility of leakage.