Differences between HTTP and HTTPS
Observe the two pictures above: the first visits the domain http://web.4399.com/, and the Chrome browser warns that the connection is not secure; the second visits the official website of Guangdong Ocean University, https://gdou.edu.cn, and the browser shows it as secure. Why?
1. The history of HTTP and HTTPS
What is the HTTP protocol?
HTTP (HyperText Transfer Protocol) is a request/response-based, stateless, application-layer protocol. It is usually carried over TCP/IP, is the most widely used network protocol on the Internet, and all WWW files must comply with this standard. HTTP was originally designed as a way to publish and receive HTML pages.
History of the HTTP protocol:
Version | Year | Content | Status
---|---|---|---
HTTP/0.9 | 1991 | Does not cover packet transmission; defines the communication format between client and server. Only GET requests can be used | Never a formal standard
HTTP/1.0 | 1996 | The format of the transmitted content is no longer restricted. The PUT, PATCH, HEAD, OPTIONS and DELETE commands are added | Formally a standard
HTTP/1.1 | 1997 | Adds persistent (long) connections, bandwidth saving, the Host field, the pipelining mechanism and chunked transfer coding | The most widely used version as of 2015
HTTP/2.0 | 2015 | Multiplexing, server push, header compression, binary protocol, etc. | Gradually covering the market
Multiple request-response messages
HTTP Packet Format
2. HTTP VS HTTPS
The characteristics of HTTP
- Stateless: the HTTP protocol stores no state for the client and has no "memory" of earlier exchanges, so every request reaches the server as if from a brand-new client.
- Connectionless: before HTTP/1.1, each request needed its own TCP connection, which means a three-way handshake to open it and a four-way close to tear it down.
- Request/response based: the client initiates a request and the server responds.
- Plaintext communication: the request and response are sent in the clear, so neither party is authenticated and the integrity of the data cannot be guaranteed.
Result analysis: the capture shows that all data transmitted over HTTP appears in plaintext.
Some solutions to statelessness:
- Cookie/Session technology.
- HTTP/1.1 keep-alive: the TCP connection is kept open as long as neither end explicitly asks to disconnect. `Connection: keep-alive` in the request header field indicates that a persistent connection is used.
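To make the three points above concrete (plaintext on the wire, the Host field introduced in HTTP/1.1, and the keep-alive rule), here is an added example that is not part of the original post: a small parser for a raw HTTP/1.1 request exactly as it would appear in a packet capture. The request bytes and the host name are constructed samples.

```python
"""Added example (not the blog's code): parse a raw HTTP/1.1 request the way
it travels over a plain TCP connection, and apply the persistence rule."""

# Constructed sample of what a packet capture of plain HTTP shows: every byte,
# including the session cookie, is readable by anyone on the network path.
RAW_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Connection: keep-alive\r\n"
    b"Cookie: sessionid=abc123\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> dict:
    """Split the request line and header lines; header names are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def missing_host(req: dict) -> bool:
    """HTTP/1.1 requires a Host header (one server IP may host many names);
    a compliant server answers 400 Bad Request when it is absent."""
    return req["version"] == "HTTP/1.1" and "host" not in req["headers"]


def is_persistent(version: str, headers: dict) -> bool:
    """HTTP/1.1 keeps the TCP connection open unless 'Connection: close' is sent;
    HTTP/1.0 closes it after each response unless 'Connection: keep-alive' is sent."""
    conn = headers.get("connection", "").lower()
    if version == "HTTP/1.1":
        return conn != "close"
    return conn == "keep-alive"


def plaintext_credentials(raw: bytes) -> dict:
    """Return the credential-bearing headers that plain HTTP exposes on the path,
    which is the reason the state carried by cookies needs HTTPS underneath."""
    req = parse_request(raw)
    return {k: v for k, v in req["headers"].items()
            if k in ("cookie", "authorization")}


if __name__ == "__main__":
    req = parse_request(RAW_REQUEST)
    print(req["method"], req["target"], req["version"])
    print("persistent:", is_persistent(req["version"], req["headers"]))
    print("visible credentials:", plaintext_credentials(RAW_REQUEST))
```

Running it shows the request line, `persistent: True`, and the cookie value in the clear; swapping the version to HTTP/1.0 without a `Connection` header flips the persistence result to false.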
The characteristics of HTTPS
HTTPS is HTTP over SSL/TLS: the SSL/TLS layer encrypts the data, verifies the identity of the other party and protects data integrity.
It is not plaintext transmission:
- Content encryption: hybrid encryption is used, so a party in the middle cannot read the plaintext directly.
- Authentication: the server's certificate lets the client verify that it is talking to the genuine server.
- Data integrity: prevents the transmitted content from being impersonated or tampered with by a man in the middle.
To learn more about HTTPS, you need to know some encryption methods:
Symmetric encryption: the client and server use the same key, hence the name. There is only one key, the secret (private) key shared by both sides. Commonly used symmetric algorithms include DES, AES and 3DES.
Asymmetric encryption: encryption and decryption use different keys. One is distributed to trusted clients as the public key and the other is stored on the server as the private key. Information encrypted with the public key can only be decrypted with the private key, and information encrypted with the private key can only be decrypted with the public key. Common asymmetric algorithms are RSA and ECC.
The simplest asymmetric encryption flow:
HTTPS encryption mode
Hybrid encryption: a combination of symmetric and asymmetric encryption. Client A uses the symmetric key to encrypt the plaintext, producing ciphertext 1.0, and then uses B's public key to encrypt that ciphertext, producing ciphertext 2.0. Client B uses B's private key to decrypt ciphertext 2.0 back into ciphertext 1.0, and then uses the symmetric key to decrypt ciphertext 1.0 into the plaintext. Even if a hacker intercepts the traffic, without the corresponding private key they cannot decrypt ciphertext 2.0, so they cannot obtain ciphertext 1.0, let alone the plaintext.
Digital digest: a one-way hash function is applied to the original text, turning the plaintext to be protected into a fixed-length string (the digital digest). Different plaintexts produce different digests, the same plaintext hashed with the same function always produces the same digest, and the plaintext cannot be recovered from the digest.
Digital signature: built on public-key cryptography and combined with hybrid encryption and the digital digest, a digital signature is the digest of the plaintext encrypted with the sender's private key, so that anyone holding the public key can check who sent the text and whether it was altered. The purpose of the technique is to further improve the security of the plaintext.
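The three ideas above (hybrid encryption, digital digest, digital signature) can be walked through end to end in a few dozen lines. The following is an added example, not code from the original post, built from Python's standard library only. Its "RSA" is textbook RSA on hard-coded Mersenne primes and its symmetric cipher is a SHA-256 keystream: both are illustrative stand-ins for real RSA with padding and for AES, chosen so that the flow runs offline without extra libraries.

```python
"""Added example (not the blog's code): hybrid encryption + digital digest +
digital signature, end to end. Toy primitives, for illustration only."""
import hashlib
import secrets

E = 65537


def rsa_keygen(p, q, e=E):
    """Textbook RSA key pair from two known primes (toy sizes, no padding)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (e, n), (d, n)          # (public key, private key)


def rsa_apply(key, m):
    """Encrypt/decrypt/sign/verify are all one modular exponentiation."""
    exp, n = key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, exp, n)


def keystream_xor(key, data):
    """Toy symmetric cipher: XOR with SHA-256(key || counter) blocks.
    Being symmetric, the same call both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def digest_as_int(data):
    """Digital digest: fixed-length one-way hash. The toy modulus is only
    ~150 bits, so only the first 16 bytes of SHA-256 are signed here."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def sign(priv_key, data):
    """Digital signature: the digest encrypted with the sender's private key."""
    return rsa_apply(priv_key, digest_as_int(data))


def verify(pub_key, data, signature):
    """Anyone with the public key can recover the digest and compare it."""
    return rsa_apply(pub_key, signature) == digest_as_int(data)


def hybrid_encrypt(receiver_pub, sender_priv, plaintext):
    """Client A: symmetric-encrypt the text (ciphertext 1.0), wrap the
    symmetric key with B's public key (ciphertext 2.0), and sign the text."""
    sym_key = secrets.token_bytes(16)
    ciphertext_1 = keystream_xor(sym_key, plaintext)
    ciphertext_2 = rsa_apply(receiver_pub, int.from_bytes(sym_key, "big"))
    return ciphertext_1, ciphertext_2, sign(sender_priv, plaintext)


def hybrid_decrypt(receiver_priv, sender_pub, ciphertext_1, ciphertext_2, signature):
    """Server B: unwrap the symmetric key with the private key, decrypt the
    text, then check the signature. Returns None if anything was tampered."""
    sym_key = rsa_apply(receiver_priv, ciphertext_2).to_bytes(16, "big")
    plaintext = keystream_xor(sym_key, ciphertext_1)
    return plaintext if verify(sender_pub, plaintext, signature) else None


# Hard-coded Mersenne primes (a real deployment generates 2048-bit+ primes).
SERVER_PUB, SERVER_PRIV = rsa_keygen(2**61 - 1, 2**89 - 1)
CLIENT_PUB, CLIENT_PRIV = rsa_keygen(2**107 - 1, 2**127 - 1)


def demo(message=b"GET /account HTTP/1.1 (constructed sample)"):
    """Return (plaintext recovered by B, result after a middleman flips one bit)."""
    c1, c2, sig = hybrid_encrypt(SERVER_PUB, CLIENT_PRIV, message)
    ok = hybrid_decrypt(SERVER_PRIV, CLIENT_PUB, c1, c2, sig)
    tampered = bytes([c1[0] ^ 0x01]) + c1[1:]
    bad = hybrid_decrypt(SERVER_PRIV, CLIENT_PUB, tampered, c2, sig)
    return ok, bad


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the original message as the first element and `None` as the second: the flipped bit changes the decrypted text, its digest no longer matches the signed digest, and the receiver rejects it, which is exactly the integrity property the signature adds on top of the encryption.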
Hybrid encryption process diagram:
Digital signature Process
3. HTTP communication transmission
4. Implementation principle of HTTPS
- The client sends a request to the server for https://baidu.com and connects to port 443 of the server. The information sent consists mainly of random value 1 and the encryption algorithms supported by the client.
- After receiving this, the server responds with its handshake information, including random value 2 and the negotiated encryption algorithm. The chosen algorithm must be one of those the client sent to the server.
- The server then sends a second response packet containing its digital certificate. The server must have a certificate, which it can either issue itself or apply for from a certificate authority. The difference is that a self-issued certificate triggers a browser warning that the client must accept before continuing, while a certificate issued by a trusted authority shows no prompt page. The certificate corresponds to a public/private key pair: what is sent is the public key together with a lot of information, such as the issuer, the expiration time, the server's public key, the signature of the third-party certificate authority (CA) and the server's domain name.
- The client parses the certificate; this is done by the TLS layer on the client. It first checks whether the certificate is valid, for example the issuing authority and the expiration time. If a problem is found, a warning box says that there is a problem with the certificate. If the certificate is fine, the client generates a random value (the pre-master key).
- Once the client has verified the certificate, it assembles the session key from random value 1, random value 2 and the pre-master key. The session key material is then encrypted with the certificate's public key.
- The encrypted information is transmitted. What is sent is the session key material encrypted with the certificate, so that the server can decrypt it with its private key and obtain random value 1, random value 2 and the pre-master key.
- The server decrypts random value 1, random value 2 and the pre-master key, and assembles the session key, which is identical to the client's session key.
- The client encrypts a message with the session key and sends it to the server to verify that the server can receive it normally.
- Likewise, the server encrypts a message with the session key and sends it back to the client. If the client can receive it normally, the SSL connection is established.
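The nine steps above are easier to follow as two programs exchanging messages. The following is an added example, not code from the original post, that simulates the handshake with Python's standard library: the cipher-suite lists and all random values are constructed, a keyed hash stands in for the real TLS key-derivation function, and the public-key encryption of the pre-master key is abstracted away so that the negotiation rule (the server may only pick something the client offered), the key schedule from the three random values, and the final "finished" check stand out.

```python
"""Added example (not the blog's code): a simulation of the HTTPS handshake
steps, showing both sides' messages and why they end up with the same key."""
import hashlib
import hmac
import secrets

# Constructed preference lists, written in the style of TLS suite names.
CLIENT_SUITES = ["TLS_AES_128_GCM_SHA256",
                 "TLS_CHACHA20_POLY1305_SHA256",
                 "TLS_AES_256_GCM_SHA384"]
SERVER_SUITES = ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"]


def client_hello(suites=CLIENT_SUITES):
    """Step 1: random value 1 plus the algorithms the client supports."""
    return {"random1": secrets.token_bytes(32), "suites": list(suites)}


def server_hello(hello, server_suites=SERVER_SUITES):
    """Step 2: random value 2 plus ONE suite, taken from the client's list.
    A server that cannot find a common suite must abort the handshake."""
    chosen = next((s for s in server_suites if s in hello["suites"]), None)
    if chosen is None:
        raise ValueError("handshake failure: no cipher suite in common")
    return {"random2": secrets.token_bytes(32), "suite": chosen}


def derive_session_key(pre_master, random1, random2):
    """Steps 5 and 7: both sides mix the three values into the session key.
    HMAC stands in for the TLS PRF/HKDF; the two randoms make the key unique
    per connection even if a pre-master key were ever reused."""
    return hmac.new(pre_master, b"session key" + random1 + random2,
                    hashlib.sha256).digest()


def finished_mac(session_key, transcript, label):
    """Steps 8 and 9: a 'finished' message is a MAC over everything exchanged,
    keyed with the session key; it proves the peer derived the same key."""
    return hmac.new(session_key, label + transcript, hashlib.sha256).digest()


def run_handshake(client_suites=CLIENT_SUITES, server_suites=SERVER_SUITES):
    hello = client_hello(client_suites)
    reply = server_hello(hello, server_suites)
    transcript = hello["random1"] + reply["random2"] + reply["suite"].encode()

    # Step 4: the client generates the pre-master key. With RSA key exchange
    # it would now be encrypted under the certificate's public key; here it
    # is handed to the server directly so only the key schedule is shown.
    pre_master = secrets.token_bytes(48)
    client_key = derive_session_key(pre_master, hello["random1"], reply["random2"])
    server_key = derive_session_key(pre_master, hello["random1"], reply["random2"])

    client_fin = finished_mac(client_key, transcript, b"client finished")
    server_accepts = hmac.compare_digest(
        client_fin, finished_mac(server_key, transcript, b"client finished"))
    server_fin = finished_mac(server_key, transcript, b"server finished")
    client_accepts = hmac.compare_digest(
        server_fin, finished_mac(client_key, transcript, b"server finished"))

    # An on-path observer sees random1 and random2 but never the pre-master
    # key, so any pre-master it guesses yields a different session key.
    observer_key = derive_session_key(secrets.token_bytes(48),
                                      hello["random1"], reply["random2"])
    return {"suite": reply["suite"],
            "established": server_accepts and client_accepts,
            "observer_matches": observer_key == client_key}


if __name__ == "__main__":
    print(run_handshake())
```

With the constructed lists the server settles on `TLS_AES_256_GCM_SHA384` (its own first preference that the client also offered), both finished checks pass, and the observer's key never matches; passing a server list with nothing in common raises the handshake failure instead of silently picking an unsupported algorithm.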
Refer to the blog: blog.csdn.net/xiaoming100…
If there is infringement, please immediately notify the author, immediately delete this post, only for learning exchange, reprint please explain the source! Welcome to exchange ~