With the development of the Internet for more than 20 years, everyone is used to typing HTTP urls into browser addresses. However, in the last two years, HTTPS has gradually replaced HTTP as the new darling of the transport protocol world.
As early as 2014, the “Let’s Encrypt” project operated by Internet Security Research Group(ISRG) was established to promote HTTPS for websites around the world. In June, Apple also required all IOS Apps to use HTTPS by the end of 2016; In November, Google also announced that starting in January, it would flag any website that was not properly encrypted as “unsafe.”
Solution: https://github.crmeb.net/u/demo
Last year, Taobao, Tmall also launched a huge scale of data “migration”, the goal is to switch millions of pages from HTTP to HTTPS, Internet encryption, trusted access.
More secure, more trusted, is the biggest meaning of the “S” after HTTP. HTTPS uses the SSL/TLS protocol on the basis of HTTP to verify the identity of the server and establish an SSL encryption channel between the client and server to ensure that user data is encrypted during transmission and prevent the server from being impersonated by phishing websites.
Why is HTTP obsolete? Many Internet users may not understand why their access behavior and private data are known, and why they ended up on a phishing site when they entered their domain name correctly. In the Internet world, security incidents such as data leakage, data tampering, traffic hijacking and phishing attacks occur frequently.
In the future, the Internet network links are increasingly complex, which aggravates the occurrence of security incidents. It could be the hacker sitting at the next table at Starbucks sniffing out passwords, or the home router allowing email to be tapped, or the Internet service provider secretly injecting advertising. All this was caused by the HTTP transport protocol that was open to free interconnection at the beginning of the Internet.
HTTP data streaks across the network
The defect of HTTP plaintext protocol is an important cause of security problems such as data leakage, data tampering, traffic hijacking, phishing attacks and so on. HTTP cannot encrypt data, and all communication data is streaked in plaintext on the network. Through network sniffer devices and some technical means, HTTP message content can be restored.
Web tampering and hijacking are everywhere
Tampering with webpage push advertisements can seek commercial benefits, while stealing user information can be used for precise promotion or even telecom fraud. The grey industrial chain living on traffic hijacking and data trafficking is mature and complete. Of the billions of data requests made each day, it is inevitable that a small fraction of traffic, not to mention other micro-sites, will be hijacked or tampered with, even by reputable Internet companies with sophisticated technology.
Smart phones are widespread, and WIFI access has become normal
The spread of WIFI hotspots and the addition of mobile networks magnify the risk of data hijacking and tampering. The incident of Starbucks and home router mentioned at the beginning is a very interesting example.
Free networks cannot authenticate web sites
HTTP protocol can not verify the identity of the communication party, anyone can forge a fake server to deceive users, to achieve “phishing fraud”, users can not detect.
HTTPS, what’s strong about it? We can greatly reduce the above security risks through HTTPS.
Browser display effect after various certificates are deployed.
Free SSL Digital Certificate (IE, Chrome)
OV SSL Digital Certificate (IE, Chrome)
EV SSL Digital Certificate (IE, Chrome)
The world is turning its back on HTTPS and the browser is giving HTTP pages a red card
Major browsers such as Google and Firefox will warn against HTTP pages. Firefox will warn against “submit your password using non-HTTPS” with a red block icon; Google Chrome plans to flag all HTTP sites with “Not Secure” notation.
For the average user, if the site is identified in this way, it may directly give up visiting.
The apple iOS forcibly enables the ATS standard
Apple has announced that starting January 1, 2017, all apps submitted to the App Store must have App Transport Security enabled and all connections must be encrypted using HTTPS. Including Android also put forward HTTPS requirements.
The HTTP/2 protocol supports only HTTPS
Chrome, Firefox, Safari, Opera, Internet Explorer, and Edge all require HTTPS to encrypt connections to use HTTP/2.
HTTPS improves search rankings
Google announced back in 2014 that it would make HTTPS an important factor in search rankings and index HTTPS pages first. Baidu also announced that open included HTTPS site, the HTTP version of the same domain name and HTTPS version for a site, priority included HTTPS version.
The US and UK mandate HTTPS for all government websites
The United States government requires all government websites to be website-wide HTTPS by December 31, 2016. As of July 15, 2016, 50% of government websites had achieved website-wide HTTPS. The UK government is requiring all government websites to be mandatory with site-wide HTTPS from 1 October 2016. It also plans to submit service.gov.uk to the browser manufacturer’s HSTS preload list, so government service websites can only be accessed through HTTPS.
Super permission applications prohibit HTTP connections
If you use an insecure connection to access certain browser functions, such as geo-location applications, application caching, and accessing user media, Google Chrome will block access. Starting with Google Chrome 50, geolocation apis for Web applications that do not use HTTPS will not work.
Many site owners believe that only login pages and transaction pages need HTTPS protection, but in fact, site-wide HTTPS is the best way to ensure secure and secure transmission of all user data. When HTTPS is deployed locally, there is still a risk of hijacking in the process of HTTP jumping or redirecting to HTTPS [1].
Case 1: Switch from the HTTP page to the HTTPS page
In fact, it’s rare to go directly to an HTTPS site on a PC. For example, most of alipay’s websites are redirected from Taobao. If Taobao uses the insecure HTTP protocol and injects XSS into Taobao’s pages to block access to pages that redirect to HTTPS, users will never be able to enter the secure site.
Security: How Bad Can Traffic Hijacking Be?
Even though the address bar doesn’t say HTTPS, the domain name looks correct, and most users assume it’s not a phishing site and ignore it. In other words, as long as the entry page is insecure, it doesn’t matter how secure the subsequent pages are.
Case 2: The HTTP page is redirected to the HTTPS page
Some users access a website by typing in the url. They type www.alipaly.com and hit Enter to enter. However, the browser does not know that this is an HTTPS site and uses the default HTTP to access it. However, the HTTP version of Alipay does exist, and its only function is to redirect to its own HTTPS site. Middlemen who hijack traffic detect a redirect to an HTTPS site, block the redirect command, retrieve the redirected site content themselves, and then reply to the user. As a result, the user is always on the HTTP site and can be hijacked indefinitely.
Security: How Bad Can Traffic Hijacking Be?
The whole site HTTPS can ensure that users access the website HTTPS encryption, not to middleman jump hijacking opportunities. The overseas each big famous website (PayPal, Twitter, Facebook, Gmail, Hotmail, etc.) through the Always on SSL (total station HTTPS) technical measures to ensure the safety of the user’s confidential information and trade, to prevent session hijacking and middle attack. [2]
Protect the Entire Online User Experience: With Always On SSL
So the question is, why is IT that over half of the world’s web sites still use HTTP when HTTPS is so great?
First of all, many people still feel that there is a threshold to HTTPS implementation, which is the need for an SSL digital certificate issued by an authoritative CA. In traditional mode, the selection, purchase, and deployment of certificates are time-consuming and labor-intensive. Currently, mainstream CSPS integrate SSL certificates from multiple certification authorities, making the deployment process relatively easy. The phenomenon of non-HTTPS due to inconvenience and barriers is also expected to ease.
The second is performance. HTTPS is generally believed to have a higher performance cost than HTTP. This is not the case, and users can solve this problem by optimizing performance and deploying certificates on SLB or CDN. For example, during “Double Eleven”, HTTPS taobao and Tmall still ensure smooth and smooth operation of accessing, browsing and trading on websites and mobile terminals. Many of the optimized pages performed as well or even slightly better than HTTP, so HTTPS is not slow after optimization.
Finally, safety awareness. Compared with The domestic Internet industry, the security awareness and technology application in foreign countries are relatively mature, and the HTTPS deployment trend is jointly promoted by the society, enterprises, and the government. However, HTTPS is also expected to benefit more Internet users as the country’s online security, network security and P2P regulation become more widespread.
More free welfare source resources to download address: github.crmeb.net/u/demo