This is the sixth day of my participation in Gwen Challenge

The disadvantage of HTTP

Communications use clear text (not encryption) and the content can be eavesdropped

All objects in the network can be eavesdropped

No matter which corner of the server in the world, when communicating with the client, some network equipment, optical cable, computer and so on on the communication line can not be a personal private thing, so do not exclude a link will be malicious peep behavior.

Even encrypted communications can be monitored, but encrypted packets cannot be easily parsed.

Eavesdropping on traffic over the same segment is easy. You can catch packets using Fiddler or Wireshark.

There are two ways to encrypt communication

  1. Encrypt the communication

Such as using SSL or TLS to establish secure communication lines

  1. Encrypting packets

After the packets are encrypted, communication can be performed directly, but both the client and server must be able to decrypt and encrypt the packets. But information can be tampered with this way.

The identity of the communicating party is not verified, so it is possible to encounter camouflage

Anyone can initiate a request

HTTP protocol is very simple, no matter who sent the request will return the response, so do not confirm the communication party, there are various risks.

  • It is not possible to determine whether the Web server to which the request is sent is the one that returns the response as intended. It could be a disguised Web server.
  • It is not possible to determine whether the client to which the response is returned is the client that received the response as intended. It could be a disguised client.
  • Unable to determine whether the communicating party has access rights. Because some Web servers hold important information, they only want to give specific users permission to communicate.
  • There is no way to determine where or by whom the request came from.
  • Even meaningless requests will be accepted. Denial of Service (DoS) attacks on massive requests cannot be prevented.

Find out the other party’s credentials

Using SSL, the identity of the communicating party can be determined by certificates.

Certificates are issued by third parties and are difficult to forge.

The integrity of the message could not be verified, so it may have been tampered with

Man-in-the-middle attack

HTTP cannot confirm that the sent packet is the same as the received packet, and does not realize that the packet is tampered during sending.

How to Prevent tampering

Websites that provide file downloads usually provide the MD5 code of the file. After downloading the file, recalculating the MD5 code can tell if the file has been tampered with.

HTTP+ Encryption + Authentication + Integrity Protection =HTTPS

Public key encryption

Symmetric key encryption (shared key)

This means that encryption and decryption all use the same key. But there is a problem with this approach: how do you safely send the key to the client?

As long as the key is compromised, encryption is meaningless.

Asymmetric key encryption

The client uses the public algorithm and key for encryption, and the server uses the corresponding private key for decryption. In this way, the security of the key is ensured.

Use a hybrid encryption mechanism

Public key encryption is slower than shared key encryption, so the two methods are combined. The public key is used to send the key, and the shared key is used to transmit data.

A certificate certifying the correctness of a public key

One problem with using a public key is that you can’t verify the correctness of the public key. Has the public key been tampered with?

To solve this problem, you can use a digital Certificate Authority (CA) approach to public key certificates.

Businesses submit information to these agencies, which then create digital signatures and certificates based on this information. It is also difficult to ensure that this certificate is sent safely to the client, so some browsers have many certificates built in.

Client Certificate

The client certificate server can determine the identity of the client, but the client certificate is usually charged, often only special industries will use the client certificate, such as online banking and so on.

Is the certification body reliable?

In July 2011, hackers attacked a certification body and tampered with Google.com, causing massive user losses.