In recent years, frequent network security incidents such as domain name hijacking and data leakage have made website security increasingly important. This has driven the web from plain HTTP to HTTPS, and then to HSTS, the policy that keeps browsers on HTTPS.
HTTP
HTTP (Hypertext Transfer Protocol) is an application-layer protocol for distributed, collaborative, hypermedia information systems, and the foundation of data communication on the Web. Its standards were developed under the coordination of the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF) and published as a series of RFCs. RFC 2616, published in June 1999, defined the widely used HTTP/1.1 (it has since been superseded by the RFC 7230 series in 2014 and by RFC 9110 to 9112 in 2022).
HTTP Access Procedure
HTTP is an application-layer protocol in the TCP/IP model. When a browser talks to a server, a TCP connection must be established before the server can receive the browser's request. After receiving the request, the server returns a response message. Finally, the browser receives the response and interprets the data.
△ HTTP 1.0 request mode
Under HTTP/1.0, the browser had to open a separate TCP connection for every request, which wasted resources.
HTTP/1.1 later introduced persistent connections, so several requests can be served over one connection, and pipelining, so requests can be sent without waiting for the previous response.
△ HTTP 1.1 request mode
HTTP Protocol Features
- Simple, fast and flexible: to send a request, a client only has to supply a request method and a path. HTTP can carry any type of data object, the protocol is easy to implement, and HTTP servers can be small, which keeps communication fast;
- Connectionless and stateless: in HTTP/1.0 each connection carries a single request, and the server closes the connection after responding, which saves transmission time per request. HTTP is also stateless: the protocol keeps no memory of earlier transactions, so any information a later request depends on must be sent again (which is why cookies and server-side sessions exist);
- Pipelining and content encoding: HTTP/1.1 added persistent connections and pipelining, which let a client send several requests on one connection without waiting for each response, and content encodings such as gzip, which compress large message bodies to reduce transfer time;
- HTTP follows the client/server model.
From HTTP to HTTPS
HTTP has long been used for data transfer between web servers and browsers because it is simple, fast and cheap. But its transport has an obvious weakness: HTTP is a plaintext protocol, and the data is neither encrypted nor authenticated in any way. Anyone who can capture the packets between browser and server (on a shared Wi-Fi network, at an ISP, or at any router on the path) can read them directly, and also alter them, exposing both site and user data. HTTP is therefore unsuitable for sensitive information, which is why HTTPS (Hypertext Transfer Protocol Secure) was introduced.
HTTPS
Hypertext Transfer Protocol Secure (HTTPS) is HTTP carried over an encrypted transport. A TLS layer (formerly SSL) sits between HTTP and TCP to protect the confidentiality and integrity of the exchanged data and to authenticate the web server to the browser. Simply put, it is the secure version of HTTP.
△ Difference between HTTP and HTTPS
HTTPS Access Procedure
Before any application data is sent, the browser and the web server perform a TLS handshake to authenticate the server and agree on the session keys. The steps below describe the classic RSA key-exchange handshake (TLS 1.2 and earlier); TLS 1.3, and most TLS 1.2 deployments today, use ephemeral (EC)DHE key agreement instead, but the overall shape is the same.
The specific process is as follows:
1. The browser sends a ClientHello listing the TLS versions, cipher suites and hash algorithms it supports, together with a random value;
2. The server picks one cipher suite and hash algorithm from that list and returns its own random value together with its certificate (issuing CA, validity period, public key, subject name, CA signature, and so on);
3. The browser validates the certificate: the chain must lead to a CA in the browser's trust store, the certificate must be within its validity period and not revoked, and its name must match the host being visited. A trusted certificate is shown with a lock indicator in the address bar; otherwise the browser shows a warning. If the certificate is trusted, the browser generates a random pre-master secret, encrypts it with the public key from the certificate and sends it to the server. Both sides derive the symmetric session keys from the pre-master secret and the two random values, and the browser sends a Finished message: a keyed MAC, computed with the agreed hash algorithm, over the hash of every handshake message exchanged so far;
4. The server decrypts the pre-master secret with its private key, derives the same session keys, and checks the browser's Finished message against its own record of the handshake. A mismatch (for example because someone on the path altered the offered cipher suites) aborts the connection. The server then sends its own Finished message, computed the same way;
5. Finally, the browser verifies the server's Finished message. If it matches, both sides switch to the negotiated symmetric cipher with the keys derived in step 3 and exchange the HTTP data over it.
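The following is an added example, not code from the original article, that models the five steps above in the stdlib only. It uses textbook RSA with a tiny constructed keypair and no padding, so it is illustrative and insecure; the cipher-suite names are made-up labels, and certificate-chain validation against a CA is not modelled. What it does show is why the Finished messages in steps 3 to 5 matter: each side MACs its own view of the handshake transcript, so an on-path attacker who rewrites the ClientHello to strip the strong cipher suites is caught even though both sides derive the same key.

```python
"""Toy model of the RSA key-exchange handshake (added example, insecure by design)."""
import hashlib
import hmac
import secrets

# Constructed toy keypair (textbook example p=61, q=53): n=3233, e=17, d=2753.
SERVER_PUB = (3233, 17)      # (modulus n, public exponent e): what the certificate carries
SERVER_PRIV = (3233, 2753)   # (modulus n, private exponent d): never leaves the server
SERVER_CIPHERS = ["AES256-GCM", "AES128-GCM", "3DES"]   # server preference order (labels only)


def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def derive_key(premaster, client_random, server_random):
    """Stand-in for the TLS PRF: session key from the pre-master secret and both randoms."""
    return hashlib.sha256(premaster.to_bytes(2, "big") + client_random + server_random).digest()


def finished(key, transcript, label):
    """Finished message: keyed MAC over the hash of all handshake messages seen so far."""
    return hmac.new(key, label + hashlib.sha256(transcript).digest(), hashlib.sha256).digest()


def handshake(client_ciphers, mitm_rewrite=None):
    """Run steps 1-5. mitm_rewrite, if given, is applied to the ClientHello the server
    receives, modelling an attacker sitting between browser and server."""
    # Step 1: ClientHello with the browser's random value and its supported cipher suites.
    client_random = secrets.token_bytes(32)
    client_hello = (b"ClientHello:" + client_random.hex().encode() + b":"
                    + ",".join(client_ciphers).encode())
    client_transcript = client_hello
    seen_by_server = mitm_rewrite(client_hello) if mitm_rewrite else client_hello
    server_transcript = seen_by_server
    _, random_hex, offered_raw = seen_by_server.split(b":", 2)
    server_view_client_random = bytes.fromhex(random_hex.decode())

    # Step 2: the server picks the first cipher in its own preference order that was
    # offered, and sends its random value plus its "certificate" (here just the public key).
    offered = offered_raw.decode().split(",")
    chosen = next((c for c in SERVER_CIPHERS if c in offered), None)
    if chosen is None:
        raise ValueError("no common cipher suite")
    server_random = secrets.token_bytes(32)
    server_hello = (b"ServerHello:" + server_random.hex().encode() + b":" + chosen.encode()
                    + b":" + repr(SERVER_PUB).encode())
    client_transcript += server_hello
    server_transcript += server_hello

    # Step 3: the browser picks a pre-master secret, encrypts it to the server's public
    # key, derives the session key and sends its Finished message.
    premaster = 2 + secrets.randbelow(SERVER_PUB[0] - 2)
    client_key_exchange = rsa_encrypt(SERVER_PUB, premaster).to_bytes(2, "big")
    client_transcript += client_key_exchange
    server_transcript += client_key_exchange
    client_key = derive_key(premaster, client_random, server_random)
    client_fin = finished(client_key, client_transcript, b"client finished")

    # Step 4: the server decrypts the pre-master secret, derives the same key, checks the
    # browser's Finished against *its own* transcript, then sends its own Finished.
    server_premaster = rsa_decrypt(SERVER_PRIV, int.from_bytes(client_key_exchange, "big"))
    server_key = derive_key(server_premaster, server_view_client_random, server_random)
    server_accepts = hmac.compare_digest(
        client_fin, finished(server_key, server_transcript, b"client finished"))
    server_fin = finished(server_key, server_transcript + client_fin, b"server finished")

    # Step 5: the browser checks the server's Finished; only then does application data flow.
    client_accepts = hmac.compare_digest(
        server_fin, finished(client_key, client_transcript + client_fin, b"server finished"))
    return {"cipher": chosen, "keys_match": client_key == server_key,
            "server_accepts": server_accepts, "client_accepts": client_accepts}


if __name__ == "__main__":
    offer = ["AES256-GCM", "AES128-GCM", "3DES"]
    print("honest path:      ", handshake(offer))
    # Attacker deletes the strong suites from the ClientHello before the server sees it.
    strip = lambda hello: hello.replace(b"AES256-GCM,AES128-GCM,", b"")
    print("downgrade attempt:", handshake(offer, mitm_rewrite=strip))
```

In the honest run both Finished checks pass and the strongest suite is chosen. In the downgrade run the server selects 3DES, and although both sides hold the same key, both Finished checks fail because the two transcripts differ, which is exactly the property that stops a silent cipher-suite downgrade in real TLS.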
HTTPS encryption algorithm
To protect data, HTTPS combines several kinds of cryptographic algorithms:
1. Symmetric encryption: encryption and decryption use the same key; there are stream ciphers and block ciphers.
For example, DES (obsolete), AES-GCM and ChaCha20-Poly1305 (the last two are authenticated-encryption modes that protect integrity as well as confidentiality).
2. Asymmetric encryption: the encryption and decryption keys differ and are called the public key and the private key. The public key and the algorithm are public, while the private key stays secret. Asymmetric algorithms are far slower than symmetric ones and can only process a small amount of data per operation (an RSA operation handles at most one modulus-sized block), so they are used to authenticate the server and to establish a symmetric session key, not to encrypt the traffic itself.
For example, RSA (encryption and signatures), DSA and ECDSA (signatures only), and DH and ECDHE (key agreement).
3. Hash algorithm: maps input of arbitrary length to a fixed-length value, usually much shorter than the input, in a way that is one-way (the input cannot be recovered) and collision-resistant.
For example, MD5 and SHA-1 (both broken and no longer acceptable for certificates or signatures), and the SHA-2 family, of which SHA-256 is the common member.
4. Digital signature: the sender hashes the message and signs the hash with its private key; the signature travels with the message, and anyone holding the public key can verify that the message is unmodified and comes from the key holder. In HTTPS this is how a CA vouches for a certificate and how the server proves possession of its private key during the handshake.
From the HTTPS to HSTS
But when the web protocol goes from HTTP to HTTPS, is the data really secure?
When users want to visit a website, they usually type only the domain name into the address bar, without http:// or https://, and the browser fills in the scheme; historically, browsers filled in http:// by default. The site administrator then normally returns a 301/302 redirect from the HTTP URL to the HTTPS one. But that first request and the redirect response travel over plaintext HTTP, so an attacker on the path can intercept them and keep the user on HTTP, or send them elsewhere, instead of letting the upgrade happen.
This is where HSTS (HTTP Strict Transport Security) comes in.
△ HTTP request hijacking
HSTS
HSTS (HTTP Strict Transport Security) is a web security policy mechanism standardized by the IETF in RFC 6797. Once a site has declared HSTS, the browser rewrites every http:// request to that site into https:// before it leaves the machine, so users never need to type https in the address bar and, for the lifetime of the policy, are never sent to the site over plaintext. On an HSTS host the browser also refuses to let the user click through certificate errors. The remaining gap is the very first visit, before the header has ever been received, which the browsers' built-in preload list is meant to close.
HSTS principle
HSTS controls the browser's behaviour through a response header sent by the server:
1. Add the HSTS response header to the server's HTTPS responses:
Strict-Transport-Security: max-age=expireTime [; includeSubDomains] [; preload]
This header is only honoured when it arrives in a response received over HTTPS (a browser ignores it on a plain HTTP response); the brackets mark optional directives. max-age is the time in seconds for which the browser must remember the policy, includeSubDomains extends the policy to all subdomains, and preload signals consent to be included in the browsers' built-in preload list;
2. Choose max-age carefully. Once a browser has stored the policy it cannot be undone from the server side until it expires (other than by serving max-age=0 over HTTPS), so a misconfigured site with a long max-age locks users out. Start with a short value while rolling out, and raise it to a year or more once HTTPS is known to work across the whole site;
3. The next time the user types an http:// address for that host or follows an http:// link, the browser rewrites it to https:// internally before sending anything; Chrome's developer tools show this as a "307 Internal Redirect" response, which never actually crosses the network;
4. The web server therefore only ever receives HTTPS requests from that browser; the plaintext round trip disappears.
With HSTS enabled, the site is protected against the downgrade man-in-the-middle attack described above, and returning visitors skip the 301/302 redirect round trip, which improves both security and user experience.
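As an added example (not code from the original article), the following implements the client side of the procedure above the way RFC 6797 specifies it, using only the Python standard library: parsing the Strict-Transport-Security header, the browser's store of known HSTS hosts with expiry and includeSubDomains, the internal http:// to https:// rewrite of step 3, and a check of a policy against the public thresholds that hstspreload.org and the SSL Labs A+ grade discussed below require. The host names and header values in the usage are constructed for illustration.

```python
"""Client-side HSTS handling following RFC 6797 (added example)."""
import ipaddress
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security field value (RFC 6797 s6.1): directives are
    ';'-separated, names are case-insensitive, each may appear at most once, max-age is
    required (its value may be quoted), unknown directives are ignored. Returns None for
    an invalid header, which a browser then ignores entirely."""
    seen = {}
    for raw in header.split(";"):
        part = raw.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in seen:                     # duplicate directive: whole header is invalid
            return None
        seen[name] = value.strip().strip('"')
    if not seen.get("max-age", "").isdigit():
        return None
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class HstsStore:
    """What the browser remembers: host -> (expiry time, includeSubDomains flag)."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be exercised offline
        self.hosts = {}

    def observe(self, url, headers):
        """Apply the header from a response. RFC 6797 s8.1: honoured only when the response
        arrived over HTTPS, and never for a host given as an IP literal. Returns True if
        the store changed."""
        parts = urlsplit(url)
        host = parts.hostname
        if parts.scheme != "https" or not host or _is_ip_literal(host):
            return False
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        policy = parse_hsts(value) if value is not None else None
        if policy is None:
            return False
        if policy["max_age"] == 0:           # max-age=0 tells the client to forget the host
            return self.hosts.pop(host, None) is not None
        self.hosts[host] = (self.now() + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host):
        """Exact match, or a superdomain whose policy carries includeSubDomains.
        Expired entries are dropped on the way."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.hosts.get(candidate)
            if entry is None:
                continue
            expires, include_sub = entry
            if expires <= self.now():
                del self.hosts[candidate]
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Step 3 of the text: an http:// URL for a known host is upgraded before any
        request leaves the browser (DevTools shows it as '307 Internal Redirect').
        Port 80 becomes the default 443; any other explicit port is kept (RFC 6797 s8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def deployment_check(policy):
    """Compare a parsed policy with public thresholds: SSL Labs counts HSTS as 'long
    duration' (required for A+) from 180 days; hstspreload.org requires at least one year,
    includeSubDomains and the preload token before a domain may be submitted."""
    return {"long_duration": policy["max_age"] >= 180 * 86400,
            "preload_eligible": (policy["max_age"] >= 31536000
                                 and policy["include_subdomains"] and policy["preload"])}
```

Note what the store does not do: before the first HTTPS response from a host has been seen, rewrite() leaves the http:// URL alone, which is precisely the first-visit window that the preload list exists to close.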
Evaluating the website's security grade after enabling HSTS
After enabling HSTS you can test the site with SSL Labs, and the grade improves further: SSL Labs only awards A+ to sites that serve HSTS with a long max-age (at least 180 days).
Before the header is enabled, the grade is A.
After it is enabled, the grade changes to A+.
Conclusion
From HTTP to HTTPS to HSTS, each step has raised website security: HTTPS stops eavesdropping on and tampering with the connection, and HSTS closes the plaintext-redirect window through which those protections could be stripped. Against DNS hijacking in particular, HSTS means that steering a user to an attacker's server no longer works unless the attacker also holds a certificate the browser trusts.
Copyright notice: this article was republished from the web and the copyright belongs to the original author. Please credit the source when reposting; if you have any questions, please contact us. Thank you!