1. Disadvantages of HTTP

HTTP has these major weaknesses:

  • Communication is in clear text (not encrypted), so its content can be eavesdropped on
  • The identity of the communicating party is not verified, so the other end may be an impostor pretending to be the intended server or client
  • The integrity of a message cannot be proved, so it may have been tampered with in transit

2. HTTPS

To solve these problems in a unified manner, encryption and authentication mechanisms are added to HTTP to form HTTP Secure (HTTPS).

HTTPS is not a new protocol at the application layer. Instead, the interface HTTP uses for communication is replaced by the Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocols. Usually HTTP talks directly to TCP; when SSL is used, HTTP talks to SSL first, and SSL then talks to TCP.

With SSL, HTTP gains encryption, certificates (authentication of the other party), and integrity protection.

SSL is independent of HTTP. Besides HTTP, other application-layer protocols such as SMTP and Telnet can also run over SSL. SSL is arguably the most widely used network security technology in the world today.

3. Encryption method

1. Common-key cryptosystem, also known as symmetric-key encryption:

Encryption and decryption use the same key, so after encrypting, the key itself must also be delivered to the other party. If the communication is monitored, the key falls into the attacker's hands, and the attacker can then decrypt the messages.

2. Public-key cryptography, also known as asymmetric-key encryption:

Use an asymmetric pair of keys, a private key and a public key. The private key must not be known to anyone else, whereas the public key can be distributed at will. The sender encrypts the message with the other party's public key; after receiving the encrypted message, the other party decrypts it with its own private key. In this way, the private key never has to be sent, which keeps the information secure.

Symmetric encryption alone is not secure, because the key has to be shared; asymmetric encryption is highly secure but consumes far more CPU and is inefficient, which hurts performance. HTTPS therefore uses a hybrid encryption mechanism: asymmetric encryption is used for the key exchange, and symmetric encryption is used for the packets exchanged afterwards.

The transmitted data is encrypted with a symmetric key, and that symmetric key is in turn encrypted with the other party's asymmetric public key:

  • Obtain the other party's asymmetric public key A
  • Encrypt the data with a symmetric key B
  • Encrypt key B with public key A to obtain the encrypted key C
  • Transmit the data encrypted under key B together with C; only the holder of the private key matching A can recover B and read the data

4. The certificate

Unfortunately, public-key encryption still has a problem: it cannot prove that a public key is the genuine one. For example, if you are going to establish communication with a server in public-key encryption mode, how can you prove that the public key you received is the one issued by the server you originally expected? Perhaps an attacker replaced the real public key while it was in transit.

To address this, public-key certificates issued by certificate authorities (CAs) and their affiliated organizations can be used.

A digital certificate authority is in the position of a trusted third party for both the client and the server.

The server sends the public-key certificate (digital certificate) issued by the digital certificate authority to the client in order to communicate in public-key encryption mode. The client receiving the certificate verifies the digital signature on it with the certificate authority's public key. Once that verification succeeds, the client knows two things: the public key that signed the certificate belongs to a valid, trusted certificate authority, and the server's public key is therefore reliable.

5. HTTPS communication procedure

  1. The client sends a Client Hello packet to start SSL communication. The packet contains the SSL version supported by the client and a list of cipher suites (encryption algorithms, key lengths, and so on)
  2. If SSL communication is possible, the server responds with a Server Hello packet. As with the client, the message contains the SSL version and a cipher suite; the server's choice is selected from the list the client sent
  3. The server then sends a Certificate packet, which contains its public-key certificate
  4. Finally, the server sends a Server Hello Done packet to notify the client that the initial SSL handshake negotiation is complete
  5. After the first part of the SSL handshake is complete, the client responds with a Client Key Exchange packet. The packet contains a random string called the pre-master secret, which is used to derive the keys for communication encryption. The message is encrypted with the public key from the certificate in step 3
  6. The client then sends a Change Cipher Spec packet. It tells the server that the communication after this packet is encrypted with keys derived from the pre-master secret
  7. The client sends a Finished packet. The packet contains a checksum over all handshake packets exchanged so far. Whether the handshake negotiation succeeds depends on whether the server can decrypt this packet correctly
  8. The server also sends a Change Cipher Spec packet
  9. The server also sends a Finished packet
  10. Once the server and client have exchanged Finished packets, the SSL connection is established. From here on the communication is protected by SSL, and the application-layer protocol starts, that is, HTTP requests are sent
  11. Application-layer protocol communication, that is, sending HTTP requests and responses
  12. Finally, the client disconnects. A close_notify packet is sent when the connection is closed

2019.7.11 update, a plain-language version of the same procedure:

  1. First, the client contacts the server. The client generates a random number A and sends A, its supported SSL version, and its supported encryption algorithms to the server
  2. After receiving this information, the server confirms the encryption algorithms both sides support. The server then generates a random number B and sends B together with its CA-issued certificate to the client
  3. After obtaining the certificate, the client verifies its validity. Once verification succeeds, the client generates a random number C, encrypts C with the public key in the certificate, and sends it to the server
  4. The server receives the encrypted random number C and decrypts it with its private key to obtain the real C
  5. Both client and server now hold the random numbers A, B, and C, and both use these three values to generate the same session key. From then on the transmission is encrypted and decrypted with that session key (symmetric encryption; AES is generally used)
  6. The client notifies the server that subsequent communication will use the session key, and that its side of the handshake is over
  7. The server notifies the client that subsequent communication will use the session key, and that its side of the handshake is over
  8. The SSL handshake ends, and data communication over the SSL secure channel starts. The client and server both use the same session key for data communication
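The Go program below is an added walk-through of this exchange, written for this page rather than taken from any project; it also serves as the worked example for the hybrid scheme in section 3, where the symmetric key is carried under the other party's public key. It uses only the standard library. The names follow the plain-language list above: A is the client random, B the server random, and C the pre-master secret. Two things are assumptions rather than real TLS: the server's RSA key pair stands in for the public key a certificate would carry, and HMAC-SHA256 over A, B and C stands in for the TLS key schedule (the real PRF/HKDF is different, but the three inputs are the same). The request text and host name are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Constructed walk-through: RSA carries the pre-master secret (asymmetric part),
// AES-GCM carries everything after it (symmetric part).

// randomBytes draws n bytes from the system CSPRNG.
func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

// deriveSessionKey mixes client random A, server random B and pre-master C into one
// AES-256 key. Assumption: HMAC-SHA256 stands in for the TLS PRF/HKDF.
func deriveSessionKey(a, b, c []byte) []byte {
	mac := hmac.New(sha256.New, c)
	mac.Write(a)
	mac.Write(b)
	return mac.Sum(nil) // 32 bytes
}

// gcmFor builds the AEAD for a session key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// sealRecord encrypts one application record and prefixes the nonce; the GCM tag
// is the integrity protection the page lists alongside encryption.
func sealRecord(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openRecord reverses sealRecord; a wrong key or a modified byte yields an error.
func openRecord(key, record []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	n := gcm.NonceSize()
	if len(record) < n { return nil, errors.New("record too short") }
	return gcm.Open(nil, record[:n], record[n:], nil)
}

// Result records what each party ends up with.
type Result struct {
	KeysMatch        bool   // client and server derived the same session key
	ServerSawRequest string // plaintext the server recovered
	WithoutPreMaster bool   // A and B alone (all an observer sees in clear) do not decrypt
	TamperDetected   bool   // a flipped ciphertext byte is rejected
}

// Handshake runs steps 1 to 8 of the list above between an in-process client and server.
func Handshake() (Result, error) {
	var r Result
	serverRSA, err := rsa.GenerateKey(rand.Reader, 2048) // public half is what the certificate carries
	if err != nil { return r, err }
	clientRandom, err := randomBytes(32) // step 1: A, sent in clear
	if err != nil { return r, err }
	serverRandom, err := randomBytes(32) // step 2: B, sent in clear
	if err != nil { return r, err }
	preMaster, err := randomBytes(48) // step 3: C, encrypted to the server's public key
	if err != nil { return r, err }
	encC, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &serverRSA.PublicKey, preMaster, nil)
	if err != nil { return r, err }
	serverC, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverRSA, encC, nil) // step 4
	if err != nil { return r, err }
	clientKey := deriveSessionKey(clientRandom, serverRandom, preMaster) // step 5, both sides
	serverKey := deriveSessionKey(clientRandom, serverRandom, serverC)
	r.KeysMatch = bytes.Equal(clientKey, serverKey)

	request := []byte("GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n") // constructed request
	record, err := sealRecord(clientKey, request) // step 8: application data
	if err != nil { return r, err }
	pt, err := openRecord(serverKey, record)
	if err != nil { return r, err }
	r.ServerSawRequest = string(pt)

	// An observer holds A, B and encC but not C: a key derived without C opens nothing.
	_, err = openRecord(deriveSessionKey(clientRandom, serverRandom, nil), record)
	r.WithoutPreMaster = err != nil

	// Integrity: change one byte of the record and the GCM tag no longer verifies.
	tampered := append([]byte(nil), record...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = openRecord(serverKey, tampered)
	r.TamperDetected = err != nil
	return r, nil
}

func main() {
	r, err := Handshake()
	if err != nil { panic(err) }
	fmt.Printf("%+v\n", r)
}
```

The program exercises the three properties listed in section 2 in one run: confidentiality (a key derived without the pre-master secret cannot open the record), authentication of the key exchange (only the private-key holder can recover C), and integrity (the GCM tag rejects a modified byte instead of returning corrupted plaintext).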

6. Shortcomings of HTTPS

HTTPS also has some drawbacks. For example, when SSL is used, processing is slower: compared with HTTP, the network load may be 2 to 100 times greater. Because SSL requires encrypted transmission, it consumes more resources on both client and server.