This is the seventh day of my participation in the August More text Challenge. For details, see:August is more challenging
Related articles:
- Have you really figured out HTTP? (a)
- Have you really figured out HTTP? (2)
- Have you really figured out HTTP? (3)
What is HTTP? What’s the difference between HTTP and HTTPS?
1.1 HTTP
HyperText Transfer Protocol (HTTP) is a specification for network communication
In the computer and network world there are, there are different protocols such as broadcast protocol, addressing protocol, routing protocol and so on……
HTTP is A transmission protocol, that is, data is transmitted from A to B or B to A, and A and B can store many third parties, such as: A<=>X<=>Y<=>Z<=>B
The transmitted data is not binary packets in the bottom layer of the computer, but complete and meaningful data, such as HTML files, picture files, query results and other hypertext, which can be recognized by the upper application
In practice, HTTP is often used to transfer information between a Web browser and a Web server, sending content in plain text without any form of data encryption
Features are as follows:
- Support client/server mode
- Simple and fast: When a client requests service from a server, only the request method and path need to be passed. Because the HTTP protocol is simple, the program size of the HTTP server is small, so the communication speed is very fast
- Flexibility: HTTP allows the transfer of data objects of any type. The Type being transmitted is marked by content-type
- Connectionless: Connectionless means that only one request can be processed per connection. When the server finishes processing the customer’s request and receives the customer’s reply, it disconnects. In this way, transmission time can be saved
- Stateless: The HTTP protocol cannot process the request based on the previous state
1.2 the HTTPS
In the previous introduction to HTTP, you learned that HTTP transmission information sends content in clear text, which is not secure. HTTPS was created to address the insecure features of HTTP
To ensure encrypted transmission of private data, HTTP runs on secure SSL/TLS protocols, i.e. HTTPS = HTTP + SSL/TLS. SSL certificates are used to authenticate the identity of the server and encrypt the communication between the browser and the server
SSL protocol is located between TCP/IP protocol and various application-layer protocols. When establishing a connection using SSL, browsers and servers need to select a set of appropriate encryption algorithms to achieve secure communication and provide secure support for data communication
The flowchart is as follows:
- First, the client accesses the server through the URL to establish an SSL connection
- After receiving a request from a client, the server sends a certificate (including the public key) supported by the website to the client
- The server on the client starts to negotiate the security level of the SSL connection, that is, the level of information encryption
- The browser of the client establishes the session key according to the security level agreed by both parties, encrypts the session key using the public key of the website, and sends it to the website
- The server uses its own private key to decrypt the session key
- The server encrypts the communication with the client using the session key
1.3 the difference between
- HTTPS is the secure version of HTTP. Data is transmitted in plaintext and is not secure. HTTPS uses the SSL/TLS protocol for encryption and is relatively more secure
- HTTP and HTTPS use different connection modes, and the default port is different. The HTTP port is 80, and the HTTPS port is 443
- HTTPS does not perform as well as HTTP because it requires encryption and multiple handshakes
- HTTPS requires SSL, and SSL certificates cost money. The more powerful certificates cost more
Why is HTTPS safer than HTTP? How secure is HTTPS?
2.1 Security Features
In the previous article, we learned that HTTP has the following problems in communication:
- Communication is in plain text (not encrypted) and the content can be eavesdropped
- The identity of the communicating party is not verified, so it is possible to encounter disguise
The emergence of HTTPS is to solve these problems. HTTPS is built on SSL and its security is guaranteed by SSL
With SSL, HTTP has the encryption, certificate, and integrity protection features of HTTPS
Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are Security protocols that provide Security and data integrity for network communications
2.2 how to do
SSL implements these functions mainly by three means:
- Symmetric encryption: The negotiated key is used to encrypt data
- Asymmetric encryption: Implements identity authentication and key negotiation
- Algorithm: verify the integrity of information
- Digital signature: authentication
Symmetric encryption
Symmetric encryption means that encryption and decryption use the same secret key, which is symmetric. As long as the security of the key is guaranteed, the whole communication process can be said to be confidential
Asymmetric encryption
Asymmetric encryption, there are two secret keys, a public key, a private key. The two secret keys are different. The public key can be made public to anyone. The private key needs to be kept secret
Both public and private keys can be used for encryption and decryption, but the public key can be encrypted only with the private key, and the private key can be encrypted only with the public key
Mixed encryption
In HTTPS communication, symmetric encryption and asymmetric encryption are used, that is, mixed encryption
In symmetric encryption, if the security of the key can be guaranteed, the whole communication process can be said to be confidential
HTTPS uses asymmetric encryption to solve the problem of key exchange
The specific method is that the sender uses the public key of the other party to encrypt the symmetric key, and then the other party uses its private key to decrypt the symmetric key.
In this way, symmetric encryption is used for communication on the premise that the exchanged key is secure
Here’s an example:
The website keeps private keys in secret and distributes them freely on the web. All you need to do to log in to the website is to use the public key. The ciphertext can only be decrypted by the private key holder. Hackers can’t crack the cipher text because they don’t have a private key
The above method solves the data encryption, in the process of network transmission, the data may be tampered with, and hackers can forge identity to publish the public key, if you get a fake public key, then mixed encryption is not much use, your data thrown by hackers to solve
Therefore, on the basis of the above encryption still need to add integrity, authentication characteristics, to achieve real security, the implementation of this function is the abstract algorithm
The algorithm
The main means to achieve integrity is the abstract algorithm, which is often said hash function, hash function
It can be thought of as a special compression algorithm that can compress any length of data into a fixed length, unique “digest” string, as if generating a digital “fingerprint” of the data
The algorithm ensures that the “digital summary” is completely equivalent to the original text. Therefore, we can ensure data integrity by attaching a summary of the original text
For example, you send a message saying “transfer 1000 yuan” and add a summary of SHA-2. When the site receives the message, it also calculates the digest and compares the two “fingerprints”. If they are consistent, the message is complete and unaltered
A digital signature
A digital signature ensures that the message was actually signed and produced by the sender, because the sender’s signature cannot be counterfeited
The principle is actually very simple, private key encryption, public key decryption
Signatures are as public as public keys and can be accessed by anyone. But the signature can only be unsealed with the public key that corresponds to the private key, so when you get the digest and check the integrity of the original, you can prove that the message really came from you just like you signed a document
Like the message itself, since anyone can publish a public key, we also lack the means to prevent hackers from forging the public key. That is, how do you know if the public key is your public key
This is where a third party, a Certificate verification authority, is needed
CA verification mechanism
The DIGITAL Certificate Authority (CEA) stands as a third party that can be trusted by both the client and server
CA’s signature authentication requirements for the public key include serial number, purpose, issuer, valid time, etc. These are packed into a package and then signed to completely prove the various information associated with the public key, forming a “digital certificate”.
The process is as follows:
- The server operator applies to the digital Certificate authority for a public key
- After identifying the identity of the applicant, the digital certificate authority will digitally sign the public key that has been applied for
- The signed public key is then assigned and bound together by putting the public key into the public key certificate
- The server sends the digital certificate issued by the digital Certificate Authority to the client for asymmetric encryption communication
The client receiving the certificate can use the public key of the digital Certificate Authority to verify the digital signature on that certificate and, once authenticated, prove:
- The public key of the authentication server is a real and valid digital certificate authority
- The public key of the server is trustworthy
2.3 summarize
As you can see, although THERE is only one SSL difference between HTTPS and HTTP, the communication security is greatly guaranteed. The four major features of communication are solved. The solution is as follows:
- Confidentiality: hybrid algorithms
- Integrity: Summary algorithm
- Identity authentication: Digital signature
- Undeniable: digital signature
At the same time, a third-party certificate authority is introduced to ensure the security of the public key
Reference article:
- Web Front end Interview – Interviewer series