tags: HTTP



HTTP is not secure enough

  • Communication is in plaintext [the content is not encrypted]
  • The identity of the other party is not verified, so the client and the server will communicate with anyone
  • The integrity of a message cannot be proven

Generally, when we browse the web, a packet capture tool can easily obtain the contents of HTTP requests; this is unavoidable in TCP/IP network communication.

If we encrypt only the HTTP message content, that is content encryption and nothing more. Someone else can still get hold of the encrypted HTTP message, and even if they cannot decrypt it, they can still tamper with it.
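The point above, as an added example that is not part of the original article: a message protected by encryption alone is accepted after a one-bit change in transit, while the same change is rejected once a MAC is checked before decryption. The cipher is a toy stand-in built from SHA-256, and all function names and the sample request are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Illustration only, not for production."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(enc_key: bytes, mac_key: bytes, body: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256(nonce || ciphertext)."""
    nonce = secrets.token_bytes(16)
    ct = keystream_xor(enc_key, nonce, body)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; raise if the message changed in transit."""
    if len(blob) < 48:
        raise ValueError("message too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return keystream_xor(enc_key, nonce, ct)

def flip_bit(blob: bytes, index: int) -> bytes:
    """Simulate a change in transit: flip the lowest bit of one byte."""
    changed = bytearray(blob)
    changed[index] ^= 0x01
    return bytes(changed)

def compare(body: bytes):
    """Return (what an encrypt-only receiver accepts, whether the MAC receiver rejects)."""
    enc_key, mac_key, nonce = (secrets.token_bytes(n) for n in (32, 32, 16))
    # Encryption only: the changed ciphertext decrypts without any error.
    ct = flip_bit(keystream_xor(enc_key, nonce, body), 0)
    accepted = keystream_xor(enc_key, nonce, ct)
    # Encrypt-then-MAC: the same kind of change fails the tag check.
    try:
        open_sealed(enc_key, mac_key, flip_bit(seal(enc_key, mac_key, body), 16))
    except ValueError:
        return accepted, True
    return accepted, False

if __name__ == "__main__":
    print(compare(b"GET /index.html HTTP/1.1"))  # constructed sample message
```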

The best we can do is to use SSL to establish a secure communication line, and then HTTP communication can be carried out on this line.

HTTPS is HTTP wrapped in SSL…

HTTPS uses a mixture of shared-key and public-key encryption. Because public-key encryption requires too many resources, it is not practical to use it for the whole conversation. Therefore, HTTPS uses public-key encryption to establish the communication line, and then uses a shared key for encryption and decryption once the connection is established.

For authentication, HTTPS relies on a certificate issued by a recognized third-party certification authority, which is used to verify that the server is valid.

On the client side, users have to buy their own certificates, which makes client certificate authentication very difficult to deploy [certificates cost money].

Therefore, most websites use form-based authentication, which is the most widely used form of client-side authentication.
