Hyper Text Transfer Protocol over Secure Socket Layer (HTTPS): HTTP with transport security, or simply "secure HTTP". Plain HTTP is transmitted in cleartext, so anyone on the network path can read or modify it, which is unacceptable wherever security matters. HTTPS is still HTTP, but the HTTP messages are carried inside an SSL/TLS session, which encrypts them and protects them against tampering. (The protocol in use today is TLS; SSL is its deprecated predecessor, and SSL 2.0 and 3.0 should no longer be enabled anywhere.)
Its functions are twofold:
1. Establish a secure channel, so that the transmitted data can neither be read nor altered in transit; 2. Confirm that the website is really the one it claims to be.
The first is achieved by encryption, through the SSL/TLS protocol; the second through the server's certificate.
Before encrypted transmission over SSL/TLS begins, the client and the server perform a handshake. Its purpose is to negotiate a session key that both parties will then use to encrypt the traffic symmetrically. To agree on that symmetric key without ever sending it in the clear, the negotiation uses asymmetric encryption and takes several round trips of messages.
Symmetric encryption uses the same key for encryption and decryption. Asymmetric encryption has two keys, a public key and a private key: data encrypted with the public key can only be decrypted with the private key, and a signature made with the private key can be verified by anyone holding the public key. Asymmetric encryption is not "more secure" in itself; its advantage is that the public key can be published, which solves the problem of distributing a shared secret. Its drawback is that it is computationally expensive and slow, so it is only suitable for small amounts of data, such as a key.
Because of this public/private key pair, asymmetric encryption is used in the handshake, and the symmetric key it produces is used for the bulk data. The handshake described here is the RSA key exchange of TLS 1.2 and earlier; it proceeds as follows: 1. The client sends the highest SSL/TLS version it supports, the list of cipher suites it supports, a freshly generated random number (the client random), and other information to the server.
2. The server replies with the chosen protocol version, the chosen cipher suite, its own random number (the server random), and other relevant information. At the same time, the server sends its certificate to the client.
3. The client uses the information sent by the server to verify the server's identity: whether the certificate has expired (or is not yet valid), whether the CA that issued it is trusted, whether the certificate's signature chain is valid, and whether the domain name on the certificate matches the domain name the client actually connected to.
4. The client generates another random value, the pre-master secret, encrypts it with the server's public key (taken from the server's certificate), and sends it to the server. The client then derives the session keys from the pre-master secret together with the client random and the server random.
5. The server decrypts the pre-master secret with its own private key and performs the same derivation, so it ends up with the same session keys as the client.
6. The handshake is complete, and from then on the server and the client use these symmetric keys for the encrypted transmission. One caveat: with this RSA key exchange, anyone who later obtains the server's private key can decrypt previously recorded traffic. Modern configurations, and TLS 1.3 always, use an ephemeral (EC)DHE key exchange instead, in which the server's key pair only signs the handshake and the session secret never travels over the wire, so past sessions stay secret even if the private key leaks (forward secrecy).
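The "after operation, get a secret key" in steps 4 to 6 is a concrete derivation, and the following added example (not code from the original article) shows it using only the Python standard library: the TLS 1.2 PRF from RFC 5246, the master secret computed from the pre-master secret and the two randoms, and the expansion into the per-direction encryption keys. The RSA encryption of the pre-master secret is not modelled; the value is simply handed from the "client" to the "server", and the key sizes assumed are those of an AES-128-GCM suite.

```python
import hashlib
import hmac
import os

# Added example, not code from the original article: the key-derivation part of the
# TLS 1.2 RSA key exchange (RFC 5246 sections 5, 8.1 and 6.3), standard library only.
# The RSA encryption of the pre-master secret is NOT modelled here.


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion from RFC 5246 section 5.

    A(0) = seed, A(i) = HMAC(secret, A(i-1)); output block i = HMAC(secret, A(i) + seed).
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def derive_master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Steps 4/5: master_secret = PRF(pre_master, "master secret", client_random + server_random)[0:48]."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def derive_keys(master_secret, client_random, server_random, key_len=16, iv_len=4, mac_len=0):
    """Step 6: key_block = PRF(master_secret, "key expansion", server_random + client_random).

    Note the reversed order of the randoms compared with the master secret. The block is
    split per RFC 5246 section 6.3. Defaults are the sizes for an AEAD suite such as
    AES_128_GCM: no MAC key, 16-byte keys, 4-byte implicit nonce part.
    """
    total = 2 * (mac_len + key_len + iv_len)
    block = prf(master_secret, b"key expansion", server_random + client_random, total)
    names = ["client_write_mac_key", "server_write_mac_key", "client_write_key",
             "server_write_key", "client_write_iv", "server_write_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def simulate_rsa_handshake(client_random=None, server_random=None, pre_master=None):
    """Run the key-agreement part of the handshake for both sides and return what each derives.

    Random values default to fresh os.urandom output; fixed values may be passed in for testing.
    """
    # Steps 1 and 2: each side contributes 32 bytes of fresh randomness in its Hello message.
    client_random = client_random or os.urandom(32)
    server_random = server_random or os.urandom(32)
    # Step 4: the client picks the 48-byte pre-master secret: 2 version bytes (0x0303 = TLS 1.2)
    # plus 46 random bytes. In the real protocol this is RSA-encrypted to the server's public key.
    pre_master = pre_master or (b"\x03\x03" + os.urandom(46))
    # Client side of step 4 and server side of step 5 combine the same three values...
    client_ms = derive_master_secret(pre_master, client_random, server_random)
    server_ms = derive_master_secret(pre_master, client_random, server_random)
    # ...so both expand the master secret into identical per-direction keys (step 6).
    client_keys = derive_keys(client_ms, client_random, server_random)
    server_keys = derive_keys(server_ms, client_random, server_random)
    # An eavesdropper sees both randoms but not the pre-master secret, and without it
    # cannot compute the master secret or any of the keys below.
    return {"client": client_keys, "server": server_keys,
            "master_secret": client_ms, "agree": client_keys == server_keys}


if __name__ == "__main__":
    result = simulate_rsa_handshake()
    print("both sides agree:", result["agree"])
    print("client_write_key:", result["client"]["client_write_key"].hex())
```

The two randoms are what make the derived keys fresh for every connection even if the same pre-master secret were ever reused, and their order differs between the "master secret" and "key expansion" steps, which is an easy mistake to make when implementing this by hand.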
In situations with stricter security requirements, such as online banking, the client also has to present a certificate (mutual TLS). In that case the client's certificate and private key are usually held on a hardware token, such as the USB key ("U shield") issued by banks.
How does the client, i.e. the browser, verify the server's certificate? Browsers (or the operating system they run on) ship with a list of trusted root CAs, and every website should use a certificate that chains up to one of these CAs. The certificates issued by a CA comply with the X.509 v3 standard and contain, among other fields, the server's public key and its domain names. If the browser finds a problem with the certificate, it does not load the page silently; it shows a certificate warning instead.
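The checks listed above (expiry, trusted issuer, domain name match) are what a TLS client performs before it trusts a certificate. The following added example, not code from the original article, reimplements the expiry and hostname checks over a constructed dictionary in the shape that Python's ssl.SSLSocket.getpeercert() returns (the names, dates and issuer are invented), including the wildcard rules of RFC 6125, and shows the client-side settings under which the ssl library performs the full chain, expiry and hostname verification itself. The chain-signature check is deliberately left to the library rather than reimplemented.

```python
import ssl
import time

# Added example, not code from the original article. A constructed dictionary in the
# shape that ssl.SSLSocket.getpeercert() returns; names, dates and issuer are invented.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Root CA"),), (("commonName", "Example Root CA"),)),
    "version": 3,
    "notBefore": "Feb 10 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com")),
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against the requested host (RFC 6125 rules).

    Case-insensitive; a wildcard is only accepted as the whole leftmost label and
    matches exactly one label, so *.api.example.com covers v1.api.example.com but
    not deep.v1.api.example.com, api.example.com, or anything under a different parent.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False  # partial wildcards such as w*.example.com, and *.com, are rejected
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """'Does the domain name on the certificate match the actual domain name?'

    When a subjectAltName extension is present it is authoritative; the subject
    commonName is only consulted for old certificates that have no SAN at all.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(dns_name_matches(p, hostname) for p in sans)
    cns = [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]
    return any(dns_name_matches(p, hostname) for p in cns)


def within_validity(cert: dict, now=None) -> bool:
    """'Has the certificate expired?' (and: is it already valid?)"""
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(cert["notBefore"]) <= now <= ssl.cert_time_to_seconds(cert["notAfter"])


def check_certificate(cert: dict, hostname: str, now=None) -> list:
    """Return the problems a browser would warn about; an empty list means acceptable.

    The remaining check from the text, that the certificate chains with valid signatures
    to a trusted CA, is not re-implemented here: that is the TLS library's job, driven
    by the trust store and the settings in default_client_context().
    """
    problems = []
    if not within_validity(cert, now):
        problems.append("expired or not yet valid")
    if not hostname_matches(cert, hostname):
        problems.append("hostname mismatch")
    return problems


def default_client_context() -> ssl.SSLContext:
    """Client settings under which the library verifies chain, expiry and hostname:
    verify_mode CERT_REQUIRED, check_hostname on, platform root CAs loaded.
    ssl.create_default_context() sets all of these."""
    return ssl.create_default_context()


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True when the context will reject untrusted, expired or mismatched server certificates."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    for host in ("www.example.com", "v1.api.example.com", "deep.v1.api.example.com", "example.com"):
        print(host, check_certificate(SAMPLE_CERT, host) or "ok")
    print("default context verifies peer:", context_verifies_peer(default_client_context()))
```

The practical lesson is the last two functions: application code should not hand-roll these checks at all, but it must make sure they are switched on. A context created with ssl.SSLContext() directly, or one where verify_mode has been set to CERT_NONE to "fix" a certificate error, skips every check in this list and accepts any certificate an attacker presents.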
HTTP uses port 80 by default, while HTTPS uses port 443.