HTTP may have security problems such as information eavesdropping and identity forgery. HTTPS can effectively prevent these problems.
1. Disadvantages of HTTP
Everything has two sides. As a widely used communication protocol, HTTP is naturally very excellent, but it also has disadvantages:
(1) Communication uses plaintext and may be eavesdropped.
To ensure the high efficiency of HTTP transmission, HTTP itself does not have the encryption function, so it cannot encrypt the whole communication. To solve this problem, the communication or content can be encrypted.
Communication encryption: Encrypts HTTP traffic using a combination of Secure Socket Layer (SSL) or Transport Layer Security (TLS).
After establishing a secure communication line with SSL, HTTP communication can be carried out over this line. The COMBINATION of HTTP with SSL is HTTP Secure (HTTPS).
Content encryption: Because there is no encryption mechanism in HTTP, the content transmitted over HTTP is encrypted. That is, the content in HTTP packets is encrypted. In this case, the client needs to encrypt the HTTP packet before sending the request.
In order to achieve effective content encryption, both the client and server are required to have encryption and decryption mechanisms. It is mainly used in Web services. It is important to note that, unlike SSL or TLS, which encrypt the entire communication line, the content is still at risk of tampering.
(2) Communication will not verify the identity of both parties, may encounter camouflage.
In this case, any client can send a request, and the server will return a response whenever it receives the request, regardless of who it is. There could be a lot of problems with this mechanism.
To solve this problem, the SSL protocol can also be used. SSL not only performs encryption, but also uses certificates to determine the identity of the peer. The certificate is issued by a trusted third-party organization to prove that the server and client actually exist. In addition, forging certificates is technically extremely difficult. Therefore, as long as the certificate held by the communicator (server or client) can be confirmed, the true intention of the communicator can be determined.
(3) The integrity of the packet cannot be proved and may be tampered with.
Completeness refers to the accuracy of information. Failure to prove its completeness usually means it is impossible to determine whether the information is accurate.
HTTP cannot verify the accuracy of packets. Therefore, packets sent during a request or response may be tampered with before they are received, but HTTP does not know that.
For example, when downloading content from a Web site, it is impossible to determine whether the files downloaded by the client are the same as those stored on the server. The contents of the file may have been tampered with in transit. Even if the content does change, the client on the receiving end is not aware of it.
Such attacks are called man-in-the-middle attacks (MITM) in which a request or response is intercepted and tampered with while in transit.
Although there is a method to determine packet integrity by HTTP protocol, it is not convenient and reliable in fact. The commonly used hashing methods are MD5 and SHA-1, which are used to confirm the digital signature method of the file.
To effectively prevent these disadvantages, it is necessary to use HTTPS. SSL provides authentication, encryption, and summary functions. It is very difficult to ensure integrity with HTTP alone, so use it in combination with other protocols to achieve this goal.
2, HTTPS
2.1 What is HTTPS
HTTPS = HTTP + encryption + Authentication + Integrity protection. HTTP plus encryption and authentication and integrity protection is HTTPS.
If unencrypted plaintext is used in HTTP communication, such as entering a credit card number on a Web page, the credit card number is exposed if the line of communication is bugged.
In addition, with HTTP, there is no way for either the client or the server to confirm the communication between the two parties. It is possible that you are not actually communicating with the intended party. You also need to consider the possibility that the received message has been tampered with during communication.
In order to solve these problems, encryption and authentication mechanisms need to be added to HTTP. We call HTTP with encryption and authentication mechanisms HTTPS (HTTP Secure).
HTTPS is not a new protocol at the application Layer, but the HTTP communication interface is replaced by the Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocols.
Typically, HTTP communicates directly with TCP. When SSL is used, it communicates with SSL first and then with SSL and TCP. In short, HTTPS is HTTP with SSL protocol.
With SSL, HTTP has the encryption, certificate, and integrity protection features of HTTPS.
SSL is independent of HTTP. Therefore, SSL can be used with other protocols, such as SMTP and Telnet, that run on the application layer. SSL is the most widely used network security technology in the world today.
2.2 Encryption Technology
Encryption techniques can be divided into two categories: symmetric and asymmetric.
(1) Symmetric encryption: there is only one key, encryption and decryption is the same password, and encryption and decryption speed, typical symmetric encryption algorithm has DES, AES, etc.;
In this way, the encryption key must also be sent to the other party. If the key is intercepted during transmission, the encryption is meaningless.
(2) asymmetric encryption: : key come in pairs, and based on the public key cannot infer the private key, according to the private key can infer the public key), encryption to decrypt using different keys (need to be decrypted, public-key encryption private key encryption, decryption requires public key), relatively slow symmetric encryption, typical asymmetric encryption algorithms such as RSA and DSA.
Asymmetric encryption is a good solution to the shortcomings of symmetric encryption. Asymmetric encryption uses a pair of asymmetric keys. One is called a private key and the other is called a public key. As the name implies, a private key cannot be known to anyone else, whereas a public key can be freely distributed and available to anyone.
In asymmetric encryption, the sender uses the public key of the other party to encrypt the ciphertext. After receiving the encrypted message, the other party uses its private key to decrypt the encrypted message. In this way, there is no need to send the private key for decryption, and there is no need to worry about the key being eavesdropped and stolen by an attacker.
In addition, it is extremely difficult to recover the original information based on ciphertext and public keys, because the decryption process involves evaluating the discrete logarithm, which is not easy to do. At the very least, if you can factor a very large integer quickly, there is hope for password cracking. But it’s not realistic with the current technology.
2.3 HTTPS Encryption Mode
HTTPS uses hybrid encryption, that is, both symmetric encryption and asymmetric encryption.
Asymmetric encryption is more secure than symmetric encryption, but its disadvantage is that it takes longer to encrypt and decrypt. Therefore, HTTPS combines the advantages of both. It uses asymmetric encryption in key exchange and symmetric encryption in exchange packet establishment.
In the preceding process, the client and server first use asymmetric encryption. The server returns the public key to the client. After the client gets the public key from the server, the client encrypts the key using the public key and sends it to the server. This key is only available to the server. Then the client and the server establish a connection for communication. In order to improve the communication efficiency, symmetric encryption is used, and the key is the key obtained before.
HTTPS combines the advantages of the two encryption algorithms to ensure communication security and data transmission efficiency.
2.4 the CA certificate
Unfortunately, there are some problems with asymmetric encryption. It is impossible to prove that the public key itself is a genuine public key. For example, when trying to establish asymmetric encryption communication with a server, how to prove that the public key received is the one originally intended for the server. Perhaps the real public key has been replaced by an attacker during the public key transfer.
To solve the above problems, public key certificates issued by a digital Certificate Authority (CA) and its related authorities can be used.
First, the server operator applies for a public key from a digital certificate Authority. After identifying the identity of the applicant, the digital certificate Authority will digitally sign the applied public key, allocate the signed public key, and bind the public key into the public key certificate.
The server sends the public key certificate issued by the Digital Certificate Authority to the client for public key encryption communication. Public key certificates can also be called digital certificates or simply certificates. The client receiving the certificate can use the public key of the DIGITAL certificate Authority to verify the digital signature on the certificate. Once the authentication is successful, the client can know two things: first, the public key of the authentication server is a real and valid digital certificate authority. Second, the server’s public key is trustworthy.
The public key of the authentication authority here must be securely transferred to the client. When using communication methods, it is difficult to secure the transfer, so most browser developers release versions with the public key of the common authentication authority embedded beforehand.
2.5 HTTPS Communication Process
It can be roughly divided into three processes: certificate verification, connection establishment, data transmission.
(1) The client sends a request to the server.
(2) The server stores the CA certificate, which contains the asymmetric encrypted public key and other company information.
(3) The server responds to the request and sends the digital certificate to the client
(4) After receiving the digital certificate, the client will parse it. If the certificate is not issued by a trusted authority, or the domain name in the certificate is inconsistent with the actual domain name, or the certificate has expired, it will display a warning to the visitor and let him choose whether to continue communication.
If there is nothing wrong with the certificate, the client retrieves the server’s public key A from the server certificate. The client also generates A random code KEY and encrypts it using the public KEY A.
(5) The client sends the encrypted key to the server.
(6) The server will use its unique private key B to decrypt the encrypted key to obtain the key. In this case, the client establishes a connection with the server to ensure that the key is known only by both parties and prepare for data transmission in future communication.
(7) The server uses the KEY (random KEY) to encrypt the data symmetrically and send it to the client. The client uses the same KEY (random KEY) to decrypt the data.
(8) Both parties happily transmit all data using symmetric encryption.
3, summarize
Difference between HTTP and HTTPS
- The most important difference is security, HTTP plaintext transmission, not encrypted data security is poor. HTTPS (HTTP + SSL/TLS) data transmission is encrypted and secure.
- To use HTTPS, you need to apply for a CA certificate. Generally, there are few free certificates, so some fees are required. Certificate authorities such as Symantec, Comodo, DigiCert and GlobalSign.
- It makes sense that HTTP pages respond faster than HTTPS, but with the added layer of security, the connection process is more complex and more data is exchanged, which inevitably affects speed.
- Since HTTPS is an HTTP protocol built on top of SSL/TLS, it is more costly to the server than HTTP.
- HTTPS and HTTP use completely different connections and use different ports, 443 and 80.
HTTPS shortcomings
- In the same network environment, HTTPS has significantly higher response time and power consumption than HTTP.
- HTTPS security has a range and is almost useless in the case of hacking, server hijacking, etc.
- Under the existing certificate mechanism, man-in-the-middle attack is still possible.
- HTTPS requires more server resources, which can lead to higher costs.
Reference:
(1) Book “Illustrated HTTP”
(2) segmentfault.com/a/119000002…