More and more attention is paid to safety
In August 2014, Google published “HTTPS as a Ranking Signal” on its official blog, saying that it adjusted its search engine algorithm and websites using HTTPS encryption would rank higher in search results, encouraging websites around the world to adopt HTTPS with higher security to ensure the safety of visitors.
In the same year (2014), Baidu began to open HTTPS access to the outside world, and in early March, the whole network users officially launched HTTPS jump. For Baidu itself, HTTPS can protect the user experience and reduce the harm of hijacking/privacy leakage to users.
In 2015, Baidu open included HTTPS site announcement. Fully support HTTPS page directly included; Baidu search engine believes that pages using HTTPS are more secure among sites with the same weight and will be given priority in ranking.
“HTTP = insecure”. Why is HTTP insecure?
HTTP packets are composed of simple strings. They are plain text and can be read or written easily. A message for a simple transaction:
The content transmitted through HTTP is in plain text. The content you browse and submit online can be viewed by all entities working in the background, such as the owner of the router, the unknown intent of the network line route, provincial and municipal operators, the backbone network of the operator, and the cross-operator gateway. Here’s an example of insecurity:
What happens if a simple non-HTTPS login uses the POST method to submit a form containing the username and password?
POST form sent out information, didn’t do any scrambling encryption (code), the security of the information directly to the next layer protocol (TCP) need to be content, take in everything in a glance, all user name and password information any intercepted a message information can access to your user name and password, think about all feel terror?
So the question is, what is safe?
What kind of security is required for sites containing sensitive user information?
For a site that contains sensitive user information (from a practical standpoint), we expect to implement HTTP security technologies that meet at least the following requirements:
- Server authentication (clients know they are talking to a real server, not a fake one)
- Client authentication (servers know they are talking to a real client, not a fake one)
- Integrity (client and server data will not be modified)
- Encryption (conversations between client and server are private without fear of eavesdropping)
- Efficiency (an algorithm that runs fast enough for low-end clients and servers to use)
- Universality (virtually all clients and servers support this protocol)
- Managed extensibility (anyone, anywhere, can communicate securely immediately)
- Adaptability (ability to support the best known security methods of the day)
- Social feasibility (to meet the political and cultural needs of the society)
HTTPS protocol to solve security problems: HTTPS and HTTP differences – TLS security layer (session layer)
Hypertext Transfer Security protocol (HTTPS, also known as HTTP over TLS, HTTP over SSL, or HTTP Secure) is a Secure network transport protocol.
HTTPS is developed to authenticate network servers and ensure the confidentiality and integrity of exchanged information.
It differs from HTTP in that HTTPS communicates over the Hypertext Transfer protocol, but uses SSL/TLS to encrypt packets, meaning that all HTTP requests and responses are encrypted before they are sent over the network. The diagram below:
The security operations, that is, data encoding (encryption) and decoding (decryption), are done by SSL, and the rest is not much different from HTTP. More detailed TLS layer protocol diagram:
SSL layer is the cornerstone of HTTPS security.How does it do it?We need to understand the basic principles and concepts behind the SSL layer. Since it involves the concepts of information security and cryptography, I will try to use simple language and diagrams to describe it.
Basic principles and concepts behind SSL layer
This section describes the basic principles and concepts behind HTTPS, including encryption algorithms, digital certificates, and CA centers.
Encryption algorithms Encryption algorithms are strictly encodings (cryptography), which is the process of converting information from one form or format to another. Decoding is the reverse process of coding (as opposed to decryption in cryptography).
Symmetric encryption algorithm
Encryption algorithms fall into two categories: symmetric and asymmetric encryption algorithms. In symmetric encryption algorithm, only one key is used. Both sender and receiver use this key to encrypt and decrypt data, which requires that the decryptor must know the encryption key in advance.
But there is a problem with symmetric encryption algorithms: once you have more entities communicating, managing the secret keys becomes a problem.
Asymmetric encryption algorithms (encryption and signature)
Asymmetric encryption algorithms require two keys: a public key and a private key. The public key and private key are a pair. If the public key is used to encrypt data, only the corresponding private key can be used to decrypt data. If data is encrypted with a private key, it can only be decrypted with the corresponding public key, a reverse process called digital signature (since the private key is private, the identity of the entity can be verified).
They’re like a lock and a key. Alice sends the unlocked lock (public key) to different entities (Bob, Tom), who then use the lock to encrypt the message, and Alice only needs a key (private key) to unlock the content.
So, here’s an important question: how do encryption algorithms keep data transmission secure, that is, from being cracked? There are two things:
2. The encryption algorithm is open, and the key is the secret key. There is Kirkhovsky principle in cryptography, that is, the security of the encryption algorithm depends on the secret key rather than the secret algorithm, so it is very important to ensure the regular replacement of the secret key.
A digital certificate used for identity authentication and key exchange
A digital certificate is a file digitally signed by the certificate Authority that contains information about the public key owner, the encryption algorithm used, and the public key.
The encryption technology with digital certificate as the core can encrypt and decrypt the information transmitted on the network, digital signature and signature verification, to ensure the confidentiality and integrity of the information transmitted online and the non-repudiation of transactions. With the use of digital certificates, even if the information you send is intercepted by others on the Internet, and even if you lose your personal account, password and other information, you can still ensure the security of your account and funds. (For example, one of Alipay’s security measures is to install digital certificates on designated computers.)
Identification (Why should I trust you)
Authentication is an integral part of establishing every TLS connection. For example, it is possible to set up an encrypted channel with any party, including the attacker, and all encryption will be of no use unless we can be sure that the server we are communicating with is one we can trust.
Authentication is a digitally signed declaration through a certificate that binds the public key to the principal (personal, device, and service) identity that holds the corresponding private key. By signing the certificate, the CA can verify that the private key corresponding to the public key on the certificate is owned by the subject specified by the certificate.
Understanding TLS Protocols
HTTPS security mainly depends on the operation of TLS protocol layer. So what does it do to establish a secure data channel?
TLS Handshake: How are secure channels established
0 MS TLS runs on a reliable TCP protocol, meaning we must first complete the TCP three-way handshake.
56 ms After the TCP connection is established, the client sends a series of instructions in plain text, such as the TLS protocol version and the encryption algorithm supported by the client.
84 MS The server obtains the TLS protocol version, selects an appropriate encryption algorithm based on the encryption algorithm list provided by the client, and sends the selected algorithm together with the server certificate to the client.
112 ms Suppose that the server and the client obtain a common TLS version and encryption algorithm after negotiation. The client detects the certificate of the server and is satisfied with it. The client uses either the RSA encryption algorithm (public key encryption) or the DH key exchange protocol to obtain a symmetric secret key shared by the server and the client.
For historical and commercial reasons, RSA-based secret key exchange dominates TLS protocols: the client generates a symmetric secret key, encrypts it using the public key of the server-side certificate, and sends it to the server, which decrypts the symmetric secret key using the private key.
140 MS The server processes the key exchange parameters sent by the client, verifies Message Authentication Code (MAC) to verify Message integrity, and returns a Finished encrypted Message to the client.
In cryptography, Message Authentication Code (MAC), also translated into Message Authentication Code, file Authentication Code, Message Authentication Code, and Message Authentication Code, is a short piece of information generated by a specific algorithm to check the integrity of a Message and authenticate the identity. It can be used to check whether the content of a message has been changed during delivery, whether by accident or by deliberate attack. It can also serve as the authentication of the message source to confirm the source of the message.
168 The MS client decrypts the Finished message using the negotiated secret keys and authenticates the MAC address. If all is complete, the encrypted channel is set up and data transfer is complete.
After this communication, symmetric secret keys are used to encrypt and transmit data, so as to ensure the confidentiality of data.
This is the end of the basic principles I want to cover, but there is more to HTTPS, now for the real thing!!
So, coach, I want to use HTTPS
To choose the right certificate, Let’s Encrypt(It’s free, Automated, and Open.) is a good choice — letsencrypt.org/
ThoughtWorks describes the Let’s Encrypt project in its Technical Radar release in April 2016:
Starting in December 2015, the Let’s Encrypt project moved from closed beta to open beta, meaning that users no longer need to be invited to use it. Let’s Encrypt provides an easy way for users seeking web site security to obtain and manage certificates. Let’s Encrypt also makes “security and privacy” even better, a trend that has already begun with ThoughtWorks and many of our projects that use it for certificate authentication.
According to data released by Let’s Encrypt, the project has issued more than 3 million certificates to date — the 3 million number was reached between May 8 and 9. Let’s Encrypt is a project to make HTTP connections more secure, so the more sites join, the more secure the Internet becomes.