When job hunting, are you often asked about the difference between HTTP and HTTPS? This topic is broader than it looks. If you want to hold your own against the interviewer, read this article.
The concept of HTTP and HTTPS
Let's start with the Wikipedia definitions.
HTTP: HyperText Transfer Protocol (HTTP) is an application layer Protocol for distributed, collaborative and hypermedia information systems [1]. HTTP is the basis for data communication on the World Wide Web. HTTP was originally designed to provide a way to publish and receive HTML pages. Resources requested over HTTP or HTTPS are identified by Uniform Resource Identifiers (URIs).
HTTPS: Hypertext Transfer Protocol Secure (HTTPS), often called HTTP over TLS, HTTP over SSL, or HTTP Secure, is a protocol for secure communication over a computer network. HTTPS is ordinary HTTP carried inside an SSL/TLS connection, so the packets are encrypted. HTTPS was developed to authenticate the web server and to protect the privacy and integrity of the exchanged data. The protocol was first proposed by Netscape in 1994 and then spread across the Internet. Historically, HTTPS connections were used mainly for payment transactions on the World Wide Web and for transferring sensitive information in enterprise information systems. In the late 2000s and early 2010s, HTTPS became widely used to protect the authenticity of web pages on all kinds of sites, to protect accounts, and to keep user communications, identities, and web browsing private.
In a nutshell
The Hypertext Transfer Protocol (HTTP) is used to transmit information between web browsers and web servers. HTTP sends content in plain text, without any encryption: an attacker who intercepts the packets between browser and server can read them directly. HTTP is therefore unsuitable for transmitting sensitive information such as credit card numbers and passwords.
To overcome this shortcoming of HTTP, another protocol is needed: HTTPS (Hypertext Transfer Protocol Secure). To secure the transmission, HTTPS inserts SSL/TLS underneath HTTP. SSL/TLS relies on the server's certificate to verify the server's identity, and then encrypts the communication between the browser and the server.
The difference between HTTP and HTTPS
1. HTTPS requires a certificate issued by a CA. Free certificates used to be rare, so this usually meant paying; today domain-validated certificates are available free of charge (Let's Encrypt, for example), but a certificate from a CA that clients trust is still mandatory.
2. HTTP runs directly on top of TCP, and everything it transmits is plain text.
3. HTTPS runs on top of SSL/TLS, which in turn runs on top of TCP. Everything transmitted is encrypted with a symmetric cipher under a session key. How that key is agreed depends on the cipher suite: in the older RSA key-exchange suites the client encrypts it with the public key from the server's certificate; in (EC)DHE suites, and always in TLS 1.3, it is derived from an ephemeral Diffie-Hellman exchange and the certificate's key is used only to sign the handshake.
- Symmetric encryption: one key both encrypts and decrypts, and it is fast. Typical algorithms are DES (now obsolete; its 56-bit key can be brute-forced) and AES.
- Asymmetric encryption: keys come in pairs. The private key cannot be derived from the public key (the public key can be computed from the private key, which is why only the private key must stay secret). Different keys are used for encryption and decryption: what the public key encrypts, only the private key can decrypt, and what the private key signs, the public key verifies. It is far slower than symmetric encryption. (For details see the TLS/SSL handshake explanation at tyler-zx.blog.csdn.net/article/det…)
4. HTTP and HTTPS use different URL schemes and default ports: an HTTP URL starts with http:// and uses port 80 by default, while an HTTPS URL starts with https:// and uses port 443 by default.
5. HTTP connections are simple and stateless; HTTPS is HTTP layered over SSL/TLS, which adds encrypted transport and server authentication, so it is more secure than HTTP.
How HTTP works
HTTP is an application-layer protocol that runs on top of TCP.
HTTP consists of requests and responses and follows the standard client-server (B/S) model: the client always sends the request and the server always sends back the response.
HTTP is a stateless protocol: once the server has sent its response it keeps no information about that request, so every request must carry everything the server needs to handle it (cookies are the usual way to carry session identity across requests). Statelessness is not the same as "one request per connection". HTTP/1.0 closed the TCP connection after every response, while HTTP/1.1 keeps it open by default (keep-alive) so that several requests can reuse it, but the protocol is stateless either way. All HTTP traffic is structured as a sequence of request/response pairs.
The working process of HTTP
1) When a URL is entered, the browser (the client) first asks a DNS server to resolve the domain name to an IP address (application layer). For example, when the browser requests http://localhost.com:8080/index.htm, the URL breaks down as:
- Protocol name: HTTP
- Host name: localhost.com
- Port: 8080
- Object path: /index.htm
2) The client reaches the server at that IP address, establishes a TCP connection, and sends the HTTP request packet down its stack (application layer > transport layer > network layer > data link layer).
Before HTTP can do anything, the client (web browser) must first establish a connection with the server over the network. That connection is made with TCP, which together with IP forms the TCP/IP protocol family on which the Internet is built (hence "TCP/IP network"). HTTP is an application-layer protocol and sits above TCP; a higher-layer connection can only be made once the lower-layer connection exists, so the TCP connection must be established first.
The HTTP request the client sends to the web server through the TCP socket is a text packet consisting of a request line, request headers, a blank line, and the request body (data).
3) The server receives the request packet up its stack (data link layer > network layer > transport layer > application layer) and begins processing it.
4) The server invokes its own service to handle the request and returns a response packet. The response consists of a status line (the protocol version and a success or error status code), followed by headers in MIME format carrying server information and entity information, and then the body content, if any.
5) Release the TCP connection.
If the connection mode is close, the server actively closes the TCP connection and the client closes its side passively, releasing the connection.
If the connection mode is keep-alive, the connection stays open for a period of time and can carry further requests during that period. Keeping the connection saves the time needed to establish a new connection for every request and saves network bandwidth.
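As an added example (not code from the original article), the following Go program decodes a request packet laid out exactly as described above, request line, headers, blank line, body, applies the keep-alive rule from step 5, and cross-checks the hand-written parser against Go's own net/http reader. The login request it parses is constructed for the example: the host name localhost.com, the path /login and the credentials in the body are all made up, and the point of the last line of main is the article's plaintext warning, since nothing has to be decrypted to find the password in the bytes.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/textproto"
	"strconv"
	"strings"
)

// Request is the decoded form of one HTTP/1.x request packet: the request
// line, the headers, and whatever followed the blank line.
type Request struct {
	Method, Target, Version string
	Headers                 textproto.MIMEHeader
	Body                    []byte
}

// sampleRequest is a constructed login POST (not a real capture). On plain
// HTTP these exact bytes cross the wire, credentials included.
var sampleRequest = []byte("POST /login HTTP/1.1\r\n" +
	"Host: localhost.com:8080\r\n" +
	"Content-Type: application/x-www-form-urlencoded\r\n" +
	"Content-Length: 27\r\n" +
	"Connection: keep-alive\r\n" +
	"\r\n" + // the blank line that separates headers from body
	"user=alice&password=hunter2")

// parseRequest splits raw bytes into request line, headers, blank line and
// body, and refuses packets whose body is shorter than Content-Length promises.
func parseRequest(raw []byte) (*Request, error) {
	r := bufio.NewReader(bytes.NewReader(raw))
	tp := textproto.NewReader(r)

	line, err := tp.ReadLine() // request line: METHOD SP TARGET SP VERSION
	if err != nil {
		return nil, fmt.Errorf("reading request line: %w", err)
	}
	parts := strings.SplitN(line, " ", 3)
	if len(parts) != 3 || !strings.HasPrefix(parts[2], "HTTP/") {
		return nil, fmt.Errorf("malformed request line %q", line)
	}

	hdr, err := tp.ReadMIMEHeader() // consumes the headers up to and including the blank line
	if err != nil {
		return nil, fmt.Errorf("reading headers: %w", err)
	}
	req := &Request{Method: parts[0], Target: parts[1], Version: parts[2], Headers: hdr}

	if cl := hdr.Get("Content-Length"); cl != "" {
		n, err := strconv.Atoi(cl)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("bad Content-Length %q", cl)
		}
		req.Body = make([]byte, n)
		// A truncated body is an error, not a shorter body: trusting the
		// declared length without reading it all is how smuggling bugs start.
		if _, err := io.ReadFull(r, req.Body); err != nil {
			return nil, fmt.Errorf("body shorter than Content-Length %d: %w", n, err)
		}
	}
	return req, nil
}

// keepAlive applies the HTTP/1.x connection rule: 1.1 connections persist
// unless the client says "Connection: close"; 1.0 connections close unless
// the client asks for "Connection: keep-alive".
func keepAlive(req *Request) bool {
	conn := strings.ToLower(req.Headers.Get("Connection"))
	if req.Version == "HTTP/1.1" {
		return conn != "close"
	}
	return conn == "keep-alive"
}

// crossCheck parses the same bytes with net/http's own reader, the code a Go
// server actually runs, so the hand parser can be compared against it.
func crossCheck(raw []byte) (*http.Request, error) {
	return http.ReadRequest(bufio.NewReader(bytes.NewReader(raw)))
}

func main() {
	req, err := parseRequest(sampleRequest)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s %s %s\n", req.Method, req.Target, req.Version)
	for k, v := range req.Headers {
		fmt.Printf("  %s: %s\n", k, strings.Join(v, ", "))
	}
	fmt.Printf("body: %q\nkeep-alive: %v\n", req.Body, keepAlive(req))
	fmt.Printf("password visible in raw bytes: %v\n", bytes.Contains(sampleRequest, []byte("password=")))
}
```

Run it with `go run` on the file; the Content-Length check is the part worth keeping in mind, because a parser that silently accepts a short body disagrees with the next hop about where one request ends and the next begins.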
How HTTPS works
HTTPS is not a new application-layer protocol. HTTP itself is unchanged; what changes is that HTTP hands its data to SSL/TLS instead of directly to TCP.
Normally HTTP talks straight to TCP. With SSL/TLS in place, HTTP talks to SSL/TLS, which in turn talks to TCP. In short, HTTPS is HTTP wrapped in the shell of the SSL/TLS protocol.
With SSL/TLS, HTTP gains the encryption, certificate-based authentication, and integrity protection that define HTTPS. That is, HTTP plus encryption, authentication and integrity protection is HTTPS.
When a client communicates with a web server over HTTPS, the following steps take place:
1) The client opens the HTTPS URL and asks the web server for an SSL/TLS connection.
2) On receiving the request, the web server sends the client a copy of the site's certificate, which contains the server's public key.
3) The client's browser checks the certificate (issued by a trusted CA chain, matching host name, within its validity period) and negotiates with the web server the security level of the SSL/TLS connection, that is, the protocol version and cipher suite that determine how the data will be encrypted.
4) The browser generates a session key according to the agreed security level, encrypts it with the site's public key, and sends it to the site.
5) The web server decrypts the session key with its own private key.
6) The web server and the client use the session key to encrypt the rest of their communication.
Steps 4 and 5 describe the RSA key exchange of older cipher suites. With (EC)DHE suites, and always in TLS 1.3, the session key is instead derived from an ephemeral Diffie-Hellman exchange that the server signs with the private key belonging to its certificate; the benefit is forward secrecy, since a later theft of the server's private key cannot decrypt recorded traffic.
HTTPS relies entirely on TLS/SSL, and TLS/SSL relies on three basic building blocks: hash functions, symmetric encryption and asymmetric encryption. Asymmetric encryption provides identity authentication and key negotiation, the symmetric cipher encrypts the data under the negotiated key, and hash functions (in MACs and AEAD ciphers) verify the integrity of the data.
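The following Go program is an added example, not code from the article: it runs the exchange above end to end on the loopback interface using a self-signed certificate minted inside the program (the certificate, the 127.0.0.1 address, the page text and the random port are all assumptions of the example). One client connects without that certificate in its trust store and is refused at step 2, which is the certificate check doing its job against a man in the middle; a second client that trusts the certificate completes the handshake, and the program reports the cipher suite that was negotiated, which names the symmetric cipher and hash the previous paragraph refers to. Go negotiates TLS 1.3 here, so the session key comes from an ephemeral Diffie-Hellman exchange rather than the RSA encryption of steps 4 and 5, and the certificate's key signs the handshake instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"time"
)

// selfSignedCert mints a throwaway certificate for 127.0.0.1 (constructed for
// this example; a real site gets its certificate from a CA).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "https-demo"},
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // the name the client checks
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// startServer serves one handler over TLS on a loopback port and returns its URL.
func startServer(cert tls.Certificate) (string, func(), error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", nil, err
	}
	srv := &http.Server{
		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			fmt.Fprint(w, "secret page body") // assumed page content
		}),
		// MinVersion is the "security level" of step 3: SSLv3 and TLS 1.0/1.1 are refused.
		TLSConfig: &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12},
	}
	go srv.ServeTLS(ln, "", "") // empty paths: the certificate comes from TLSConfig
	return "https://" + ln.Addr().String(), func() { srv.Close() }, nil
}

// fetch does a GET with a client that trusts only roots (nil means the system
// store, i.e. a browser that has never seen this certificate). Never paper over
// a trust failure with InsecureSkipVerify: true; that drops server
// authentication and with it the protection against a man in the middle.
func fetch(url string, roots *x509.CertPool) (string, *tls.ConnectionState, error) {
	client := &http.Client{Timeout: 5 * time.Second, Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12},
	}}
	resp, err := client.Get(url)
	if err != nil {
		return "", nil, err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), resp.TLS, err
}

// RunDemo starts the server, connects once without the certificate in the
// client's trust store (rejectErr reports that failure) and once with it,
// returning the page body and the negotiated cipher suite.
func RunDemo() (rejectErr error, body, suite string, err error) {
	cert, err := selfSignedCert()
	if err != nil {
		return nil, "", "", err
	}
	url, stop, err := startServer(cert)
	if err != nil {
		return nil, "", "", err
	}
	defer stop()
	_, _, rejectErr = fetch(url, nil) // "x509: certificate signed by unknown authority"
	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf) // what a trusted CA root does for real sites
	body, cs, err := fetch(url, pool)
	if err != nil {
		return rejectErr, "", "", err
	}
	return rejectErr, body, tls.CipherSuiteName(cs.CipherSuite), nil
}

func main() {
	rejectErr, body, suite, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("untrusting client: %v\ntrusting client read %q over %s\n", rejectErr, body, suite)
}
```

The rejected connection is the whole value of the certificate: encryption alone would happily set up a session key with an impostor, and it is the trust-store check in step 2 that ties the key to the party the URL names. Adding the leaf to the pool stands in for what a CA root in the operating system's store does for a publicly issued certificate.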
The advantages of HTTPS
HTTPS is not completely secure: anyone who controls a root certificate that clients trust, or who can break the negotiated algorithms, can still mount a man-in-the-middle attack. Even so, HTTPS is the most secure option within the current web architecture, and it brings the following benefits:
1. HTTPS authenticates the server (and, with client certificates, optionally the client as well), so data is sent to the right party rather than to an impostor.
2. HTTPS is HTTP over SSL/TLS, providing encrypted transmission and identity authentication. It is more secure than HTTP: data cannot be read or modified in transit without detection, which protects both confidentiality and integrity.
3. Although it is not absolutely secure, HTTPS is the best protection available for user data compared with HTTP.
4. Google adjusted its search engine in August 2014, announcing that HTTPS-encrypted sites would rank higher in search results than comparable HTTP sites.
Why don’t all websites use HTTPS
Although HTTPS has clear advantages, it also has drawbacks by comparison:
(1) HTTPS consumes more server resources than HTTP. Since HTTPS is HTTP built on SSL/TLS, the extra cost is essentially the cost of SSL/TLS. The handshake takes time; the figures often quoted are up to roughly 50% longer page load time and 10% to 20% more power consumption, although session resumption and the shorter TLS 1.3 handshake reduce this considerably.
(2) Caching is less efficient with HTTPS than with HTTP, because intermediate proxies cannot see or cache the encrypted content; this increases data overhead and power consumption, and security devices that inspect traffic lose visibility as well.
(3) SSL certificates cost money, and the more assurance a certificate offers the more it costs, so personal and small websites often did not bother. (Domain-validated certificates are now available free, which weakens this objection.)
(4) An SSL certificate traditionally had to be bound to a dedicated IP address, because the server had to choose a certificate before it knew which site the client wanted, so multiple HTTPS domains could not share one IP address, a use of IPv4 addresses the Internet could not afford. The SNI extension, in which the client sends the host name at the start of the handshake, removes this limit and is supported by all modern clients.
(5) The scope of HTTPS encryption is also limited: it offers almost no protection against attacks on the web application itself, denial-of-service attacks, or server compromise. Most importantly, the SSL certificate trust chain is only as strong as its least trustworthy root: where a state or other party can control a trusted root CA, man-in-the-middle attacks remain feasible.