This is the fifth day of my participation in the August More text Challenge. For details, see:August is more challenging
Borrow more text challenge to urge oneself in August, thank nugget!
I’ve already written an article about the basics of HTTP, including headers, response codes, and cookies. Now, we have to think about whether the data can be safely transmitted over the network. To conclude, HTTP is an insecure transport protocol, and we would normally use HTTPS. Here is the general structure of the article:
Differences between HTTP and HTTPS
First, the problems of HTTP
In fact, data transmission on the network is not directly transmitted by the sender to the receiver. In the process of transmission, data is transmitted and forwarded by one node before finally reaching the receiver. So, whether the data in the transmission will be unsafe. For example, the data is at risk of being tapped by a third person or even tampered with. This is an important reason why HTTP will be replaced, because HTTP does not encrypt the data transmitted. Data is transmitted in plain text, which is easy to listen to, steal, and tamper with. HTTPS was invented to solve the problem of HTTP being insecure during transmission, so what is HTTPS?
What is HTTPS
What is HTTPS? First of all, HTTPS is not a new protocol. It is a layer of TLS and SSL on top of HTTP, thus becoming HTTPS. HTTPS can ensure the security of data transmission. In addition to encrypting data, the certificate issued by the CA must be verified.
3. STL and SSL
HTTPS uses SSL and TLS to ensure the security of data transmission. Transport Layer Security (TLS) and Secure Socket Layer (SSL) are protocol layers between reliable connection-oriented network Layer protocols and application Layer protocols. After SSL authentication, digital signatures are used to ensure data integrity and encryption is used to ensure data privacy, ensuring secure communication between the client and the server.
In the TCP/IP network stratification theory, the network can be divided into four layers:
Where do TLS and SSL stand? Take a look at this picture below:
Why is it possible to secure data transmission with TLS and SSL, and how is HTTPS guaranteed?
How does HTTPS ensure data security
One, data encryption
So we know that HTTP data is transmitted in plain text and HTTPS encrypts the data, so how does HTTPS encrypt the data?
Since you need to encrypt the data, you must use a certain encryption algorithm. In fact, encryption algorithms can be divided into symmetric encryption and asymmetric encryption, so what is symmetric encryption and what is asymmetric encryption? From wikipedia:
Public key cryptography (English: public-key cryptography) is also known as Asymmetric cryptography (English: Asymmetric cryptography) is an algorithm of cryptography, it requires two keys, one is Public key, the other is private key; The public key is used for encryption and the private key for decryption. The ciphertext obtained by encrypting plaintext with a public key can only be decrypted with the corresponding private key and the original plaintext can be obtained. The public key originally used for encryption cannot be used for decryption. Because encryption and decryption require two different keys, it is called asymmetric encryption; As opposed to symmetric encryption where both encryption and decryption use the same key. The public key can be disclosed and released freely. The private key cannot be made public, must be held in strict confidence by the user, and must never be provided to anyone by any means, nor disclosed to the trusted party to the communication.
As you can see, the symmetric encryption algorithm uses a key for both encryption and decryption, so symmetric encryption is used efficiently while asymmetric encryption is used inefficiently. Obviously, the data transmission in the network is for efficiency, and the data transmission should use symmetric encryption, like the following:
As you can see, after encrypting the data, the listener gets the ciphertext. Since it does not have a key, the ciphertext cannot be decrypted. The data appears to be safe. But there is A question, how do you get the key A used by the client and server? In any case, the client and server communicate in plain text for the first time, and need to transmit this key A to each other.
To solve this problem, we introduce asymmetric encryption. So, how does asymmetric encryption guarantee the security of data transmission?
Asymmetric encryption is divided into public key and private key. The public key is used to encrypt data, and the private key is used to decrypt data. The public key can be transmitted over the network, but the private key cannot be leaked. Client would like to request data from the server, first of all, it will generate a key, and USES the server’s public key to encrypt for the random value, the server receives the message, will use their own private key to decrypt, so as to get the key, you can use symmetric encryption for data transmission, drew a sketch:
Two, certificate verification
The client uses the public key of the server for encryption. If a third party replaces the public key with its own and successfully decrypts the public key with its own private key, then the transmitted data will not be leaked. Here is another diagram:
To solve this problem, certificates are introduced as a mechanism. Here is the nugget Platform certificate:
This certificate is issued by a CA authority. What information does this certificate contain? Obviously, the certificate should include at least the public key, as well as the domain name of the web site, duration, and issuing authority. Also, how do we verify that the CA authority is legitimate? This requires the use of root certificates, within our operating system. In the mining platform certificate, we can see that it was issued by Encryption Everywhere DV TLS CA-G1, and the Root certificate of our system, DigiCert Global Root CA, validates the certificate of this issuing authority. Where can I find a certificate for this system? In MacOS, you can find it in the keychain:
If someone asks, how does the system verify this certificate? Isn’t it infinite recursion? I’m sorry to tell you that certificate verification stops at this point, and you have to trust the root certificate of the system unconditionally, so infinite recursion doesn’t happen.
Isn’t it amazing? The strangest knowledge was added. That’s how HTTPS works. It doesn’t go far enough, but when asked in an interview, it’s not enough to say that HTTPS is secure Http.
conclusion
Here’s a summary:
Everything is summed up in the picture, so there is no need to say more. In addition, finally round the title of the “graphic”.
In addition, because the level is limited, the wrong place is inevitable, rather misleading others, welcome big guy to correct! Code word is not easy, thank you for your attention! 🙏