You’ve heard of the following three protocols, but what are they, their history, and their characteristics? Today to a simple introduction, if there are mistakes welcome to point out, you can directly see the summary
- The HTTP protocol
- The HTTPS protocol
- The Websocket protocol
1. The HTTP protocol
1.1 What is HTTP
HTTP Hypertext Transfer Protocol (HTTP Hypertext Transfer Protocol) is a simple request-response Protocol that usually runs on top of TCP. The underlying layer is based on TCP/IP protocol. It is an application layer protocol and is stateless. It is the most widely used network protocol on the Internet.
1.2 History of HTTP
Have the time | version | content | Current situation of the development of |
---|---|---|---|
1990 | HTTP / 0.9 | No protocol is required for exchanging information, only text, only GET requests | Not as a formal standard |
1996 | HTTP / 1.0 | The transmission format is not limited, adding PUT, patch, HEAD, options, delete | Formally as a standard |
1997 | HTTP / 1.1 | Persistent connection, saving broadband, host domain, pipeline mechanism, block transfer coding, etc | Formally as a standard |
2013 | HTTP/2 | Multiplexing, server push, header compression, binary protocol, etc | Formally as a standard |
2018 | HTTP/3 | – | – |
1.2.1: Detailed explanation of the history of development
Do you know HTTP2?
Http1.0 has the following bottlenecks
Only one request can be sent on a connection. 2. A request can only be sent from the client, and the client cannot receive any instruction other than the response. Send the header without compression, the more information the header, the greater the delay 4. Send the same header each time, resulting in waste 5. You can choose any data compression format.Copy the code
So in order to solve the above problems
AJAX: Asynchronous communication means of partial Web page replacement loading. The use of Ajax and Comet technology can improve the browsing speed of the Web, but does not solve the problems existing in the HTTP protocol itself.Copy the code
So with HTTP1.1, two new features are added to HTTP1.1
1. Keep-alive: Saves traffic (http1.1 default keep-alive: saves traffic every time TCP is disconnected, so keep-alive can speed up web page opening. Pipeling: no need to wait for the response to send the next request to pipeling, which does not block queue headers as in 1.0Copy the code
But HTTP1.1 only addresses part of the problem, so there is SPDY protocol HTTP2 is based on SPDY protocol, published by Google, specifically to solve the HTTP protocol encountered bottlenecks.
2. SSL (encrypts the network connection between the transport layer and the application layer) has multiplexing, prioritizing the request, compressing the HTTP header, server pre-push function, server prompt function, etcCopy the code
But it doesn’t eliminate the web presentation speed problem, because SPDY basically just multiplexes [single domain] traffic, and there are too many domains for a Web site to improve. And many web site problems are not just caused by HTTP bottlenecks, so improving the speed of web sites has to be done elsewhere. So there’s HTTP3!
Udp-based QUIC protocol, with native multiplexing, packet loss of one stream does not affect other streams. In the case of small packet loss, other streams have redundant data that can be reorganized, without retransmission, and encryption securityCopy the code
Features of HTTP protocol
- stateless
- The connection is re-established on each request
- Based on request and response: The basic feature is that the client initiates a request and the server responds quickly and flexibly
- HTTP2 features multiplexing, prioritizing requests, compression of HTTP headers, server push functionality, server prompt functionality, and so on
Disadvantages of the HTTP protocol:
Although HTTP is widely used, it also has some security defects, especially in network payment
- Communications use clear text, and the content can be eavesdropped
- Failure to verify the identity of the communicating party may result in disguise
- The packet is incomplete and may be tampered with
The HTTPS protocol
1. HTTPS definition:
HTTPS(Hyper Text Transfer Protocol over SecureSocket Layer):
The HTTP channel aims at security. On the basis of HTTP, it ensures the security of the transmission process through transmission encryption and identity authentication. HTTPS adds SSL (as described below) on the basis of HTTP, and is mainly used for transaction and payment.
HTTPS encryption:
HTTPS encryption is ultimately symmetric encryption, but symmetric encryption keys use asymmetric encryption during transmission, so HTTPS is strictly a hybrid encryption.
Asymmetric encryption the process of transferring a symmetrically encrypted secret key is called communication encryption (SSL).
After establishing the secure channel, the process of transmitting content using symmetric encryption is called content encryption (but the content encryption has the risk of tampering).
2.1 There are two common encryption modes:
1. Symmetric key encryption (shared key encryption)
Symmetric key encryption, also known as symmetric encryption, private key encryption, shared secret key encryption, is a kind of encryption algorithm in cryptography. These algorithms use the same key for encryption and decryption, or two keys that can simply be deduced from each other.
As long as the attacker obtains the secret key, it can be decrypted, so there is public secret key encryption.
Common symmetric encryption algorithms: DES, 3DES, AES, Blowfish, IDEA, RC5, RC6;
- The client itself encapsulates an encryption algorithm
- Sends encrypted data and a secret key to the server
- The server decrypts data with a secret key
2 Asymmetric secret key encryption (public secret key encryption)
In this cryptography approach, a pair of keys is required, one private (private) and the other public (public).
The two keys are mathematically related and are encrypted by a user’s key. Only the user’s key can be used to decrypt the information. If you know one, you can’t figure out the other. Therefore, the disclosure of one key pair does not compromise the secret nature of the other.
The processing speed is slower than symmetric encryption
- The server creates a unified encryption mode for the client, which is called a public key
- The client uses the public key to encrypt and then transmits the ciphertext to the server
- The server uses the private key for decryption
Common asymmetric encryption algorithms: RSA, Elgamal, knapsack algorithm, Rabin. The DH algorithm used to send messages in the Signal project is used to encrypt asymmetric secret keys.
RSA is a widely used encryption algorithm, such as SSH, HTTPS, TLS, e-certificates, e-signatures, and e-ID cards.
2.1 CA:
CA:
CA authority: certificate authority that issues, invalidates, and holds certificates.
The CA certificate:
CA certificate: Certificates issued by the CA organization are called CA certificates
- Digital certificate: Network ID card, used to verify the identity of the digital certificate holder on the network.
- Electronic authentication: Based on PKI, using cryptographic technology to encrypt and decrypt the information transmitted on the network, digital signature and verification signature, so as to ensure the authenticity, confidentiality, integrity and non-repudiation of the information transmitted online.
SSL certificate:
SSL certificate: is a type of digital certificate, similar to the electronic copy of driving license, passport and business license. Also known as a server certificate because it is configured on the server.
The essence of CA certificates is to use SSL/TLS protocols to protect the security of transmitted data. Therefore, CA certificates are also called SSL certificates. So in a sense CA certificates = SSL certificates.
In addition to issuing SSL certificates, CA can also issue other digital certificates, such as code signing certificates and E-mail certificates.
The CA is a trusted certificate authority. All certificates issued by the CA can become CA certificates. The SSL certificate is only one of the certificates issued by the CA
Objective: To solve the public key transfer trust problem.
Certificate application:
- Server application: be trusted by all
- Self-produced: such as packet capture tools, but the client and browser are not maintained and are not trusted by default
The certificate contains the following information:
- Certification Authority
- Certificate authority signature
- Server domain name bound to the certificate
- Certificate version and validity period
- Encryption algorithm used by the signature
- The public key
How to prevent CA certificates from being tampered with:
-
Each certificate has a digital signature: the CA uses some digest algorithm (hash value generated by one-way function of MD5 algorithm) to digest the plaintext of the certificate, then encrypts it with the CA’s private key to generate the signature
-
Verification process: After obtaining the certificate, the client uses the same summary algorithm to generate summary of plaintext, and then compares it.
2.2 Summary of HTTPS Encryption Process
- Symmetric encryption uses the same key, so it is less secure but faster
- Non-heap encryption uses a pair of keys, so security is high but processing is slow
Solution: Use asymmetric encrypted public key to encrypt symmetric encrypted key, and the receiver uses private key to decrypt symmetric encrypted key.
Therefore, the HTTPS encryption process is as follows: The server needs to generate a key pair, apply for a certificate from the CA, attach the public key to the certificate, and send the certificate to the client. In this way, when the client obtains the public key from the certificate, it can use the public key to encrypt the symmetric encrypted key to the server.
Disadvantages of the HTTPS protocol:
- Certificates cost money
- Increasing data 8 overhead, CPU and memory consumption, reduces the number of requests and speed of processing for heavily visited sites.
- The HTTPS protocol is secure in scope and has little effect on hacks, denial-of-service attacks, server hijackings, etc.
- SSL certificates can be forged
The websocket protocol:
Definition:
Standard for full-duplex communication between web browsers and Web servers. That is, the server can actively push messages to the client, and the client can actively send messages to the server.
Data in any format can be sent to each other during communication.
In order to achieve push technology, websites generally use polling, but polling needs to repeatedly send requests, consume resources, waste the head, and Websocket is mainly to solve the problems caused by AJAX polling and Comet (based on HTTP long connection “server push” technology).
Main features:
- Push function: The server pushes data directly without waiting for the client to send a request.
- Reduced traffic: The connection is always maintained, and the head is small and the traffic is reduced.
Note: In order to implement websocket communication, the HTTP header Upgrade header field is used to inform the server that the communication protocol has changed for handshake purposes.
Use:
Js invokes the WebScocket program interface to achieve full-duplex communication.
Generally, HTTP uses THE WS protocol and HTTPS uses the WSS protocol, and the WSS protocol does not support IP address writing
- In Firefox, HTTPS cannot use WS connection
- Browsers with a chrome kernel version lower than 50 do not allow ws links over HTTPS
- A certificate is required to use WSS links in HTTPS mode in Firefox
HTTP: new websocket (' ws://xxx.xx.com/12012/up) HTTPS: new websocket (' wss://xxx.xx.com/12012/up)Copy the code
Usage scenarios
Social chat, live barrage, multi-player games, collaborative editing, real-time stock fund quotes, sports updates, video conferencing/chat, location-based apps, online education, smart homes and other scenarios requiring high real-time
Advantages:
- Better binary support: Websocket defines binary frames
- Less overhead: The packet header is smaller
- Support for expansion: you can customize your own protocol
- Better compression: The context of the previous content can be used
- Keep connected:
other
1. SSL
1.1 DEFINITIONS of SSL:
- Secure Sockets Layer (SSL)
- TLS (Transport Layer Security) : the successor of SSL, which can be understood as SSL/3.1
SSL and its successor, TLS, are a secure protocol that provides security and data integrity for network communications.
TLS and SSL encrypt network connections between the transport layer and the application layer.
1.2 SSL Background:
Secure Socket Layer is developed by Netscape to Secure data transmission over the Internet. Encryption technology is used to ensure that data cannot be intercepted or eavesdropped during transmission over the network.
- The general general specification is 40 bit security standard, the United States has launched 128 bit higher security standard. SSL can be supported only by browsers that are essentially or Netscape 3.0 or older.
- The current version is 3.0. It has been widely used for authentication and encrypted data transfer between Web browsers and servers.
1.3 LAYERED SSL Protocols
SSL is located between TCP/IP and various application-layer protocols and provides security support for data communication.
- The SSL protocol is divided into two layers:
- SSL Record Protocol (SSL Record Protocol) : Based on reliable transport protocols (such as TCP), it supports data encapsulation, compression, and encryption for high-level protocols.
- SSL Handshake Protocol: Based on the SSL recording Protocol, it is used for identity authentication, encryption algorithm negotiation, and encryption key exchange between communication parties before data transmission.
SSL disadvantages (currently used SSL 3.0 and TLS1.0)
- Communication is slow
- As a result, CPU and memory resources are consumed
Solution: Use SSL accelerator
2. Man-in-the-middle attack (MITM attack) :
2.1 definition:
A man-in-the-middle (MITM) attack is an indirect intrusion attack in which a computer controlled by an intruder is technically placed between two communicating computers in a network connection. The computer is called a “middleman”.
In short, a so-called MITM attack works by intercepting normal network traffic, tampering with it and sniffing it out, without the knowledge of either side of the communication.
SMB session hijacking and DNS spoofing are typical MITM attacks.
Conclusion:
🤔 interview question: what is the difference between HTTP and HTTPS and websocket?
HTTP developed from 0.9 to 3, although widely used, but with stateless, connectionless, plaintext transmission insecure defects,
So with the HTPPS protocol based on SSL (Secure Socket) encryption, HTTPS is really HTTP with encryption and authentication added.
Encryption methods are classified into asymmetric encryption and symmetric encryption. HTTPS encryption uses a combination of the two, that is, the asymmetric encryption public key is used to encrypt the symmetric encryption key, while the asymmetric encryption public key is issued by the CA authority with a digital signature, that is, the SSL certificate
Because the process requires encryption and decryption, HTPPS consumes more memory resources such as CPU than HTTP, and communication is slower than HTTP
Websocket is another protocol that has the advantages of long connection and server push. It is a full-duplex protocol. But he needs HTTP to tell the server that the communication protocol has changed in order to shake hands. Can achieve push technology, generally used in social chat, collaborative editing and other scenarios