concept
HTTP:
Hypertext Transfer Protocol (HYPERtext Transfer Protocol), the most widely used network protocol on the Internet, is a client – and server-side request and response standard (TCP), used to transfer hypertext from the WWW server to the local browser transport protocol, it can make the browser more efficient, reduce network traffic.
HTTPS:
The HTTP channel aims at security. In short, it is the secure version of HTTP, that is, SSL layer is added under HTTP. The security foundation of HTTPS is SSL, so the details of encryption need SSL.
HTTPSThe main functions of the agreement are:Establish an information security channel to ensure the transfer of arrays and ensure the authenticity of the site.
The difference between
| HTTP | HTTPS |
|---|---|
| HTTP is a hypertext transfer protocol, and information is transmitted in plain text | HTTPS is a secure SSL encrypted transport protocol |
| Default port: 80 | Default port: 443 |
The HTTP connection is simple, yesstatelessthe |
The HTTPS protocol is constructed using SSL and HTTPSThe encrypted,The identity authenticationNetwork protocol, more secure than HTTP protocol |
The working principle of
HTTP:
1. The Client establishes a connection with the Server and clicks a hyperlink to start the HTTP work.
2. After the connection is established, the Client sends a request to the Server in the format of a uniform resource Identifier (URL), protocol version number, followed by MIME information including request modifiers, Client information, and possible contents.
3. After the Server receives the request, it gives the corresponding response information in the format of a status line, including the protocol version number of the message, a successful or error code, followed by MIME information including Server information, entity information and possible content.
4. The Client receives the information from the Server and displays it on the user’s screen. Then the Client disconnects from the Server.
HTTPS:
1. The Client accesses the Web server using the HTTPS URL and requires an SSL connection with the Web server.
2. After receiving the request from the client, the Web server sends a copy of the certificate information (including the public key) of the website to the client.
3. The browser of the client and the Web server start to negotiate the security level of the SSL connection, that is, the level of information encryption.
4. The browser of the client establishes the session key according to the security level agreed by both parties, and then encrypts the session key using the public key of the website and transmits it to the website.
5. The Web server decrypts the session key using its own private key.
6. The Web server uses the session key to encrypt the communication with the client.
7,
The public key encryption mode is used in the key exchange stage, and the shared key encryption mode is used in the communication exchange message establishment stage.
Pros and cons of HTTPS
| advantages | disadvantages |
|---|---|
| Using THE HTTPS protocol, users and servers can be authenticated to ensure that data is sent to the correct clients and servers | The HTTPS protocolThe handshake phase is time-consuming, increasing page load times by nearly 50%And increase electricity consumption by 10 to 20 percent |
The HTTPS protocol is constructed using SSL and HTTPCan encrypt transmission, identity authenticationThe HTTP protocol is more secure than the HTTP protocol, which prevents data from being stolen or changed during transmission and ensures data integrity |
HTTPS connection caching is not as efficient as HTTP, which increases data overhead and power consumptionEven existing security measures may be affected |
| HTTPS is the most secure solution under the current architecture, and while it is not absolutely secure, it significantly increases the cost of man-in-the-middle attacks | SSL certificates cost money, the more powerful the certificate cost higher, personal websites, small websites do not need to generally do not use |
| SSL certificates usually need to be bound to IP addresses. Multiple domain names cannot be bound to the same IP address. IPv4 resources cannot support such consumption | |
The HTTPS protocol also has a limited range of encryption, has little effect on hacks, denial-of-service attacks, server hijacking, etc. And most importantly,The credit chain system of SSL certificates is not secureMan-in-the-middle attacks can also work, especially if some countries can control the CA root certificate. |
How do I switch a website from HTTP to HTTPS
You need to change all links on your page, such as JS, CSS, images, etc., from HTTP to HTTPS (although it is recommended to keep HTTP if you switch from HTTP to HTTPS).
While switching from HTTP to HTTPS, it is recommended to keep HTTP. So we can do HTTP and HTTPS compatibility when switching, the specific implementation is to remove the HTTP header in the page link, so that the HTTP header and HTTPS header can automatically match. For example, change www.baidu.com to //www.baidu.com. Then, when the user accesses the page through HTTP, the page is HTTP. If the user accesses the page through HTTPS, the page is HTTPS.
More and more
HTTPS encryption process
See big guy’s HTTPS encryption process
