one

Basic concepts of HTTP and HTTPS

1. HTTP: the most widely used network protocol on the Internet. It is a client-server request/response standard (carried over TCP) used to transmit hypertext from a WWW server to the local browser; it lets the browser work more efficiently and reduces the amount of network transmission.

2. HTTPS: an HTTP channel designed for security. Simply put, it is the secure version of HTTP: an SSL layer is added beneath HTTP.

3. The HTTPS protocol has two main functions: one is to establish an information-security channel that protects the data in transit; the other is to verify the authenticity of the site.

two

HTTP security risks

1. Privacy leakage

Since HTTP itself transmits in plaintext, the content exchanged between the user and the server can be read by intermediaries. This means that what you search for, buy, visit and click on can all be seen by a man in the middle.

2. Page hijacking

The risk of privacy disclosure is relatively hidden, and users are not aware of it. The effects of another type of hijacking are more obvious and immediate: page hijacking, that is, directly tampering with the page a user is browsing.

three

HTTP hijacking classification

Hijacking paths fall into three classes: DNS hijacking, client hijacking, and link hijacking.

As shown in the figure.

four

The steps HTTPS follows when communicating with a Web server

1. The client accesses the Web server using an HTTPS URL and requests an SSL connection to the Web server.

2. After receiving the client's request, the Web server sends the client a copy of the website's certificate information (including the public key).

3. The client's browser and the Web server negotiate the security level of the SSL connection, that is, the strength of the encryption.

4. The client's browser generates a session key according to the security level agreed by both parties, encrypts the session key with the website's public key, and sends it to the website.

5. The Web server decrypts the session key using its own private key.

6. The Web server uses the session key to encrypt the communication with the client.

As shown in the figure.

five

The advantages of HTTPS

1. Identity authentication

Using the HTTPS protocol, users and servers can authenticate each other, ensuring that data is sent to the correct clients and servers.
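As an added example (not code from the original article), the following Python shows the client side of this authentication, the counterpart of steps 2 and 3 in section four: a weak `ssl.SSLContext` that switches off certificate and hostname checking, beside a hardened one that requires a certificate chaining to a trusted CA, checks the hostname, and refuses anything below TLS 1.2. The function names are my own and no network connection is made; `context_report` only inspects the settings.

```python
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The 'before': validation switched off. Any certificate is accepted,
    so the client cannot verify the authenticity of the site (the second
    function of HTTPS listed in section one)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode may become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # the certificate chain is not validated at all
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The 'after': the server must present a certificate that chains to a
    trusted CA and matches the requested hostname, and the connection must
    use at least TLS 1.2 (the 'security level' negotiated in step 3)."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED, check_hostname, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and TLS 1.1
    return ctx


def context_report(ctx: ssl.SSLContext) -> dict:
    """Summarise the properties a reviewer would check on a client context."""
    return {
        "verifies_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "minimum_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, context_report(ctx))
```

The insecure context still encrypts the connection, but because it accepts any certificate an intermediary can present its own key and the client will encrypt the session key to the wrong party; the hardened context is what `hardened_client_context().wrap_socket(sock, server_hostname=...)` would enforce before any HTTP data is sent.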


2. Content encryption: anti-eavesdropping

HTTPS is a network protocol that combines SSL with HTTP to encrypt transmission and authenticate identity. It is more secure than HTTP and prevents data from being stolen in transit.

3. Consistency verification: tamper-proof

A MAC computed over the data with the shared key prevents intermediaries from tampering with message content and ensures the integrity (consistency) of the data.
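Added example (not from the original article): the tamper check described in this item, implemented with Python's standard `hmac` module. The shared key is assumed to be a session key both sides already hold after the handshake in section four (the value here is constructed); the HTTP response and the injected advertisement are constructed sample data that illustrate the page hijacking from section two.

```python
import hashlib
import hmac
from typing import Optional

# Assumption: both sides already share this session key (constructed value,
# standing in for the key agreed during the handshake in section four).
SESSION_KEY = b"constructed-session-key-do-not-reuse"


def protect(key: bytes, message: bytes) -> bytes:
    """Append an HMAC-SHA256 tag computed with the shared key to the message."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def unprotect(key: bytes, frame: bytes) -> Optional[bytes]:
    """Split the frame into message and tag, recompute the tag, and return the
    message only if the tags match (constant-time compare). Returns None on
    any tampering or on a wrong key, so the receiver never acts on it."""
    tag_len = hashlib.sha256().digest_size
    if len(frame) < tag_len:
        return None
    message, tag = frame[:-tag_len], frame[-tag_len:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return message


# Constructed sample: a plain HTML response as the server sent it.
ORIGINAL_PAGE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><h1>Account</h1></body></html>"
)
# Constructed sample: an advertisement an intermediary injects into the page
# (the page hijacking described in section two).
INJECTED = b'<div class="ad">Buy now!</div>'


def demo() -> dict:
    """Show that an intact frame is accepted while a modified page or a
    frame checked with the wrong key is rejected."""
    frame = protect(SESSION_KEY, ORIGINAL_PAGE)
    tampered = frame.replace(b"</body>", INJECTED + b"</body>")
    return {
        "intact_accepted": unprotect(SESSION_KEY, frame) == ORIGINAL_PAGE,
        "injected_rejected": unprotect(SESSION_KEY, tampered) is None,
        "wrong_key_rejected": unprotect(b"some-other-key", frame) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Without the key an intermediary can alter the page but cannot produce a tag that verifies, so the modified response is dropped instead of rendered. Modern TLS cipher suites fold this check into an AEAD construction rather than a separate MAC, but the receiver's rule is the same: any record whose tag fails to verify is discarded.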

4. HTTPS network transmission is relatively secure and greatly increases the cost of a man-in-the-middle attack.

six

The disadvantages of HTTPS

1. Slow speed

(1) Network time

Network transfers that must take place because the protocol requires them, such as the full SSL handshake and 302 redirects. The HTTPS handshake phase is time-consuming: it lengthens page loading time by nearly 50% and increases power consumption by 10% to 20%.

(2) Calculation time

Both the client and the server must perform symmetric encryption and decryption, protocol parsing, private-key computation, certificate verification and other calculations, which adds considerable computing time.

2. HTTPS connection caching is not as efficient as HTTP's, which increases data overhead and power consumption and can even affect existing security measures.

3. High cost

(1) Server cost

HTTPS private-key computation causes a sharp decline in server performance, to less than one tenth of HTTP's. That is, if HTTP performance is 10,000 CPS, HTTPS performance may be only a few hundred CPS, which increases server cost several times or even tens of times.

(2) Certificate cost

Depending on the number and type of certificates, they can cost anywhere from a few hundred to several million a year.

(3) Development, operation and maintenance costs

The HTTPS protocol is complex. Technical staff with the relevant professional background are needed to follow up on protocol configuration, certificate renewal, expiration monitoring, client compatibility and similar issues.

seven

The main differences between HTTPS and HTTP

1. HTTPS requires applying to a CA for a certificate. Free certificates are generally scarce, so some fees are required.

2. HTTP is a hypertext transfer protocol in which information is transmitted in plaintext; HTTPS is a secure, SSL-encrypted transport protocol.

3. HTTP and HTTPS use completely different connections and different ports: 80 for the former and 443 for the latter.

4. HTTP connections are simple and stateless; HTTPS is a network protocol built from SSL and HTTP that encrypts transmission and authenticates identity, and it is more secure than HTTP.