HTTPS

HTTPS (HTTP over SSL) adds the encryption capability of SSL to HTTP.

Before dissecting SSL, we need to understand some concepts:

Encryption

Encryption is classified into symmetric encryption and asymmetric encryption.

Symmetric encryption

Both parties use the same key to encrypt and decrypt messages. If that key is leaked during transmission, the messages both parties send are no longer secret at all.

Asymmetric encryption

Each party generates a public key and a private key. The private key is kept for decrypting messages sent by the other party, and the public key is sent to the other party for encrypting the messages to be sent. In this way, even if the public key is leaked, others cannot decrypt the messages.

But asymmetric encryption has a problem of its own: if the sender's public key is intercepted in transit, a middleman can generate a fake public key and send it to the other party instead, who then encrypts the message with the fake public key. When the middleman intercepts that message, he can use his own private key to decrypt it.

CA & Digital certificate

As mentioned above, asymmetric encryption solves the encryption problem but leaves a trust problem: is the public key sent by the other party genuine? Answering that question requires a digital certificate.

The Certificate Authority (CA) is an organization that issues HTTPS certificates. It provides identity certificates for websites, which can prevent man-in-the-middle attacks against them.
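
The trust problem and its fix, as an added example that is not part of the original article: a toy CA signs a (host name, public key) pair with textbook RSA, and the client's check rejects a swapped key, a certificate signed by an untrusted key, and a wrong host name. The toy key sizes, the `example.test` name and every function name here are assumptions made for illustration; real certificates use X.509 and padded signature schemes.

```python
import hashlib

E = 65537  # common RSA public exponent

def keypair(p, q):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (n, E), (n, d)

def digest(subject, pub, n):
    """Hash the certified fields (subject name and public key) into Z_n."""
    data = f"{subject}|{pub[0]}|{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(subject, pub, signer_priv):
    """The signer (normally the CA) signs the (subject, public key) pair."""
    n, d = signer_priv
    sig = pow(digest(subject, pub, n), d, n)
    return {"subject": subject, "pub": pub, "sig": sig}

def verify(cert, host, ca_pub):
    """Client-side check: the name matches and the trusted CA signed it."""
    n, e = ca_pub
    if cert["subject"] != host:
        return False
    return pow(cert["sig"], e, n) == digest(cert["subject"], cert["pub"], n)

# Constructed toy keys built from Mersenne primes; far too weak for real use.
CA_PUB, CA_PRIV = keypair(2**107 - 1, 2**127 - 1)
SERVER_PUB, _ = keypair(2**61 - 1, 2**89 - 1)
MITM_PUB, MITM_PRIV = keypair(2**31 - 1, 2**521 - 1)

def demo():
    genuine = issue("example.test", SERVER_PUB, CA_PRIV)
    swapped = dict(genuine, pub=MITM_PUB)  # public key replaced in transit
    self_signed = issue("example.test", MITM_PUB, MITM_PRIV)  # untrusted signer
    return {
        "genuine": verify(genuine, "example.test", CA_PUB),
        "swapped_key": verify(swapped, "example.test", CA_PUB),
        "self_signed": verify(self_signed, "example.test", CA_PUB),
        "wrong_host": verify(genuine, "other.test", CA_PUB),
    }

if __name__ == "__main__":
    print(demo())
```

Only the certificate that carries the CA's signature over the exact key and name the client expects passes; the client needs nothing but the CA's public key to tell the difference.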

TLS & SSL process

SSL: Secure Socket Layer.

TLS: Transport Layer Security, an upgrade of SSL 3.0.

The SSL process is divided into three parts:

  1. The website administrator applies for a digital certificate from the CA
  2. The browser performs a handshake with the server, and the server sends the certificate to the client for authentication
  3. After verifying the validity of the certificate, the two parties use the symmetric encryption key generated by the server for subsequent communication

Note: HTTPS uses symmetric encryption for content transmission. Asymmetric encryption is used only in the certificate authentication phase.

Why is data transmission symmetric?

  • Asymmetric encryption is very inefficient at encrypting and decrypting. HTTP application scenarios usually involve a lot of end-to-end interaction, so the efficiency of asymmetric encryption is unacceptable.
  • In the HTTPS scenario, only the server holds a private key, and the client does not generate an asymmetric key pair. A single pair of public and private keys can only be used for one-way encryption and decryption. Therefore, content transmission in HTTPS is encrypted symmetrically rather than asymmetrically.
