A. HTTP and HTTPS
1. The difference between HTTP and HTTPS
- A. What is HTTPS? A protocol for secure communication: HTTP carried over an encrypted SSL/TLS connection
- B. Why is it safe? – HTTPS still uses HTTP for the messages themselves, but wraps them in SSL/TLS, which encrypts the data packets and authenticates the server
- C. What was the purpose of creating HTTPS? – to authenticate the identity of the server (website) and to keep the data private and untampered
- D. How to use HTTPS? You need to obtain a certificate for the server from a CA (commercial CAs charge for this; some CAs issue certificates free of charge) and install it, together with its private key, on the server
All right, let's talk about the differences
- First of all, HTTP is transmitted in clear text; HTTPS is encrypted by SSL/TLS
- The default HTTP port is 80, and the default HTTPS port is 443
- An HTTP connection is simple and stateless, whereas HTTPS is HTTP layered on SSL/TLS, which adds encrypted transmission and identity authentication, so it is more secure
Problems HTTPS solves
- An HTTPS server needs to obtain a certificate from a CA that proves the server's identity (it binds the server's host name to its public key). The client trusts the host only if that certificate is presented by the server it names and chains to a CA the client trusts
- Prevents eavesdropping on and tampering with data in transit
- HTTP: the client opens a connection to server port 80 (the default) and sends an HTTP request to it
- HTTPS: the client opens a connection to server port 443 (the default), shakes hands with the server, exchanging the SSL/TLS security parameters, and then sends the HTTP request encrypted
- What does HTTPS do during the handshake? – Exchanges protocol version numbers, selects a cipher suite understood by both ends, authenticates the ends (normally only the server; client certificates are optional), and generates a temporary session key to encrypt the channel
2. Differences between HTTP1.1 and HTTP1.0
- A. Cache handling – 1.0 used If-Modified-Since and Expires in the headers as the caching standard. 1.1 introduced more cache-control policies (Cache-Control, ETag / If-None-Match, and so on).
- B. Bandwidth optimization and use of network connections – 1.0 can only transmit the whole object and does not support resuming an interrupted transfer. 1.1 added the Range header field, which lets the client request part of a resource, so bandwidth is used more fully
- C. Error notification management – 1.1 added 24 new status codes. For example, 409 (Conflict) indicates a conflict with the current state of the resource
- D. Host header processing – 1.0 assumed that each host was bound to a unique IP address, so the host name was not transmitted in the request. With the growth of virtual hosting, one physical server with a single IP address can serve many virtual hosts, so the host name has to be transmitted. 1.1 therefore makes the Host header mandatory; a request without it is rejected with 400 (Bad Request).
- E. Long connections – 1.1 supports long (persistent) connections and request pipelining. Multiple HTTP requests and responses can be transmitted over one TCP connection, reducing the cost of opening and closing connections. Connection: keep-alive is the default in 1.1
3. New features of HTTP/2 compared to HTTP/1.x
- A. New binary format – HTTP/1.x parsing is text based, and text has many possible forms, so a robust implementation has to cover many scenarios and is naturally error-prone (two parsers disagreeing about where a text message ends is a classic source of security bugs). Binary framing only has to recognise 0 and 1, which makes the implementation simpler and more robust
- B. Multiplexing – connection sharing: many requests share one TCP connection, each request/response is a stream with its own ID, and the frames of different streams are interleaved on the connection
- C. Header compression – HTTP/1.x headers carry a lot of information that is repeated on every request. HTTP/2 compresses headers (HPACK), and both parties keep a header table, so a header that was already sent is transmitted as an index instead of being repeated, reducing the size that needs to be transmitted
- D. Server push – the server can push resources to the client before the client asks for them
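To make the binary framing and the multiplexing concrete, here is an added example (it is not code from the original notes) that builds and parses HTTP/2 frames and reassembles the DATA payloads of two interleaved streams. It only relies on the 9-byte frame header layout from RFC 7540; the frame sequence, the payloads and the single HPACK byte standing in for ":status 200" are constructed for the example, and no HPACK decoding is attempted.

```python
"""Parse the HTTP/2 binary framing layer (RFC 7540 section 4.1).

Every HTTP/2 frame starts with a 9-byte header:

    Length (24 bits) | Type (8) | Flags (8) | R (1) + Stream ID (31)

followed by exactly Length bytes of payload. Because the length is explicit,
there is no ambiguity about where a message ends, unlike text-based HTTP/1.x.
The sample buffer below is constructed by hand for this example.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List

# Frame type codes from RFC 7540 (subset).
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x8: "WINDOW_UPDATE"}
FRAME_HEADER_LEN = 9


@dataclass
class Frame:
    type_name: str
    flags: int
    stream_id: int
    payload: bytes


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload too large for the 24-bit length field")
    if stream_id >= 1 << 31:
        raise ValueError("stream id must fit in 31 bits")
    header = struct.pack(">I", len(payload))[1:]          # low 3 bytes of the length
    header += struct.pack(">BBI", ftype, flags, stream_id)  # reserved bit stays 0
    return header + payload


def parse_frames(buf: bytes) -> List[Frame]:
    """Split a byte buffer into frames; refuse truncated input instead of guessing."""
    frames = []
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < FRAME_HEADER_LEN:
            raise ValueError("truncated frame header at offset %d" % pos)
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags, sid = struct.unpack(">BBI", buf[pos + 3:pos + 9])
        sid &= 0x7FFFFFFF                                 # clear the reserved high bit
        start = pos + FRAME_HEADER_LEN
        end = start + length
        if end > len(buf):
            raise ValueError("truncated payload for frame at offset %d" % pos)
        frames.append(Frame(FRAME_TYPES.get(ftype, "UNKNOWN(%d)" % ftype), flags, sid, buf[start:end]))
        pos = end
    return frames


def demultiplex(frames: List[Frame]) -> Dict[int, bytes]:
    """Reassemble DATA payloads per stream: this is what multiplexing looks like on the wire."""
    streams: Dict[int, bytes] = {}
    for f in frames:
        if f.type_name == "DATA":
            streams[f.stream_id] = streams.get(f.stream_id, b"") + f.payload
    return streams


# Constructed sample: two responses interleaved on one connection. Streams 1 and 3
# are client-initiated (odd ids); their DATA frames alternate.
SAMPLE = (
    build_frame(0x4, 0x0, 0, b"")                  # SETTINGS on the connection stream 0
    + build_frame(0x1, 0x4, 1, b"\x88")           # HEADERS, END_HEADERS; 0x88 = HPACK ':status 200'
    + build_frame(0x1, 0x4, 3, b"\x88")
    + build_frame(0x0, 0x0, 1, b"<html>")
    + build_frame(0x0, 0x0, 3, b"{\"ok\":")
    + build_frame(0x0, 0x1, 1, b"</html>")        # END_STREAM
    + build_frame(0x0, 0x1, 3, b"true}")
)

if __name__ == "__main__":
    for fr in parse_frames(SAMPLE):
        print(fr.type_name, "stream", fr.stream_id, "flags", hex(fr.flags), fr.payload)
    print(demultiplex(parse_frames(SAMPLE)))
```

The parser rejects a truncated frame rather than returning a partial one; in a text protocol the same situation is exactly where one implementation would wait for more bytes while another treats what it has as a complete message.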
4. Solutions to slow HTTPS requests
- A. Access the IP address directly, skipping DNS resolution. Caveat: the server's certificate is issued for its host name, so the client must still send the original host name (Host header and TLS SNI) and verify the certificate against that name; connecting to a bare IP and skipping name verification throws away the identity check that HTTPS exists to provide
- B. Keeping the connection open (push-style alternatives) –
- The mobile client itself establishes a long-lived channel based on TCP, which reduces the pressure on the server (it avoids frequently creating and destroying connections). However, socket programming directly on TCP is relatively complicated.
- Long polling – the client sends a poll request to the server, but the server does not return business data immediately; it waits until new business data is generated, so the connection stays open, and a new poll request is sent as soon as the current one ends. This increases the pressure on the server, and stability is not good
- HTTP streaming – similar to polling, but it tells the server that the client still has data to receive and keeps the connection alive
- WebSocket – provides a two-way data channel over TCP and is simpler to use than raw byte-stream TCP sockets
5. Composition of HTTP requests and responses
- A. Request composition –
- (1) Request line – gives the request type (method), the request target and the HTTP version
- (2) Request headers – additional information for the server to use
- (3) Blank line – required; it separates the headers from the body
- (4) Request data (body) – may carry any data, and may be empty. Example request:
  GET /562f25980001b1b106000338.jpg HTTP/1.1
  Host: img.mukewang.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36
  Accept: image/webp,image/*,*/*;q=0.8
  Referer: http://www.imooc.com/
  Accept-Encoding: gzip, deflate, sdch
  Accept-Language: zh-CN,zh;q=0.8
- B. Response composition –
- Status line – consists of the HTTP version number, status code, and status message
- Message headers – additional information to be used by the client
- Blank line – required
- Response body – the data
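The following is an added example, not code from the original notes: a small HTTP/1.1 request parser that splits the four parts just listed (request line, headers, blank line, body) and applies the HTTP/1.1 rules from section 2: a request without a Host header is a 400, Range asks for part of a resource, and the connection stays open unless Connection: close is sent. The sample request is the one quoted above, typed in by hand with a Range header added; the resource sizes passed to parse_range are invented.

```python
"""Parse an HTTP/1.1 request and apply the Host, Range and keep-alive rules."""
from typing import Dict, Optional, Tuple

CRLF = "\r\n"


class BadRequest(Exception):
    """Raised where a real server would answer 400 Bad Request."""


def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str], bytes]:
    """Split raw bytes into (method, target, version, headers, body).

    The blank line (CRLF CRLF) is mandatory: it is the only thing that tells the
    parser where the headers stop and the body starts.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("missing blank line after headers")
    lines = head.decode("iso-8859-1").split(CRLF)
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise BadRequest("malformed request line: %r" % lines[0])
    method, target, version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # Reject whitespace around the field name: such lines are read differently
        # by different servers, which is how request smuggling starts.
        if not colon or not name or name != name.strip():
            raise BadRequest("malformed header line: %r" % line)
        headers.setdefault(name.lower(), value.strip())   # names are case-insensitive
    if version == "HTTP/1.1" and "host" not in headers:
        raise BadRequest("HTTP/1.1 request without Host header")
    return method, target, version, headers, body


def status_for(raw: bytes) -> int:
    """What a server answers the request line with: 400 if it does not parse, else 200."""
    try:
        parse_request(raw)
        return 200
    except BadRequest:
        return 400


def keep_alive(version: str, headers: Dict[str, str]) -> bool:
    """HTTP/1.1 is persistent by default; HTTP/1.0 only with Connection: keep-alive."""
    conn = headers.get("connection", "").lower()
    if version == "HTTP/1.1":
        return conn != "close"
    return conn == "keep-alive"


def parse_range(headers: Dict[str, str], size: int) -> Optional[Tuple[int, int]]:
    """Interpret a single 'bytes=start-end' Range; None means send the whole object.

    Returns an inclusive (start, end) pair clipped to the resource size, or raises
    ValueError for a range the server should answer with 416.
    """
    value = headers.get("range")
    if value is None:
        return None
    unit, eq, spec = value.partition("=")
    if unit != "bytes" or not eq or "," in spec:
        raise ValueError("unsupported Range: %r" % value)
    start_s, dash, end_s = spec.partition("-")
    if not dash:
        raise ValueError("malformed Range: %r" % value)
    if start_s == "":                                    # suffix range: the last N bytes
        n = int(end_s)
        if n == 0:
            raise ValueError("empty suffix range")
        return max(size - n, 0), size - 1
    start = int(start_s)
    end = int(end_s) if end_s else size - 1
    if start >= size or start > end:
        raise ValueError("range not satisfiable")
    return start, min(end, size - 1)


# Constructed sample: the request quoted in the notes, as it would appear on the wire.
SAMPLE_REQUEST = (
    "GET /562f25980001b1b106000338.jpg HTTP/1.1" + CRLF
    + "Host: img.mukewang.com" + CRLF
    + "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) Chrome/51.0.2704.106" + CRLF
    + "Accept: image/webp,image/*,*/*;q=0.8" + CRLF
    + "Referer: http://www.imooc.com/" + CRLF
    + "Accept-Encoding: gzip, deflate, sdch" + CRLF
    + "Accept-Language: zh-CN,zh;q=0.8" + CRLF
    + "Range: bytes=1000-1999" + CRLF
    + CRLF
).encode("iso-8859-1")

if __name__ == "__main__":
    method, target, version, headers, body = parse_request(SAMPLE_REQUEST)
    print(method, target, version, "keep-alive:", keep_alive(version, headers))
    print("range:", parse_range(headers, size=50000))
```

The parser is deliberately strict: a request that does not meet the grammar is refused with 400 rather than repaired, because a lenient parser that "fixes" a request is likely to disagree with the next hop about what the request meant.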
6. Understanding HTTP caching –
The HTTP caching mechanism relies on header fields in the request and response (such as Cache-Control, Expires, Last-Modified / If-Modified-Since and ETag / If-None-Match), which determine whether the response is served from the cache or fetched from (or revalidated with) the server
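As an added example (not from the original notes), here are the two halves of that mechanism in code: a cache deciding whether a stored response is still fresh from Cache-Control: max-age, falling back to the HTTP/1.0 Expires header, and a server answering a conditional request with 304 Not Modified when the ETag or Last-Modified validator still matches. All headers and timestamps are constructed for the example.

```python
"""Cache freshness and conditional-request validation for HTTP responses."""
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime
from typing import Dict, Optional, Tuple


def max_age(cache_control: Optional[str]) -> Optional[int]:
    """Extract max-age=N from a Cache-Control value; None if absent."""
    if not cache_control:
        return None
    for directive in cache_control.split(","):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.isdigit():
            return int(value)
    return None


def is_fresh(response_headers: Dict[str, str], stored_at: datetime, now: datetime) -> bool:
    """The check a cache performs before reusing a stored response without asking the server.

    no-store / no-cache force a trip to the server; max-age takes precedence over
    Expires when both are present (HTTP/1.1 semantics).
    """
    cc = response_headers.get("cache-control", "").lower()
    if "no-store" in cc or "no-cache" in cc:
        return False
    age = max_age(cc)
    if age is not None:
        return (now - stored_at).total_seconds() < age
    expires = response_headers.get("expires")
    if expires:
        try:
            return now < parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            return False                         # an unparsable Expires counts as expired
    return False                                 # no freshness information: revalidate


def conditional_headers(response_headers: Dict[str, str]) -> Dict[str, str]:
    """Build the revalidation request a cache sends once its copy is stale."""
    out: Dict[str, str] = {}
    if "etag" in response_headers:
        out["If-None-Match"] = response_headers["etag"]
    if "last-modified" in response_headers:
        out["If-Modified-Since"] = response_headers["last-modified"]
    return out


def serve(request_headers: Dict[str, str], current_etag: str, current_mtime: datetime) -> Tuple[int, Dict[str, str]]:
    """Server side: 304 when the client's validators still match, else 200 with fresh validators.

    If-None-Match wins over If-Modified-Since: modification time has one-second
    granularity and can match a resource that really did change.
    """
    inm = request_headers.get("if-none-match")
    if inm is not None:
        tags = [t.strip() for t in inm.split(",")]
        matched = "*" in tags or current_etag in tags
    else:
        matched = False
        ims = request_headers.get("if-modified-since")
        if ims:
            try:
                matched = current_mtime <= parsedate_to_datetime(ims)
            except (TypeError, ValueError):
                matched = False
    validators = {"ETag": current_etag, "Last-Modified": format_datetime(current_mtime, usegmt=True)}
    return (304 if matched else 200), validators


# Constructed sample: a response stored at T0 with both HTTP/1.1 and HTTP/1.0 freshness headers.
T0 = datetime(2016, 7, 1, 12, 0, 0, tzinfo=timezone.utc)
STORED = {
    "cache-control": "public, max-age=600",
    "expires": format_datetime(T0.replace(hour=13), usegmt=True),   # ignored while max-age is present
    "etag": '"v1"',
    "last-modified": format_datetime(T0, usegmt=True),
}

if __name__ == "__main__":
    print("fresh after 5 min:", is_fresh(STORED, T0, T0.replace(minute=5)))
    print("fresh after 20 min:", is_fresh(STORED, T0, T0.replace(minute=20)))
    req = {k.lower(): v for k, v in conditional_headers(STORED).items()}
    print("unchanged:", serve(req, '"v1"', T0))
    print("changed:", serve(req, '"v2"', T0.replace(minute=15)))
```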
7. HTTP Long Connection –
A. HTTP/1.0 uses short connections; HTTP/1.1 uses long connections by default. But what "long connection" really refers to is the TCP connection: TCP is a two-way channel that can be kept open for a period of time, so it is the TCP connection that is genuinely long or short. A long connection means that multiple HTTP requests reuse the same TCP connection, which saves a lot of the cost of establishing and tearing down TCP connections. Long connections are not permanent: if no HTTP request is sent for a period of time the connection is closed (the timeout can be set in the Keep-Alive header)
8. Principle of HTTPS encryption
- A. There are basically two types of encryption algorithms
- Symmetric encryption – encryption and decryption use the same key, for example AES
- Asymmetric encryption – the encryption key is a public key and the decryption key is a private key, for example RSA
- B. HTTPS = HTTP + SSL/TLS – the encryption in HTTPS is performed by the SSL/TLS layer
- C. So how exactly is it encrypted? – This starts from the CA certificate. A CA-issued certificate generally contains the following:
- Certificate issuer and version
- Certificate subject (the user of the certificate)
- Public key of the certificate
- Validity period of the certificate
- The CA's digital signature over the certificate, and the signature/hash algorithm used
- etc.
The signature in the certificate is the hash of the certificate contents signed with the CA's private key (the CA's private key is of course not in the certificate). After obtaining the certificate, the client uses the CA's public key (which it already holds in its trust store, or takes from the issuer's certificate) to recover hash-a from the signature, then computes hash-b over the certificate contents with the hash algorithm named in the certificate, and compares hash-a with hash-b. If they are equal, the certificate is genuine; the client also checks that it is within its validity period and that its subject matches the site being visited. Note that the signature is not verified with the public key inside the certificate itself: that key belongs to the server, and verifying with it would let anyone forge a certificate
- D. HTTPS (SSL/TLS) handshake procedure – assume client A and server B (this is the RSA key exchange of SSL/TLS up to TLS 1.2; TLS 1.3 and the ECDHE cipher suites instead derive the shared secret with an ephemeral Diffie-Hellman exchange, so random number 3 is never encrypted with the server's public key)
- When A accesses B, A generates random number 1 and sends it to B together with the SSL/TLS version numbers and encryption algorithms (cipher suites) that A supports
- After receiving this, B confirms the encryption algorithm both parties will use, generates random number 2, and sends random number 2 and its CA-issued certificate to client A
- After receiving the certificate, the client verifies its validity. Once it passes, the client generates random number 3 (the pre-master secret), encrypts it with the public key in the certificate and sends it to server B
- The server decrypts it with its private key to obtain random number 3. At this point A and B both hold random numbers 1, 2 and 3
- The two parties then use random numbers 1, 2 and 3 to generate the session key, and all subsequent content is transmitted symmetrically encrypted with this key, generally using AES
- Client A notifies server B that the subsequent session will be encrypted with the session key, and tells B that the client handshake is complete
- Server B notifies client A that the subsequent session will be encrypted with the session key, and tells A that the server handshake is complete
- After the SSL/TLS handshake is complete, application data is exchanged encrypted. Client A and server B use the same symmetric key to communicate
9. How does HTTPS protect against man-in-the-middle attacks
- A. What is a man-in-the-middle attack? – a man-in-the-middle attack occurs when data is transferred between a device and a server and an attacker places himself between the two ends and intercepts the data: the two sides think they are talking to each other, but each is actually talking to the intermediary.
- B. How to prevent a man-in-the-middle attack –
- Suppose A sends a Hello to server B. Instead of reaching B directly, it goes to middleman C, who forwards the Hello to B. On the surface A is talking to B, but everything passes through C. B replies with its certificate (containing its public key) and random number 2; A generates random number 3, encrypts it with B's public key and sends it to B. C intercepts this message, but without B's private key C cannot decrypt it, cannot obtain all three random numbers 1, 2 and 3, and therefore cannot learn the real content of the encrypted traffic between A and B
- Now suppose C also holds a valid certificate of its own. When A sends its Hello, C presents its own certificate to A while pretending to be the server, and forwards the Hello to B while pretending to be the client; C then completes a handshake with each side and can read everything, which completes the man-in-the-middle attack. The defence is that the client must verify the certificate the server returns: it must chain to a CA the client trusts, and its subject name must be the name of the site being visited, so C's certificate, valid as it is, is rejected because it was not issued for that site. A client can go further and pin the expected public key or certificate of the site it wants to reach
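To tie sections 8 and 9 together, here is an added example, written for these notes and not taken from the original page, and emphatically not real TLS: textbook RSA over two fixed primes with no padding stands in for real signatures and encryption, HMAC-SHA256 stands in for the TLS key derivation, and the CA, the host names ("img.mukewang.com", "attacker.example") and all random values are constructed here. What it does reproduce is the structure the notes describe: hash-a recovered with the CA's public key against hash-b computed from the certificate body, random numbers 1/2/3 turned into one session key on both sides, and the two man-in-the-middle cases: a middleman who cannot decrypt random number 3 without the private key, and a middleman whose own valid certificate is rejected because its name is not the site's.

```python
"""Toy model of certificate verification, RSA key exchange and the MITM cases."""
import hashlib
import hmac
import json
import os
from typing import Dict, Tuple

Key = Tuple[int, int]  # (exponent, modulus)


def toy_rsa_keypair(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Textbook RSA from two given primes; returns (public, private). Insecure toy."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)


def rsa_apply(key: Key, m: int) -> int:
    return pow(m, key[0], key[1])


def cert_hash(body: Dict, modulus: int) -> int:
    """hash-b: SHA-256 over the certificate body (reduced mod the CA modulus, toy only)."""
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).digest()
    return int.from_bytes(digest, "big") % modulus


def issue_cert(ca_priv: Key, subject: str, subject_pub: Key) -> Dict:
    """The CA signs hash(body) with its private key; that key never appears in the cert."""
    body = {"issuer": "Toy CA", "subject": subject, "public_key": list(subject_pub), "hash_alg": "sha256"}
    return {"body": body, "signature": rsa_apply(ca_priv, cert_hash(body, ca_priv[1]))}


def verify_cert(cert: Dict, ca_pub: Key, expected_host: str) -> bool:
    """Client check: hash-a recovered with the CA's public key == hash-b, and the name matches."""
    hash_a = rsa_apply(ca_pub, cert["signature"])
    hash_b = cert_hash(cert["body"], ca_pub[1])
    return hash_a == hash_b and cert["body"]["subject"] == expected_host


def derive_session_key(r1: bytes, r2: bytes, r3: int) -> bytes:
    """Both ends mix randoms 1, 2 and 3 into the symmetric key (HMAC in place of the TLS PRF)."""
    return hmac.new(r3.to_bytes(8, "big"), b"session key" + r1 + r2, hashlib.sha256).digest()


def handshake(expected_host: str, server_cert: Dict, server_priv: Key, ca_pub: Key) -> Dict:
    """The exchange from section 8; returns both sides' keys and what was visible on the wire."""
    r1 = os.urandom(16)                                  # client random 1 (ClientHello)
    r2 = os.urandom(16)                                  # server random 2 (sent with the certificate)
    if not verify_cert(server_cert, ca_pub, expected_host):
        raise ValueError("certificate rejected: bad signature or wrong site")
    r3 = int.from_bytes(os.urandom(4), "big")            # client random 3 (pre-master secret)
    enc_r3 = rsa_apply(tuple(server_cert["body"]["public_key"]), r3)
    server_r3 = rsa_apply(server_priv, enc_r3)           # only the private key undoes this
    return {
        "wire": {"r1": r1, "r2": r2, "enc_r3": enc_r3},  # everything a middleman C can see
        "pre_master": r3,                                # kept here only so the tests can check it
        "client_key": derive_session_key(r1, r2, r3),
        "server_key": derive_session_key(r1, r2, server_r3),
    }


# Constructed keys and certificates. 1000000007, 998244353 and 2147483647 (2^31 - 1)
# are primes; the resulting moduli are far too small for real use.
CA_PUB, CA_PRIV = toy_rsa_keypair(1000000007, 998244353)
SERVER_PUB, SERVER_PRIV = toy_rsa_keypair(2147483647, 998244353)
ATTACKER_PUB, ATTACKER_PRIV = toy_rsa_keypair(2147483647, 1000000007)
SERVER_CERT = issue_cert(CA_PRIV, "img.mukewang.com", SERVER_PUB)
ATTACKER_CERT = issue_cert(CA_PRIV, "attacker.example", ATTACKER_PUB)  # valid, but for another name


def mitm_with_own_cert(expected_host: str) -> bool:
    """Section 9, second case: C presents its own CA-signed certificate. Does the client accept it?"""
    return verify_cert(ATTACKER_CERT, CA_PUB, expected_host)


def mitm_with_forged_body(expected_host: str) -> bool:
    """C copies B's certificate but swaps in its own public key: the signature no longer matches."""
    forged = {"body": dict(SERVER_CERT["body"], public_key=list(ATTACKER_PUB)),
              "signature": SERVER_CERT["signature"]}
    return verify_cert(forged, CA_PUB, expected_host)


def mitm_without_private_key(enc_r3: int, real_r3: int) -> bool:
    """Section 9, first case: C relays B's real certificate and tries its own key on random 3."""
    return rsa_apply(ATTACKER_PRIV, enc_r3) == real_r3


if __name__ == "__main__":
    result = handshake("img.mukewang.com", SERVER_CERT, SERVER_PRIV, CA_PUB)
    print("keys agree:", result["client_key"] == result["server_key"])
    print("C's own cert accepted:", mitm_with_own_cert("img.mukewang.com"))
```

Two points the toy makes visible: the name check in verify_cert is as important as the signature check, since C's certificate passes the signature check perfectly; and random number 3 is the only secret input to the session key, which is why a server private key that leaks later also exposes every recorded RSA-key-exchange session (the forward-secrecy problem that (EC)DHE in TLS 1.3 removes).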