Offer to come, dig friends take it! I am participating in the 2022 Spring Recruit Punch card activity. Click here for details.

HTTP and HTTPS are the two protocols that we use a lot in our browsers, but when we use HTTPS, there’s always a little lock in the browser that tells us that it’s a secure link, and when we use HTTP, it tells us that it’s not a secure link, and boy, just one letter is missing and your browser has to treat it differently, right?

Because HTTP is not very secure

In fact, HTTP is a plaintext transmission protocol, using it to transmit content is equivalent to running. Can you imagine the scene of social death when your private messages to others are read by strangers?

Of course, as a front-end, I see HTTPS and HTTP data in the browser as’ clear text ‘. After all, the request has been sent to me, so how can I prove that my information is actually clear text when I use HTTP? WireShark: You can use wireShark to capture a packet

So why is HTTPS secure?

The answer, backed by three algorithms and endorsed by reputable institutions

Symmetric encryption

It’s definitely not enough to just say the last line, but to expand a little bit

Since we know that HTTP is transmitted in plaintext, if someone uses wireShark to capture a packet, your information may be leaked, so the content sent by both parties can be seen

To solve this problem, we can use symmetric encryption to encrypt the content, that is, AES algorithm. Symmetric encryption means that both sides of communication use the same key to encrypt and decrypt the transmitted content. The process is as follows

Notice a small details, we are through the encryption to decrypt the key to complete, so the encryption over also not line, a single sender and receiver need to have the key, the key can’t be there from the start, some of the key can’t be in when I buy a computer would be ok, like I need the nuggets key, Do I have to go to the Nuggets’ server and ask for the key?

So it must be in the process of communication by the way, could you send three times (such as shaking hands after the first transmission), and the key to send the same operation because caught, there is blocked by middle of may, so the key to send is unsafe, one thousand the middlemen take my key, I later not is he saw the communication content?

So in the face of the Internet information transmission using symmetric encryption is not realistic, equivalent to a loud plot, it applies to the scene is more suitable for both sides of the communication has been agreed in advance, more information about symmetric encryption please consult, Caesar password is symmetric encryption

Asymmetric encryption

Symmetric encryption can not also asymmetric encryption, corresponding to the RSA algorithm, the core mechanism of asymmetric encryption is the public key and private key mechanism, in short, is that everyone can see the public key, and the private key only I have, can be vividly explained by the following figure

The person with the public key can put mail in my mailbox, and I have the private key to open my mailbox and take out the mail and read it

The specific process is as follows

Even if my roommate intercepts my request, he does not know what is inside. Even if his bad batch modifies the content of my package, does the server regard it as garbage data

But there are three problems with asymmetric encryption

  1. It’s slow if I’m going to be on myGETRequest encryption,GETThe request ofurlThe length ofChromeIs restricted to8182It could take a long time if all of them are encrypted
  2. How do I get your public key?
  3. How do I know it’s your public key?

Asymmetry plus symmetry

For the first question above, asymmetric encryption is slow, so I use symmetric encryption, but symmetric encryption requires a key, and transmission is risky, so I use asymmetric encryption to transmit the symmetric encryption key, as shown in the figure below

There is another question. How do I get your public key? Two computers on the Internet may be thousands of miles apart, and the public key is still transmitted through the HTTPS TLS handshake

In the process of the figure above, the main key is locally generated, cannot know middleman, and using public key encryption in the transmission process, broker without the private key cannot know, ensures the data privacy, but said earlier the key transmission can be found, also have the same problems and symmetric encryption, the broker can modify our public key, Even fake servers, as shown below

The middleman intercepts the request, tricks it with its own generated public key to sneak into the browser’s message

The digital certificate

This step is called “endorsement by well-known institution”. The well-known institution is required to prove that my “public key” is my public key. After receiving the public key, the recipient can compare with the well-known institution, which is usually called CA or Certificate Authority

Use the CA’s private key to encrypt the information provided by your server (public key and server-related information) to obtain a digital signature. When making an HTTP request to the server, the server adds the digital signature to the public key and server-related information, which is often called a digital certificate

In a nutshell, why would passing a public key like this not be used maliciously by a middleman

  1. First of all,CAThe public key is already stored on your computer, so there is no man-in-the-middle attack unless your computer has been maliciously designed
  2. Digital certificatehashThe algorithm encrypts the contents of the digital certificate, gets the digest,HashIt is one-way encryption, the middleman can not decrypt, can only be modified, but when the digital certificate arrives at the browser will be a digital signature comparison process, if found usingCAThe contents and the public key solutionCAThe encrypted contents of the private key are inconsistent, which means it’s been tampered with, and this connection is not trusted. Attention, little details, wehashAfter getting the summary, it is small enough, because the public key we provide as well as some related information may be a lot, whileRSAAsymmetric encryption is time-consuming, and it is wasteful to directly compare the text to determine whether the digital certificate has been tampered withHashthe
  3. And then the middleman intercepts itHTTPS, which replaces it with its own generated public and private keysCAThe public and private keys of an organization cannot be trusted by browsers, which use local storageCAPublic key decryption cannot be trusted. Note: there is no point in the middleman getting the server’s public key

Note that all the communication parties need to establish a trusted link is the server’s public key

In the end, an HTTPS TLS handshake is added to help you understand

conclusion

  1. HTTPSBefore establishing a request, issue a digital certificate
    1. Authentication, getting the right public key, is the right server to request
    2. Integrity verification to ensure that the public key has not been tampered with
  2. Asymmetric encryption (RSA), the browser encrypts the symmetric key with the public key and sends it to the server. The server decrypts it with the private key, and the middleman cannot obtain the information without the private key
  3. The communication parties use symmetric keys to encrypt information transmission, speed ratioRSAFast. The middleman can’t decrypt the message without knowing the symmetric key

The resources

Principles of digital signature and digital certificate