What is HTTPS, and what does SSL have to do with HTTPS

Source: Internet
Author: User

What is HTTPS

HTTPS is 'Hyper Text Transfer Protocol' over Secure Sockets Layer (SSL).

The main idea of HTTPS is to create a secure channel over an insecure network and to provide reasonable protection against eavesdropping and man-in-the-middle attacks, provided that suitable cipher suites are used and the server certificate can be verified and trusted.
HTTPS inherits its trust from certificate authorities preinstalled in the browser (such as VeriSign, Microsoft, and so on); in other words, "I trust the certificate authority to tell me whom I should trust". Therefore, an HTTPS connection to a website can be trusted if and only if:

  • The user believes that the browser implements HTTPS correctly and that the correct certificate authorities are installed;
  • The user trusts that the certificate authority vouches only for legitimate websites;
  • The website being visited presents a valid certificate, meaning one issued by a trusted certificate authority (most browsers warn about invalid certificates);
  • The certificate correctly identifies the website being visited (for example, when you access Https://example you receive the certificate of "Example INC" rather than that of some other organization);
  • Either the intermediate nodes on the Internet are trustworthy, or the user believes that the encryption layer of the protocol (TLS or SSL) cannot be broken by an eavesdropper.
What's the relationship with SSL?

As you can see from the definition

Why use HTTPS

The HTTP protocol and the security protocol both belong to the application layer (the highest layer of the OSI model); specifically, the security protocol sits below HTTP and above the transport layer. It provides a TCP-like socket to the process running HTTP, into which that process writes its messages. The security protocol encrypts each message and writes it to the transport-layer socket, or reads an encrypted message from the transport layer and decrypts it for the corresponding process. Strictly speaking, HTTPS is not a separate protocol, but simply the regular HTTP protocol carried over an encrypted connection (TLS or SSL).
Everything in an HTTPS message is encrypted, including all headers and the payload. Apart from possible chosen-ciphertext attacks (see the Restrictions section), an attacker can learn only that a connection exists between the two parties.

It encrypts all headers and the payload, and is therefore relatively safe.

How HTTPS works

For a web server to accept HTTPS connections, the administrator must create a digital certificate and have it signed by a certificate authority so that browsers will accept it. The certificate authority verifies that the holder of the certificate really is who it claims to be. Browsers usually ship with the certificate authorities' certificates preinstalled, so they can verify the signature.

In a nutshell, the handshake with a certificate works as follows:

1. The browser sends the set of cipher suites it supports to the website.
2. The website selects a cipher suite and a hash algorithm, and sends its identity back to the browser in the form of a certificate. The certificate contains the website's address, its public key, and the authority that issued the certificate.
3. After obtaining the website's certificate, the browser does the following:
a) Verifies the validity of the certificate (the issuing authority is trusted, the address in the certificate matches the address being visited, and so on). If the certificate is trusted, the browser shows a small lock in the address bar; otherwise it prompts that the certificate is not trusted.
b) If the certificate is trusted, or the user accepts an untrusted certificate, the browser generates a random number to use as a password and encrypts it with the public key in the certificate.
c) Computes a hash of the handshake messages with the agreed hash algorithm, encrypts it with the generated random number, and sends everything generated so far to the website.
4. After the website receives the data from the browser, it does the following:
a) Decrypts the data with its own private key to obtain the password, uses the password to decrypt the browser's handshake message, and verifies that the hash matches the browser's.
b) Encrypts a handshake message with the password and sends it to the browser.
5. The browser decrypts it and computes the hash of the handshake message; if it matches the server's hash, the handshake is complete.
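The five steps above, modelled as an added example that is not part of the original page: a toy RSA key pair with constructed tiny primes stands in for the certificate's key, and an HMAC over the handshake transcript plays the role of the hashed handshake message. The tamper flag shows why the final hash comparison matters.

```python
import hashlib
import hmac
import secrets

# Toy RSA key pair built from constructed, tiny primes: enough to show the
# public/private key roles from the text, useless for real security.
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # server's private exponent (pow(..., -1, m) needs Python 3.8+)


def rsa_encrypt(m: int) -> int:
    """Browser side: encrypt with the public key (E, N) taken from the certificate."""
    return pow(m, E, N)


def rsa_decrypt(c: int) -> int:
    """Server side: decrypt with the private key (D, N), which never leaves the server."""
    return pow(c, D, N)


def derive_key(secret: int) -> bytes:
    """Both sides turn the random number into a symmetric key the same way."""
    return hashlib.sha256(secret.to_bytes(8, "big")).digest()


def finished_mac(key: bytes, transcript: bytes) -> bytes:
    """Keyed hash over every handshake message seen so far (steps 3c, 4a, 4b, 5)."""
    return hmac.new(key, transcript, hashlib.sha256).digest()


def handshake(tamper: bool = False) -> bool:
    """Run the five steps from the text; True only if both sides' hash checks pass."""
    # 1-2. browser offers its cipher suites, server picks one and sends its certificate
    client_hello = b"suites=TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384"
    server_hello = b"suite=TLS_RSA_WITH_AES_128_GCM_SHA256;cert=example.com,pub(E,N)"
    client_view = client_hello + server_hello
    # an on-path attacker may alter what the server sees versus what the browser saw
    server_view = client_view if not tamper else client_hello + server_hello.replace(b"AES_128", b"NULL")
    # 3b. browser draws a random number and encrypts it with the certificate's public key
    secret = secrets.randbelow(N - 2) + 1
    encrypted_secret = rsa_encrypt(secret)
    client_key = derive_key(secret)
    # 3c. browser hashes its view of the handshake under that key and sends everything
    client_finished = finished_mac(client_key, client_view)
    # 4a. server recovers the number with its private key and checks the browser's hash
    server_key = derive_key(rsa_decrypt(encrypted_secret))
    if not hmac.compare_digest(finished_mac(server_key, server_view), client_finished):
        return False  # transcripts differ: a message was changed in flight
    # 4b. server hashes the transcript plus the browser's message and replies
    server_finished = finished_mac(server_key, server_view + client_finished)
    # 5. browser verifies the server's hash; only then is the handshake complete
    return hmac.compare_digest(finished_mac(client_key, client_view + client_finished), server_finished)
```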

A digital signature works like this: the boss holds the private key and the employee holds the public key, with which the employee can verify whether a signature was really made by the boss, as long as the employee is sure that the public key came from a trustworthy agency (the CA). A key handed over by a stranger on the roadside should of course not be believed; one that came from the company itself can be trusted.

The HTTPS of 12306

On its new booking page, the China Railway Customer Service Center uses HTTPS to encrypt data, but instead of a certificate from a widely recognized digital certificate authority it uses a self-signed certificate; the issuing authority is named "Sinorail Certification Authority" (SRCA).
When the browser finds no "SRCA" certificate in its root certificate store, it blocks the user from visiting the site for security reasons. To get around this, the 12306 site requires users to manually install the root certificate it publishes. [22] This approach does not work in every browser, and users of certain browsers need to configure them individually.
In addition, every SSL digital certificate has a key. Normally, once a key is stolen, formal certificate authorities and system vendors announce that the certificate is invalid, [23] and smaller certificate authorities generally maintain a certificate revocation list (CRL) [24] so that when a key is stolen the certificate is automatically listed as invalid. The SRCA certificate has no CRL, and system vendors do not publish updates specifically for it. [25] Thus, if the key were stolen, hackers could use it to issue certificates in the name of SRCA. Once a hacker had issued such certificates to a number of malicious websites, browsers with the SRCA certificate installed would let those sites through and be unable to defend against the resulting malicious attacks. For this reason, some people online have suggested that users mark the SRCA certificate as untrusted immediately after buying their tickets, or simply add the ticketing page to the browser's trust list.
When the user proceeds to payment (visiting pay.12306.cn), the China Railway Customer Service Center presents a valid certificate issued by VeriSign, but this only protects the user during payment; it cannot prevent a hacker from using the SRCA key to issue a forged certificate and mount a malicious attack.

How to use HTTPS as a developer

Take Tomcat as an example:

    • Generate your own digital certificate
    • Import the certificate issued by the certification authority (does this mean handing the private key to the certification authority?)

Http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
