HTTP protocol is not suitable for transmitting some sensitive information, such as credit card number, password and other payment information. In order to solve this flaw of the HTTP protocol, we need to use another protocol: Secure Sockets Layer Hypertext Transfer Protocol HTTPS, in order to secure the data transmission, HTTPS on the basis of HTTP addedSSL protocol, SSL relies on certificates to verify the identity of the server and encrypt communication between the browser and the server. Basic Concepts: HTTP: Is the most widely used Internet protocol, is a client and server-side request and response Standard (TCP), used to transfer from the WWW server hypertext to the local browser of the transport protocol, it can make the browser more efficient, so that network transmission reduced. https: is a security-targeted HTTP channel, simply speaking is the security version of HTTP, that is, HTTP under the SSL layer, HTTPS security base is SSL, so the details of encryption requires SSL. The main functions of the HTTPS protocol can be divided into two types: one is to create aInformation Security channelto ensure the security of data transmission, and the other is to confirm that the websiteauthenticity. differenceThe SSL (Secure Sockets Layer) protocol is used to encrypt the data transmitted by the HTTP protocol, resulting in the creation of HTTPS. In simple terms, the HTTPS protocol is a network protocol built by the SSL+HTTP protocol for encrypted transmission and authentication , which is more secure than the HTTP protocol. The main differences between HTTPS and HTTP are as follows: 1, the HTTPS protocol requires a certificate to the CA, generally less free certificate, and therefore a certain cost. 2, HTTP is a Hypertext Transfer Protocol, the information is plaintext transmission, HTTPS is a secure SSL encryption Transfer protocol. 3, HTTP and HTTPS use a completely different way of connection, with the same port, the former is 80, the latter is 443. 4, the HTTP connection is very simple, is stateless; The HTTPS protocol is a network protocol built by the SSL+HTTP protocol for encrypted transmission and authentication, which is more secure than the HTTP protocol. Third, the working principle of HTTPS
Iv. Advantages of HTTPSAlthough HTTPS is not completely secure, the organization that holds the root certificate and the organizations that master the cryptographic algorithms can also attack in the form of an intermediary, but HTTPS is still the safest solution under the current architecture, with the following benefits:(1) Use the HTTPS protocol to authenticate users and servers to ensure that data is sent to the correct client and server;(2) The HTTPS protocol is a network protocol constructed by the SSL+HTTP protocol which can encrypt transmission and authentication, which is more secure than the HTTP protocol, which prevents the data from being stolen, changed and ensured the integrity of the data in the transmission process. (3) HTTPS is the safest solution under the current architecture, although not completely secure, but it dramatically increases the cost of a man-in-the-middle attack. (4) Google adjusted the search engine algorithm in August 2014, saying that "sites with HTTPS encryption will be ranked higher in search results than equivalent HTTP sites." v. Disadvantages of HTTPSAlthough it is said that HTTPS has a great advantage, but its relative, there are shortcomings:(1) The HTTPS protocol handshake phase is time-consuming, will increase the page load times by nearly 50%, increasing the power consumption of 10% to 20%;(2) HTTPS connection cache is less efficient than HTTP, increasing data overhead and power consumption, and even existing security measures will be affected;(3) SSL certificate requires money, the more powerful the higher the cost of the certificate, personal website, small site is not necessary generally not used. (4) SSL certificates usually need to bind IP, not the same IP binding multiple domain names, IPV4 resources can not support this consumption. (5) HTTPS protocol encryption range is also relatively limited, in the hacker attacks, denial of service attacks, server hijacking and other aspects of almost no role. The most critical, SSL certificate of the credit chain system is not secure, especially if some countries can control the CA root certificate in the case of a man-in-the-middle attack as feasible. six, HTTP switch to HTTPSWhat if you need to switch your Web site from http to https? all links in the page, such as js,css, images, and so on, need to be changed from HTTP to HTTPS. For example:Http://www.baidu.cominsteadHttps://www.Baidu.comBTW, although HTTP is switched to HTTPS, it is recommended to keep HTTP. So we can do the HTTP and HTTPS compatibility when switching, the implementation is to remove the HTTP header in the page link, which can automatically match the HTTP headers and HTTPS headers. For example, theHttp://www.baidu.comchange to//Www.baidu.com. Then when the user enters the access page from the HTTP entry, the page is HTTP, and if the user is accessing the page from the HTTPS portal, the page is even https. //https://www.cnblogs.com/wqhwe/p/5407468.html
HTTP and HTTPS
