HTTP (Hyper-Text Transfer Protocol)

A protocol that belongs to the application layer

Disadvantages:

1. Communication using plaintext (not encrypted), content may be bugged
2. does not verify the identity of the communicating party, so it is possible to encounter a disguise
3. Cannot prove the integrity of the message, so it may have been tampered with

Advantages:

1. Fast transmission speed

Https

HTTPS is not a new protocol for the application layer. Only the HTTP communication interface portion is replaced with SSL (Secure Sockets Layer) and TLS (Secure Transport Layer protocol). That is, HTTP is called HTTPS (http Secure), which adds encryption and authentication mechanisms.

HTTP + encryption + authentication + Integrity protection = HTTPS

Use public key encryption for two keys

Public key encryption uses a pair of asymmetric keys. One is called the private key and the other is the public key. The private key cannot be known to anyone else, and the public key can be freely published and available to anyone. Using public key encryption, the party sending the cipher uses the other's public key for encryption, and the other party receives the encrypted information and then decrypts it with its own private key. This way, you do not need to send the private key to decrypt, do not have to worry about the key by the attacker eavesdropping and stolen away.

Process

The ① server logs its public key to the digital certification authority.
The ② digital Certificate Authority deploys its own private key to the server's public password to deploy the digital signature and issue the public key certificate.
After the ③ client has received the server's public key certificate, the digital certificate certification authority is used to authenticate with the digital certificate authorities by using the public keys of the digital certification authority. To confirm the authenticity of the server public key.
④ is sent using the server's public key to encrypt the message.
The ⑤ server decrypts the message with a private key.

Steps for HTTPS communication

① client sends messages for SSL communication. The message contains the specified version of SSL supported by the client, a list of cryptographic components (encryption algorithm and key length, etc.).
The ② server answers and includes the SSL version and cryptographic components in the reply message. The contents of the server's cryptographic components are filtered from the received client cryptographic component.
The ③ server sends a message that contains a public key certificate.
The ④ server sends a message to notify the client that the initial phase of the SSL Handshake Negotiation Section ends.
⑤ssl after the first handshake is over, the client sends a message as a response. The message contains a random cipher string called Pre-master secret used in communication encryption. The password string has been encrypted using the server's public key.
The ⑥ client sends the message and prompts the server, and thereafter the message communication is encrypted with the Pre-master secret key.
The ⑦ client sends a finished message. This message contains the overall checksum value of all messages connected to date. Whether the handshake negotiation can be completed successfully, the server can correctly decrypt the message as a criterion.
The ⑧ server also sends a change Cipher spec message.
The ⑨ server also sends finished messages.
After the finished message exchange between the ⑩ server and the client is complete, the SSL connection is established.
The application layer protocol communicates, that is, the HTTP response is sent.
? Finally, the client disconnects the link. When the link is broken, the close_nofify message is sent.

First, what is HTTPS

Before talking about HTTPS, say what is Http,http is a protocol that we use when browsing the web. The data transmitted by the HTTP protocol is unencrypted, which is plaintext, so it is very insecure to use the HTTP protocol to transmit private information. To ensure that these private data can be encrypted, Netscape designed the SSL (Secure Sockets Layer) protocol to encrypt the data transmitted by the HTTP protocol, which led to the birth of HTTPS. The current version of SSL is 3.0, defined by the IETF (Internet Engineering Task Force) in RFC 6101, and then the IETF is upgraded to SSL 3.0, so TLS (Transport Layer Security) 1.0, defined in RFC 2246. In fact, we now have HTTPS is the TLS protocol, but because SSL appears earlier, and is still supported by the browser now, so SSL is still synonymous with HTTPS, but whether it is TLS or SSL is the last century thing, The last version of SSL is 3.0, and TLS will inherit the good lineage of SSL and continue to encrypt the service for us. The current version of TLS is 1.2, defined in RFC 5246, and is not widely used for the time being.
\ n

Second, is HTTPS safe?

The answer is yes, it's safe. Google has moved to aggressively promote the use of HTTPS, in the next few weeks, Google will be all the world's local domain name to enable HTTPS, users just sign in before the search with Google Account, and then all the search operations will use the TLS protocol encryption,
\ n

Third, the working principle of HTTPS

HTTPS requires a handshake between the client (browser) and the server (Web site) before transmitting the data, which establishes the password information for both parties to encrypt the transmitted data during the handshake. TLS/SSL protocol is not only a set of encrypted transmission protocols, but also an artist-designed artwork, TLS/SSL using asymmetric encryption, symmetric encryption and hash algorithm. A brief description of the handshake process is as follows:
1. The browser sends a set of encryption rules that it supports to the Web site.
2. The website selects a set of cryptographic algorithms and hash algorithms, and sends its own identity information back to the browser in the form of a certificate. The certificate contains information such as the website address, the encrypted public key, and the issuing authority of the certificate.
3. After obtaining the website certificate, the browser will do the following tasks:

A) Verify the legality of the certificate (the issuing authority is legal, the certificate contains the address of the website is consistent with the address being accessed, etc.), if the certificate is trusted, the browser bar will display a small lock, otherwise the certificate is not trusted to prompt.

b) If the certificate is trusted, or if the user accepts an untrusted certificate, the browser generates a random number of passwords and encrypts them with the public key provided in the certificate.

c) Use the agreed hash to calculate the handshake message, encrypt the message with the generated random number, and then send all previously generated information to the Web site.
4. After the Web site receives the data from the browser, do the following:

A) Use your own private key to decrypt the information to remove the password, use the password to decrypt the browser's handshake message, and verify that the hash is consistent with the browser.

b) Encrypt a handshake message with a password and send it to the browser.
5. The browser decrypts and calculates the hash of the handshake message, if it is consistent with the hash of the server, at which point the handshake process ends, and all the communication data will be encrypted by the random password generated by the previous browser and using the symmetric encryption algorithm.
Here the browser and the Web site to send encrypted handshake message and verify, the purpose is to ensure that both sides have obtained a consistent password, and can be normal encryption and decryption of data, for the subsequent transmission of real data to do a test. In addition, HTTPS generally uses the encryption and hashing algorithm as follows:
Asymmetric Encryption algorithm: RSA,DSA/DSS
Symmetric encryption algorithm: Aes,rc4,3des
Hash algorithm: md5,sha1,sha256
The asymmetric encryption algorithm is used to encrypt the generated password during the handshake, and the symmetric encryption algorithm is used to encrypt the data that is actually transmitted, while the hash algorithm is used to verify the integrity of the data. Because the password generated by the browser is the key to the entire data encryption, the asymmetric encryption algorithm is used to encrypt it at the time of transmission. Asymmetric encryption algorithms generate public and private keys, the public key can only be used to encrypt data, so can be transferred at will, and the Web site's private key is used to decrypt the data, so the site will be very careful to keep their private keys to prevent leakage.
If there are any errors during the TLS handshake, the encrypted connection will be disconnected, thereby preventing the transfer of private information. It is because HTTPS is very safe, attackers can not find the place to start, so more is the use of fake certificates to deceive clients, so as to obtain clear text information, but these methods can be identified, I will be in the subsequent article to tell. But 2010 years, security experts have found a vulnerability in the TLS 1.0 protocol: http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/.
In fact, this type of attack, known as Beast, has been discovered by security experts since 2002, but not publicly. The vulnerability has now been fixed by Microsoft and Google. See: Http://support.microsoft.com/kb/2643584/en-us https://src.chromium.org/viewvc/chrome?view=rev&revision= 90643

HTTP (Hyper-Text Transfer Protocol)