Hello everyone. SSL certificates are getting more and more attention, and people often say that HTTPS is only needed on the login page, or that it slows a site down. Evtrust would like to clear up some common misunderstandings about the HTTPS protocol and share some knowledge about encrypted web communication.
Misunderstanding one: only the login and registration pages need HTTPS
This idea is common. People feel that HTTPS only needs to protect the user's password and is unnecessary elsewhere. The new Firefox browser plugin, Firesheep, proves this idea wrong: with it, it is easy to hijack other people's sessions on Twitter and Facebook.
The free Wi-Fi in a café is an ideal hijacking environment for two reasons:
1. The Wi-Fi is usually not encrypted, so it is easy to monitor all traffic.
2. Wi-Fi hotspots typically use NAT to translate between intranet and extranet addresses, and all intranet clients share one external address. This means that, to the server, a hijacked session looks much like the original login.
Twitter, for example, uses HTTPS for its login page, but after logging in the other pages go back to HTTP. At that point the session value in its cookie is exposed: the cookies are created in an HTTPS environment, but transmitted in an HTTP environment. If someone captures these cookies, he can speak on Twitter as if he were you.
[Image: misunderstanding one, only the login page needs HTTPS]
Misunderstanding two: with HTTPS, cookies and query strings are safe
Although cookies and query strings cannot be read directly from HTTPS traffic, you still need to make their values unpredictable.
For example, a British bank once used sequential numbers directly as session IDs:
[Image: cookies]
An attacker can register an account, find this cookie, and see how the value is formed. Then, by changing the cookie, he can take over another user's session. Query strings can leak in a similar way.
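As an added illustration of misunderstandings one and two (example code written for this page, not Evtrust's or the article's own): a sequential session ID next to one drawn from the OS CSPRNG, a simple audit check that flags the sequential pattern, a Set-Cookie line whose Secure flag keeps a cookie created over HTTPS from ever being sent over plain HTTP, and an HSTS header that keeps the browser on HTTPS for every page rather than just login. The cookie name sessionid and the 32-byte ID size are assumptions.

```python
import secrets
from http.cookies import SimpleCookie

SESSION_ID_BYTES = 32  # 256 bits of randomness (size is our assumption, not the page's)


def weak_session_id(counter: int) -> str:
    """Sequential IDs like the bank's: the next value follows from the last."""
    return str(counter)


def strong_session_id() -> str:
    """Unpredictable ID drawn from the OS CSPRNG via the secrets module."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def is_predictable(ids) -> bool:
    """Cheap audit check: flag IDs that are plain integers forming a constant-step sequence."""
    try:
        nums = [int(i) for i in ids]
    except ValueError:
        return False  # not decimal integers, so not the sequential pattern audited for here
    steps = {b - a for a, b in zip(nums, nums[1:])}
    return len(nums) > 1 and len(steps) == 1


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for a session that must never travel over plain HTTP."""
    c = SimpleCookie()
    c["sessionid"] = session_id
    c["sessionid"]["secure"] = True     # browser sends it only on HTTPS requests
    c["sessionid"]["httponly"] = True   # page scripts cannot read it
    c["sessionid"]["samesite"] = "Lax"
    c["sessionid"]["path"] = "/"
    return c.output(header="Set-Cookie:")


def hsts_header(max_age: int = 31536000) -> str:
    """Strict-Transport-Security: browser uses HTTPS for every page, not just login."""
    return "Strict-Transport-Security: max-age=%d; includeSubDomains" % max_age


if __name__ == "__main__":
    bank_style = [weak_session_id(n) for n in range(1000, 1005)]
    print("sequential IDs predictable:", is_predictable(bank_style))  # True
    print("random IDs predictable:", is_predictable([strong_session_id() for _ in range(5)]))  # False
    print(session_cookie_header(strong_session_id()))
    print(hsts_header())
```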
Misunderstanding three: HTTPS is too slow
Using HTTPS will not make your site faster (though in some cases it actually can, see below), but there are some tricks that greatly reduce the extra overhead.
First, compressing the text content reduces the CPU resources consumed by decoding. In any case, this overhead is trivial for modern CPUs.
Second, establishing an HTTPS connection requires additional TCP round trips, so some extra bytes are sent and received. However, as the figure shows, the number of extra bytes is very small.
[Image: establishing an HTTPS connection]
The first time a web page is opened, the HTTPS protocol is a bit slower than HTTP because of the time it takes to read and verify the SSL certificate. Below is a waterfall diagram of the time taken to open the page over HTTP.
[Image: HTTP web page open time waterfall]
When the same web page uses the HTTPS protocol, the opening time becomes longer.
[Image: the same web page over HTTPS]
The connection establishment part is about 10% slower. However, once a valid HTTPS connection is established and the web page is refreshed, there is little difference between the two protocols. First the HTTP refresh performance:
[Image: HTTP protocol refresh]
Then the HTTPS protocol:
[Image: HTTPS protocol refresh]
Some users may find that HTTPS is a bit faster than HTTP. This can happen on the internal LANs of some large companies, where the company gateway typically intercepts and analyzes all network traffic. When it encounters an HTTPS connection, it can only pass it through directly, because it cannot interpret the HTTPS content. Because this inspection step is skipped, HTTPS becomes relatively fast.
HTTPS misunderstandings (i)