The difference between HTTP and HTTPS

Source: Internet
Author: User

1. What is HTTP (full name Hyper Text Transfer Protocol)

HTTP, known in Chinese as 超文本传输协议, carries out the series of operations that take place between a client and a server.

1.1 Protocols closely related to HTTP: IP, TCP, and DNS

IP protocol, responsible for transmission

The IP protocol sits at the network layer; its role is to deliver packets of every kind to the other party. To ensure that a packet reaches the other side, a variety of conditions must be met, and the two important ones are the IP address and the MAC address.

The IP address indicates the address assigned to a node, and the MAC address is the fixed address belonging to the network interface card. The IP address is paired with the MAC address; an IP address can change, but the MAC address does not.

TCP protocol, ensuring reliability

TCP is located at the transport layer and provides a reliable byte stream service.

Byte stream service: to make transmission easier, large blocks of data are divided into segments (packets) that can be managed individually.

To ensure that data reaches its destination without error, the TCP protocol uses the three-way handshake strategy. Of course, besides the three-way handshake, TCP has many other means of ensuring reliable communication.

DNS service, for domain name resolution

The DNS service, like HTTP, is a protocol located at the application layer. It provides resolution between domain names and IP addresses.

Because a string of pure numbers is too hard to remember, while letters combined with numbers suit human habits, the DNS service exists to solve this problem.

2. Disadvantages of HTTP
    • Communication uses plaintext (no encryption), so the content may be eavesdropped
    • The identity of the communicating party is not verified, so impersonation is possible
    • The integrity of a message cannot be proven, so it may have been tampered with

3. HTTP + encryption + authentication + integrity protection = HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer)

HTTPS is not a new application-layer protocol. Rather, the HTTP communication interface is replaced with the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols.

Normally HTTP talks directly to TCP; when SSL is used, HTTP first talks to SSL, and SSL then talks to TCP. In short, so-called HTTPS is simply HTTP wrapped in a layer of SSL.

With SSL, HTTP gains the encryption, certificates, and integrity protection that make it HTTPS.

SSL is a protocol independent of HTTP; any application-layer protocol, such as SMTP (mail) or Telnet, can be used in combination with SSL, not only HTTP. It can be said that SSL is the most widely used network security technology in the world today.

4. How SSL encrypts

SSL uses an encryption method called public-key encryption (public-key cryptography).

In modern encryption methods, the encryption algorithm is public and only the key is kept secret; this is how the security of the method is maintained.

The dilemma of shared-key encryption (共享密钥加密)

Using the same key for both encryption and decryption is called shared-key encryption, also known as symmetric-key encryption.

With shared-key encryption, the key must also be sent to the other party. When the key is forwarded over the Internet, if the communication is monitored, the key falls into the attacker's hands and the encryption loses its meaning.

How can the key be transferred safely?

Public-key encryption (公开密钥加密), which uses two keys

Public-key encryption is a good way to solve the problem of shared-key encryption.

Public-key encryption uses a pair of asymmetric keys: one called the private key, the other called the public key.

With public-key encryption, the sender encrypts using the other party's public key, and the receiver decrypts the encrypted information using its own private key. In this way, the private key needed for decryption never has to be sent, so there is no need to worry about the key being intercepted and stolen by an attacker.

In addition, it is very difficult to recover the original information from the ciphertext and the public key, because doing so amounts to computing a discrete logarithm, which is not easy. Put another way, if one could quickly factor a very large integer, there would still be hope of breaking the cipher, but with current technology this is not realistic.

HTTPS uses a hybrid encryption mechanism

HTTPS uses a hybrid encryption mechanism that combines shared-key encryption and public-key encryption. If the key could be exchanged safely, one might consider using public-key encryption alone for communication. However, public-key encryption is slower to process than shared-key encryption.

Therefore, the two methods should be combined so that each is used where it is strongest: public-key encryption is used in the key-exchange phase, and shared-key encryption is used in the message-exchange phase once communication is established.

5. Certificates prove the correctness of the public key

Unfortunately, public-key encryption still has a problem: there is no way to prove that the public key itself is genuine. For example, when preparing to communicate with a server using public-key encryption, how can one prove that the public key received is the one the server originally intended to issue? Perhaps during transmission the real public key was replaced by an attacker.

To address this problem, one can use a public-key certificate issued by a digital certificate authority (数字证书认证机构) or another related body.

The basic process is:

    1. The server registers its own public key with the digital certificate authority.
    2. The certificate authority uses its own private key to digitally sign the server's public key and issues a public-key certificate.
    3. After the client obtains the server's public-key certificate, it verifies the certificate authority's digital signature on the certificate using the certificate authority's public key, confirming the authenticity of the server's public key.
    4. The client uses the server's public key to encrypt the message it sends.
    5. The server decrypts the message with its private key.

6. Is SSL slow?

Because HTTPS also requires encryption and decryption processing on both the server and the client, it consumes CPU, memory, and other hardware resources. Compared with HTTP communication, the SSL portion also consumes network resources, and its additional processing extends the overall communication time.

There is no fundamental solution to the slowness problem; instead, SSL accelerator hardware (a dedicated server) is used to mitigate it. Compared with software, it can speed up SSL computations several times over.

7. Why not always use HTTPS?

Since HTTPS is so reliable and secure, why don't all websites use HTTPS all the time?

One reason is that encrypted communication consumes more CPU and memory than plaintext communication. If every communication is encrypted, considerable resources are consumed, and the number of requests a single computer can handle is bound to decrease.

Therefore, to conserve resources, HTTP is used for non-sensitive information and HTTPS encrypted communication only when sensitive data such as personal information is involved. Another reason is the desire to save the cost of purchasing certificates.

How HTTPS works

We all know that HTTPS can encrypt information so that sensitive data is not exposed to third parties, which is why many security-sensitive services, such as bank websites or email, use the HTTPS protocol.

1. Client initiates HTTPS request

There is little to say here: the user enters an HTTPS URL in the browser, which then connects to port 443 of the server.

2. Server-side configuration

A server using the HTTPS protocol must have a digital certificate, which you can make yourself or apply for from an organization. The difference is that a self-made certificate must be verified by the client before access continues, whereas a certificate applied for from a trusted company does not cause a prompt page to pop up (StartSSL is a good choice, with one year of free service).

This certificate is actually a pair of keys, a public key and a private key. If public and private keys are unfamiliar, imagine a lock and a key: only you in the whole world have the key, but you can give the lock to others. They can use the lock to lock up something important and send it to you, and because only you have the key, only you can see what the lock protects.

3. Sending the certificate

This certificate is essentially the public key, but it also contains a lot of information, such as the issuing certificate authority, the expiration time, and so on.

4. Client parses the certificate

This work is done by the client's TLS implementation. It first verifies that the public key is valid, checking the issuing authority, expiration time, and so on; if an anomaly is found, a warning box pops up indicating a problem with the certificate.

If the certificate is fine, a random value is generated and encrypted with the certificate (the public key). As described above, this is like locking the random value with the lock: the locked content cannot be seen without the key.

5. Transmitting encrypted information

This step transmits the random value encrypted with the certificate. The purpose is to let the server obtain this random value, after which the communication between client and server can be encrypted and decrypted using it.

6. Server decrypts the information

After decrypting with its private key, the server obtains the random value sent by the client (referred to here as the private key, i.e. the shared key). It then encrypts content with this value using symmetric encryption. Symmetric encryption means that the information and the key are mixed together by some algorithm so that the content cannot be recovered without the key; since only the client and the server know this key, as long as the encryption algorithm is strong enough and the key is complex enough, the data is secure.

7. Transmitting the encrypted information

This is the information the server has encrypted with the private key (the shared random value), which the client can restore.

8. Client decrypts the information

The client uses the previously generated private key (the random value) to decrypt the information sent by the server and obtains the content. Throughout the whole process, even if a third party intercepts the data, it can do nothing with it.
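The certificate check of section 5 and steps 4 to 8 above, worked through as an added example that is not from the original article. Toy textbook RSA on fixed small primes (constructed constants, far too small for real use) stands in for the CA and server keys, and a SHA-256 XOR keystream stands in for the symmetric cipher; the structure of the exchange, not the key sizes, is the point.

```python
import hashlib
import secrets

# Constructed small primes for the toy RSA keys (illustration only, not real key sizes).
CA_PRIMES = (1000003, 1000033)
SERVER_PRIMES = (999983, 1000037)

def toy_rsa_keypair(p, q, e=65537):
    """Return ((e, n), (d, n)): textbook RSA public and private keys."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def rsa_apply(key, m):
    exp, n = key
    return pow(m, exp, n)

def digest_mod(data, n):
    """SHA-256 of the data reduced into the RSA range (toy stand-in for real padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def ca_sign(ca_priv, server_pub):
    """Section 5, steps 1-2: the CA signs the server's public key with the CA private key."""
    return rsa_apply(ca_priv, digest_mod(repr(server_pub).encode(), ca_priv[1]))

def verify_cert(ca_pub, server_pub, signature):
    """Section 5, step 3: the client checks the CA signature with the CA public key."""
    return rsa_apply(ca_pub, signature) == digest_mod(repr(server_pub).encode(), ca_pub[1])

def stream_xor(key, data):
    """Toy shared-key cipher: XOR with a SHA-256 keystream (stand-in for AES)."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def https_exchange(ca_pub, server_pub, server_priv, signature, message):
    """Steps 4-8: verify the certificate, exchange a random value, then talk symmetrically."""
    if not verify_cert(ca_pub, server_pub, signature):
        raise ValueError("certificate signature does not verify; public key may have been replaced")
    random_value = secrets.randbelow(server_pub[1])               # step 4: client random value
    sent = rsa_apply(server_pub, random_value)                    # step 5: encrypted under server public key
    received = rsa_apply(server_priv, sent)                       # step 6: server decrypts with private key
    server_key = hashlib.sha256(str(received).encode()).digest()  # both sides derive the same shared key
    client_key = hashlib.sha256(str(random_value).encode()).digest()
    ciphertext = stream_xor(server_key, message)                  # step 7: server encrypts its reply
    return stream_xor(client_key, ciphertext)                     # step 8: client decrypts it

if __name__ == "__main__":
    ca_pub, ca_priv = toy_rsa_keypair(*CA_PRIMES)
    srv_pub, srv_priv = toy_rsa_keypair(*SERVER_PRIMES)
    sig = ca_sign(ca_priv, srv_pub)
    print(https_exchange(ca_pub, srv_pub, srv_priv, sig, b"account balance: 42"))
```

Swapping in a different public key with the same signature makes `verify_cert` fail, which is the substitution attack section 5 describes and the reason the client refuses to continue.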

Transferred from: https://www.jianshu.com/p/37654eb66b58
