A guru's analysis of the difference between HTTPS and HTTP

Source: Internet
Author: User

Today, while working on Yahoo, I found that when I used a third-party tool to intercept the communication between the client and the server, I ran into a situation I had not seen before. Looking carefully, the URL was requested over HTTPS, and a search showed that the HTTPS protocol differs greatly from HTTP. Overall, HTTP is more efficient and HTTPS is more secure.


First, what HTTPS is:

HTTPS (Hypertext Transfer Protocol Secure) is a secure communication channel built on HTTP and used to exchange information between client computers and servers. It uses Secure Sockets Layer (SSL) for the exchange, so, simply put, it is a secure version of HTTP. It was developed by Netscape and built into its browser, which encrypts data before sending it onto the network and decrypts the results that come back.

HTTPS in fact uses Netscape's Secure Sockets Layer (SSL) as a sublayer beneath the HTTP application layer. (HTTPS uses port 443 rather than port 80 to communicate over TCP/IP as HTTP does.) The original SSL used the RC4 stream cipher with 40-bit keys, which was considered adequate for business information at the time; RC4 is now prohibited in TLS (RFC 7465), 40-bit export cipher suites were dropped long ago, and current deployments use TLS 1.2 or 1.3 with AES-GCM or ChaCha20-Poly1305. HTTPS and SSL support digital certificates, so that if necessary the user can confirm who the sender is.

How HTTPS and HTTP differ:

    • HTTPS requires a certificate obtained from a CA; free certificates were rare when this was written and most had to be paid for (free, automated CAs exist today).
    • HTTP is the Hypertext Transfer Protocol and transmits information in plaintext; HTTPS is HTTP carried over an SSL/TLS encrypted transport.
    • HTTP and HTTPS use completely different connection modes and different ports: the former uses 80, the latter 443.
    • An HTTP connection is simple and stateless; HTTPS is SSL/TLS plus HTTP, a network protocol that can encrypt and authenticate, and it is therefore more secure than HTTP.

Issues with HTTPS:

1 .  Trusting the host. An https server must request a certificate from a CA to prove what kind of server it is. The certificate is valid only for the corresponding server, and only for a limited time, and the client trusts that host while the certificate is valid. This is why all banking websites, or at least the critical parts of their applications, use https: customers trust the certificate and thereby trust the host. This is in fact inefficient, but banks care more about security. For us it matters less: whether our server's certificate is self-issued or issued by a public CA, the clients are our own, so we can make sure they trust the server. (The right way to do that is to install our own CA certificate in the clients' trust store, not to disable certificate validation; a client that skips validation will trust any server, including an attacker's.)

2 .  Disclosure and tampering of data in transit
In the usual sense of https, the server has a certificate.

    • a) Its main purpose is to ensure that the server is the server it claims to be. This is the same as point 1.
    • b) All communication between the server and the client is encrypted. I. Specifically, the client generates a symmetric key and exchanges it using the server's certificate; this is the handshake in the general sense. (That describes the RSA key-transport handshake; current TLS instead derives the session key with an ephemeral Diffie-Hellman exchange that the certificate authenticates, so the key itself never crosses the wire and past sessions stay secret even if the server's private key later leaks.) II. All exchanged information is encrypted. A third party who intercepts it learns nothing, because he does not have the key. Tampering is pointless as well: every record carries an integrity check (a MAC, or an AEAD tag), so a modified record is rejected by the receiver instead of being silently accepted.

Where the client's requirements are stricter, the client must also have a certificate.

    • a)   The client certificate is in effect a statement of personal identity: beyond the user name and password, it carries an identity authenticated by a CA. It should be a personal certificate that others cannot imitate, so it confirms your identity more deeply.
    • b)   At present a small number of personal online-banking "professional editions" work this way; the certificate may be kept on a USB key as its carrier. The Bank of Communications online banking I used works like this.

3 .  HTTPS is more cumbersome.
    • a)   The original simple HTTP protocol is one GET, one response. HTTPS must additionally exchange keys and agree on the cryptographic algorithms, so a full handshake costs extra round trips before the first byte of application data: two on top of the TCP handshake in TLS 1.2, one in TLS 1.3. i.  In any application, too many round trips definitely hurt performance.
    • b)   Next comes the HTTP protocol proper: for every request or response, both the client and the server must encrypt or decrypt the contents of the session. i.  Symmetric encryption and decryption are efficient but still consume a lot of CPU, which is why dedicated SSL accelerator chips exist. If CPU capacity is relatively low, performance will certainly suffer and fewer requests can be served.
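The "trust the certificate, thereby trust the host" point above is easiest to see by running the handshake with the wrong trust store and the wrong host name. The following is an added example, not code from the original article: it builds a throwaway CA and a server certificate in memory, performs a real TLS handshake over a loopback socket, and classifies the client's verdict. The host name "example.internal" and the CA name are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// PKI is a throwaway CA plus one server certificate, generated in memory so the
// example runs offline. The host name "example.internal" is an assumption.
type PKI struct {
	Roots  *x509.CertPool  // the trust store a client that trusts our CA would install
	Server tls.Certificate // the leaf certificate the server presents
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func NewPKI() *PKI {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Private CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	caCert := must(x509.ParseCertificate(caDER))

	// The leaf is bound to one host name; the client checks that name against the
	// host it meant to reach, which is what turns "trust the certificate" into
	// "trust the host".
	srvKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{"example.internal"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER := must(x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &srvKey.PublicKey, caKey))

	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &PKI{Roots: roots, Server: tls.Certificate{Certificate: [][]byte{leafDER}, PrivateKey: srvKey}}
}

// Handshake runs one TLS handshake over a loopback socket and returns the
// client's verdict on the server's certificate. roots is the client's trust
// store and serverName the host the client believes it is connecting to.
func (p *PKI) Handshake(roots *x509.CertPool, serverName string) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	srvDone := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			srvDone <- err
			return
		}
		defer conn.Close()
		srvDone <- tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{p.Server}}).Handshake()
	}()
	conn := must(net.Dial("tcp", ln.Addr().String()))
	defer conn.Close()
	cli := tls.Client(conn, &tls.Config{RootCAs: roots, ServerName: serverName})
	err := cli.Handshake()
	cli.Close()
	<-srvDone // the server side finishes (or fails) once the client is done
	return err
}

// Verdict names the trust problem behind a handshake result.
func Verdict(err error) string {
	var unknownCA x509.UnknownAuthorityError
	var badName x509.HostnameError
	switch {
	case err == nil:
		return "trusted"
	case errors.As(err, &unknownCA):
		return "unknown-authority" // no installed root signed this chain
	case errors.As(err, &badName):
		return "hostname-mismatch" // valid chain, but issued for another host
	default:
		return "failed: " + err.Error()
	}
}

func main() {
	p := NewPKI()
	fmt.Println(Verdict(p.Handshake(p.Roots, "example.internal")))            // trusted
	fmt.Println(Verdict(p.Handshake(x509.NewCertPool(), "example.internal"))) // unknown-authority
	fmt.Println(Verdict(p.Handshake(p.Roots, "other.internal")))              // hostname-mismatch
}
```

The second and third cases are the two ways a private deployment usually goes wrong: the client has not been given the private CA (so it sees an unknown authority), or the certificate was issued for a different name than the one the client connects to. Both are fixed by installing the CA and issuing for the right name, never by setting InsecureSkipVerify, which would make the first case indistinguishable from an attacker's certificate.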


Appendix: an introduction to SSL:

SSL is a security protocol proposed by Netscape for building a secure channel for data transmission between browsers (such as Internet Explorer and Netscape Navigator) and web servers (such as Netscape Enterprise Server, ColdFusion Server, and others). SSL runs above the TCP/IP layer and below the application layer, and provides an encrypted data channel for applications. It uses cryptographic algorithms such as RC4, MD5 and RSA, with 40-bit keys for the encryption of business information (the export-grade configuration of its era; see the note on RC4 above).

At the same time, Netscape developed the HTTPS protocol and built it into its browser. HTTPS is in fact HTTP over SSL; it uses port 443 by default instead of port 80, which HTTP uses to communicate over TCP/IP. With HTTPS the sender encrypts the original data with SSL and the receiver decrypts it after transmission; encryption and decryption depend on the sender and receiver establishing a key known to both, so the transmitted data is not easy for a network attacker to intercept and decrypt. However, the encryption and decryption consume a large amount of system overhead and noticeably reduce the machine's performance: the test data cited at the time put the data-transfer efficiency of HTTPS at only about one tenth of HTTP. Those measurements predate hardware AES acceleration and TLS 1.3; on current hardware the per-request encryption cost is a small fraction of total CPU.
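The paragraph above describes the mechanism in one sentence: the two sides establish a key known to both, after which an interceptor can neither read nor usefully alter the data. The following is an added example, not code from the original article, showing that exchange in the form current TLS uses (ephemeral X25519 key agreement instead of the RSA key transport described earlier, with AES-GCM protecting each record). The key-derivation label and the message are constructed for the example; a real protocol derives keys with HKDF over the handshake transcript.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one endpoint: an ephemeral X25519 key pair and, after the
// exchange, the session key derived from it.
type Party struct {
	priv *ecdh.PrivateKey
	key  []byte
}

func NewParty() *Party {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Party{priv: priv}
}

// Public is the only value this party puts on the wire in the clear.
func (p *Party) Public() []byte { return p.priv.PublicKey().Bytes() }

// Agree derives the session key from our private key and the peer's public
// value. Both sides reach the same key, yet the key itself is never sent.
func (p *Party) Agree(peerPub []byte) error {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return err
	}
	shared, err := p.priv.ECDH(pub)
	if err != nil {
		return err
	}
	// Minimal key derivation for the example (constructed label); TLS uses HKDF.
	sum := sha256.Sum256(append([]byte("example-session-key|"), shared...))
	p.key = sum[:]
	return nil
}

func (p *Party) aead() cipher.AEAD {
	block, _ := aes.NewCipher(p.key) // key is always 32 bytes from Agree, so no error
	g, _ := cipher.NewGCM(block)
	return g
}

// Seal encrypts and authenticates plaintext into a record: nonce || ciphertext || tag.
func (p *Party) Seal(plaintext []byte) []byte {
	g := p.aead()
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, plaintext, nil)
}

// Open checks the tag and decrypts; any change to the record makes it fail.
func (p *Party) Open(record []byte) ([]byte, error) {
	g := p.aead()
	if len(record) < g.NonceSize()+g.Overhead() {
		return nil, errors.New("record too short")
	}
	return g.Open(nil, record[:g.NonceSize()], record[g.NonceSize():], nil)
}

// Run performs one exchange and reports what the text claims: the receiver
// recovers the message, an eavesdropper who saw only the public values cannot,
// and a record altered in transit is rejected rather than silently accepted.
func Run(msg string) (recovered string, eveErr, tamperErr error) {
	client, server := NewParty(), NewParty()
	// Over the wire: the two public values, visible to anyone listening.
	if err := client.Agree(server.Public()); err != nil {
		panic(err)
	}
	if err := server.Agree(client.Public()); err != nil {
		panic(err)
	}
	record := client.Seal([]byte(msg))
	pt, err := server.Open(record)
	if err != nil {
		panic(err)
	}
	recovered = string(pt)
	// Eve captured both public values but holds neither private key; her own
	// agreement with the server's public value yields a different key.
	eve := NewParty()
	_ = eve.Agree(server.Public())
	_, eveErr = eve.Open(record)
	// Flip one bit of the captured record (here in the tag; any byte would do).
	tampered := append([]byte(nil), record...)
	tampered[len(tampered)-1] ^= 0x01
	_, tamperErr = server.Open(tampered)
	return recovered, eveErr, tamperErr
}

func main() {
	got, eveErr, tamperErr := Run("transfer 100 to account 42")
	fmt.Printf("server read: %q\neavesdropper: %v\ntampered record: %v\n", got, eveErr, tamperErr)
}
```

Because the key pairs are ephemeral, capturing the traffic and later obtaining a long-term server key does not help the eavesdropper; that is the forward secrecy the RSA key-transport handshake lacks.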

If, for the sake of security, every web application on a site were encrypted with SSL and transmitted over HTTPS, the site's performance and efficiency would be greatly reduced, and this is not necessary, because in general not all data needs such a high level of security. We only need HTTPS for the interactions that involve confidential data, and so get the best of both worlds. In short, where HTTPS is not needed, try not to use it. One check if a site does mix HTTP and HTTPS: the session cookie must carry the Secure flag, otherwise the plaintext pages leak it and undo the protection of the HTTPS ones.

Reprint: http://www.topthink.com/topic/9278.html
