HTTP mainly has the following disadvantages:
Communication uses plaintext (no encryption), so the content can be eavesdropped;
The identity of the communicating party is not verified, so impersonation is possible;
The integrity of a message cannot be proved, so it may have been tampered with.
What causes these shortcomings, and how can they be dealt with?
Communication in plaintext may be eavesdropped
HTTP messages are sent without any encryption. A TCP/IP network is inherently susceptible to eavesdropping: because of how the protocol suite works, traffic on any link along the path can be captured by whoever has access to that link, for example with a packet capture tool. Capture cannot be prevented even when the message has been encrypted; what encryption changes is that the captured bytes are ciphertext, so the eavesdropper can see that a message passed but not what it says.
To keep information safe when it may be spied on, encryption is applied. There are two common targets for it:
Encrypted object: the communication.
Explanation: HTTP itself has no encryption mechanism, but it can be combined with SSL or TLS to encrypt the HTTP communication content. SSL/TLS is used to establish a secure communication line, and HTTP communication is then carried over that line. (SSL is the older name; SSL 2.0 and 3.0 are obsolete and modern deployments use TLS 1.2 or 1.3, but the layering is the same.)
Encrypted object: the content.
Explanation: the content carried in the HTTP message body is encrypted. Because HTTP has no encryption of its own, the client must encrypt the content before sending it and the server must decrypt it on receipt. Only the body is protected this way; the request line and headers still travel in plaintext.
Impersonation is possible because the communicating party is not verified
Requests and responses in HTTP do not authenticate the communicating party.
In other words, during HTTP communication anyone can send a request, since there is no step that confirms who the other party is. Likewise, the server returns a response to whoever sent a request (unless the web server restricts access by source IP address or port number). This leads to the following risks:
① It cannot be determined whether the web server that a request was sent to is the server that was meant to return the response. It may be a spoofed web server.
② It cannot be determined whether the client that a response is returned to is the client that was meant to receive it. It may be a spoofed client.
③ It cannot be determined whether the communicating party has access rights. Some web servers hold important information that should be sent only to specific users with the right permissions, yet HTTP alone offers no way to determine where a request came from or who sent it.
④ Even meaningless requests are accepted. There is no way to block DoS attacks made up of massive numbers of requests.
So how is the communicating party identified? SSL (and its successor TLS) not only provides encryption but also a means of identifying parties called certificates. A certificate is issued by a trusted third-party organization (a certificate authority) to prove that the server, or the client, actually is who it claims to be. Forging a certificate is technically difficult, so as long as the certificate held by the communicating party can be confirmed, that party's identity can be judged. In practice this depends on the verifier performing two checks: the certificate must chain to a CA the verifier trusts, and the name in the certificate must match the host that was being contacted. A client that skips either check gains none of this protection.
Message integrity cannot be proved, so messages may have been tampered with
Since HTTP cannot prove the integrity of a message, there is no way to confirm that the request or response that was sent is the same as the one received. An attacker who intercepts a request or response in transit and alters its content (a man-in-the-middle attack) therefore generally goes undetected.
Hash values such as MD5 and SHA-1, or a digital signature on the file, can be used to detect tampering, but with HTTP alone this is not reliable: the hash travels over the same unprotected channel, so an attacker who rewrites the content can recompute and replace the hash as well, and MD5 and SHA-1 are themselves no longer collision-resistant. Checking also depends on the user actually performing it. It is therefore better to adopt HTTPS.
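The following is an added example, not code from the original article. It models a request body that travels with a detached checksum in a hypothetical `X-Checksum` header and asks whether an on-path attacker who rewrites the body stays undetected. With an unkeyed hash such as MD5 or SHA-1 the attacker simply recomputes the hash for the new body; with a keyed MAC (HMAC-SHA256 here) a valid tag cannot be produced without the key, which is the property TLS relies on for every record. The bodies and the header name are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Added example, not from the original article. A request body travels with a
# detached checksum in a hypothetical "X-Checksum" header; an on-path attacker
# replaces the body. Unkeyed hash (MD5/SHA-1): attacker recomputes the hash and
# is not detected. Keyed MAC (HMAC-SHA256): forging a tag requires the key.
# The two bodies below are constructed sample data.

ORIGINAL_BODY = b'{"to":"alice","amount":100}'
TAMPERED_BODY = b'{"to":"mallory","amount":9999}'


def unkeyed_tag(body: bytes, algo: str = "md5") -> str:
    """Plain hash of the body, as in the MD5/SHA-1 approach the text mentions."""
    return hashlib.new(algo, body).hexdigest()


def keyed_tag(key: bytes, body: bytes) -> str:
    """HMAC-SHA256 of the body under a key known only to client and server."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_unkeyed(message: dict, algo: str = "md5") -> bool:
    """Receiver-side check for the unkeyed scheme (constant-time compare)."""
    return hmac.compare_digest(message["X-Checksum"], unkeyed_tag(message["body"], algo))


def verify_keyed(key: bytes, message: dict) -> bool:
    """Receiver-side check for the keyed scheme."""
    return hmac.compare_digest(message["X-Checksum"], keyed_tag(key, message["body"]))


def on_path_attacker(message: dict, algo: str = "md5") -> dict:
    """Man-in-the-middle: swaps the body and does the best it can with the
    checksum header. Lacking the key, the best it can do is an unkeyed hash."""
    return {"X-Checksum": unkeyed_tag(TAMPERED_BODY, algo), "body": TAMPERED_BODY}


def unkeyed_scheme_detects_tampering(algo: str = "md5") -> bool:
    sent = {"X-Checksum": unkeyed_tag(ORIGINAL_BODY, algo), "body": ORIGINAL_BODY}
    received = on_path_attacker(sent, algo)
    return not verify_unkeyed(received, algo)      # False: the forgery passes


def keyed_scheme_detects_tampering() -> bool:
    key = secrets.token_bytes(32)                   # shared out of band, e.g. over TLS
    sent = {"X-Checksum": keyed_tag(key, ORIGINAL_BODY), "body": ORIGINAL_BODY}
    received = on_path_attacker(sent)
    return not verify_keyed(key, received)          # True: the forgery is rejected


def keyed_scheme_accepts_untampered() -> bool:
    key = secrets.token_bytes(32)
    sent = {"X-Checksum": keyed_tag(key, ORIGINAL_BODY), "body": ORIGINAL_BODY}
    return verify_keyed(key, sent)                  # True: honest delivery verifies


if __name__ == "__main__":
    print("MD5 detects tampering:  ", unkeyed_scheme_detects_tampering("md5"))
    print("SHA-1 detects tampering:", unkeyed_scheme_detects_tampering("sha1"))
    print("HMAC detects tampering: ", keyed_scheme_detects_tampering())
```

A digital signature removes the need for a shared secret, but the receiver then has to know the sender's genuine public key, which is the same identification problem the previous section describes; HTTPS solves both at once by authenticating the server with a certificate and protecting every record with a MAC or AEAD cipher.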
From these shortcomings and the ways of dealing with them, it is clear that a more reliable protocol is needed. HTTPS is the result of adding encryption, authentication and integrity protection to HTTP.
HTTPS is not a new application-layer protocol; it is HTTP wrapped in the shell of the SSL/TLS protocol. HTTP normally communicates directly with TCP, but when SSL/TLS is used, HTTP first communicates with SSL/TLS, and SSL/TLS then communicates with TCP. As shown in the figure:
Disadvantages of HTTP and improvements
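The following is an added example, not code from the original article. It covers two points made above: that a certificate only identifies the server if the client actually requires a trusted chain and a matching hostname, and that HTTPS is HTTP layered over SSL/TLS over TCP. It uses only the Python standard library `ssl` and `socket` modules; the host name passed to `https_get` is whatever the caller supplies, and that function needs network access, so the rest of the block can be checked offline.

```python
import socket
import ssl
from typing import Optional

# Added example, not from the original article. The certificate-based identity
# argument in the text holds only if the client enforces both checks below.


def make_verifying_context() -> ssl.SSLContext:
    """Client context that authenticates the server. create_default_context()
    already sets check_hostname=True and verify_mode=CERT_REQUIRED; the minimum
    version is pinned explicitly so obsolete SSL/TLS versions are refused."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_insecure_context() -> ssl.SSLContext:
    """The weak configuration that defeats the purpose of certificates: any
    certificate is accepted, so an on-path attacker with a self-signed
    certificate can impersonate the server. Shown for contrast only."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be disabled before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_authenticates_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context requires a trusted chain AND a matching hostname."""
    return bool(ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname)


def requires_modern_tls(ctx: ssl.SSLContext) -> bool:
    """True if the context refuses anything older than TLS 1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


def https_get(host: str, path: str = "/", ctx: Optional[ssl.SSLContext] = None,
              timeout: float = 5.0) -> str:
    """Minimal HTTP/1.1 GET showing the layering from the text: the HTTP request
    is written to the TLS socket, and TLS writes to the TCP socket.
    server_hostname is what the hostname check compares the certificate against
    (it is also sent as SNI). Requires network; not exercised offline."""
    ctx = ctx or make_verifying_context()
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, 443), timeout=timeout) as tcp:      # TCP layer
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:              # SSL/TLS layer
            tls.sendall(request)                                              # HTTP layer
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


if __name__ == "__main__":
    print("default context authenticates peer:", context_authenticates_peer(make_verifying_context()))
    print("CERT_NONE context authenticates peer:", context_authenticates_peer(make_insecure_context()))
```

With the verifying context, `wrap_socket` raises `ssl.SSLCertVerificationError` if the chain does not lead to a trusted CA or the name does not match; with the insecure context the same connection succeeds silently, which is exactly the impersonation risk the text describes.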