What is HTTPS, the difference between HTTP and HTTPS

　　What is https:

　　HTTPS (Secure hypertext Transfer Protocol) Secure Hypertext Transfer Protocol

It is a secure communication channel that is based on HTTP development and is used to exchange information between client computers and servers. It uses Secure Sockets Layer (SSL) for information exchange, in short, it is a secure version of HTTP.

It is developed by Netscape and built into its browser to compress and decompress data, and to return the results that are sent back over the network. HTTPS actually applies Netscape's secure full Sockets Layer (SSL) as a child layer of the HTTP application layer. (HTTPS uses port 443 instead of using port 80来 and TCP/IP for communication like HTTP.) SSL uses the 40-bit keyword as the RC4 stream encryption algorithm, which is appropriate for business information encryption. HTTPS and SSL support use X.509 digital authentication, and users can confirm who the sender is if needed.

　The difference between HTTPS and http:

HTTPS protocol requires a CA to request a certificate, the general free certificate is very few, need to pay a fee.

HTTP is a Hypertext Transfer Protocol, the message is transmitted in clear text, and HTTPS is a secure SSL encrypted transport protocol.

HTTP and HTTPS use a completely different connection. The same port is not the same, the former is 80, the latter is 443.

HTTP connections are simple and stateless

HTTPS protocol is a network protocol constructed by Ssl+http protocol which can encrypt transmission and authentication, and is more secure than HTTP protocol.

　　Issues addressed by https:

1. The problem of trusting the host. The server with HTTPS must request a certificate from the CA for proof of the server purpose type. Change the certificate only when used for the corresponding server, the customer only trust the secondary host. So at present all the Bank system website, the key part application is HTTPS. The client trusts the host by trusting the certificate. This is actually inefficient, but banks are more focused on safety. This does not make any sense to us, our server, the use of the certificate regardless of their own issue or from the public place issue, the client is our own, so we will certainly trust the server.

2. Disclosure and tampering of data in the communication process

1. In general, HTTPS means that the server has a certificate.

A The main purpose is to ensure that the server is the server he claims to be. This is the same as 1th.

b All communications between the server and the client are encrypted.

I. Specifically, the client produces a symmetric key, exchanging the key through the server's certificate. The handshake process in the general sense.

II. All the information exchanged is encrypted. Even interception by a third party doesn't make any sense. Because he doesn't have a key. Of course, there's no point in tampering.

2. The client must also have a certificate if a few requests are requested from the client.

A the client certificate here, in fact, similar to the personal information, in addition to user name/password, there is a CA authenticated identity. Should be a personal certificate in general, others can not simulate, all this can further confirm their identity.

b currently a small number of personal banking Professional Edition is this practice, the specific certificate may be a U disk as a backup of the carrier.

HTTPS must be tedious.

A) Originally simple HTTP protocol, a get a response. Because HTTPS needs to return the key and confirm the encryption algorithm. A single handshake requires 6/7 round-trip.

I. In any application, excessive round trip definitely affects performance.

b Next is the specific HTTP protocol, and each response or request requires the client and server to encrypt/decrypt the contents of the session.

I. Although symmetric encryption/decryption efficiency is high, but still consumes too much CPU, for this there is a dedicated SSL chip. If the CPU letter can be low, it will certainly degrade performance, thus can not serve more requests.

Ii. the effect of data volume after encryption.

1. I tested it with a 128bit RC2, and the number of encryption is basically the same as before encryption.

　　Character: Introduction to SSL:

SSL is a security NDA proposed by Netscape, in browsers such as Internet Explorer, Netscape Navigator, and Web servers, such as Netscape, Netscape Enterprise Server, ColdFusion server and so on) to construct a secure channel for data transmission, SSL running on the TCP/IP layer, under the application layer, to provide the application encryption data channel, it uses the RC4, MD5 and RSA encryption algorithms, using a 40-bit key, Applies to the encryption of business information. At the same time, Netscape developed the HTTPS protocol and built it into its browser, HTTPS is actually SSL over HTTP, it uses the default port 443, instead of using port 80来 and TCP/IP for communication like HTTP. The HTTPS protocol uses SSL to encrypt the raw data on the sender and then decrypt it on the receiver, which requires the sender and receiver to exchange a shared secret key, so the data transmitted is not easily intercepted and decrypted by the network hacker.

However, the encryption and decryption process requires a large amount of overhead to reduce the performance of the machine, which indicates that the efficiency of data transfer using HTTPS protocol is only one-tenth of that transmitted using the HTTP protocol. If, for security purposes, all Web applications on a Web site are encrypted with SSL and are transmitted using the HTTPS protocol, the performance and efficiency of the site will be significantly reduced and not necessary because, in general, not all data require such a high level of security secrecy, We only need to use HTTPS protocol for interactive processing involving confidential data, so that we can have both the fish and the cake. In short, do not need to use the place HTTPS, try not to use.