HTTP and HTTPS protocols

Source: Internet
Author: User
Tags: decrypt, asymmetric encryption

What is the HTTP protocol?
Simply put, it is an application-layer communication specification: for two parties to communicate, both must follow the same specification, and that specification is the HTTP protocol.
What can the HTTP protocol do?
Most people will first think of browsing the web. Browsing the web is indeed the main application of HTTP, but that does not mean HTTP can only be used for web browsing. HTTP is a protocol, and it is useful wherever both parties to the communication adhere to it. For example, commonly used software such as QQ and Thunder uses the HTTP protocol (along with other protocols).
How does the HTTP protocol work?
The general communication flow is well known: first the client sends a request to the server, and after receiving the request the server generates a response and sends it back to the client.

What is HTTPS?
HTTPS (Secure Hypertext Transfer Protocol) is a secure communication channel, developed on the basis of HTTP, that is used to exchange information between client computers and servers. It uses Secure Sockets Layer (SSL) for the information exchange; put simply, it is the secure version of HTTP. It was developed by Netscape and built into its browser to compress and decompress data and return the results that are sent back over the network. HTTPS actually applies Netscape's Secure Sockets Layer (SSL) as a sub-layer of the HTTP application layer. (HTTPS uses port 443, rather than using port 80 to communicate with TCP/IP as HTTP does.) SSL uses a 40-bit key for the RC4 stream encryption algorithm, which is appropriate for encrypting business information. HTTPS and SSL support the use of digital authentication, so that, if necessary, the user can confirm who the sender is.

HTTPS Transport Protocol principle

Two kinds of basic encryption and decryption algorithms

1. Symmetric encryption: there is only one key. Encryption and decryption use the same key, and both are fast. Typical symmetric encryption algorithms include DES and AES.

2. Asymmetric encryption: keys come in pairs (the private key cannot be inferred from the public key, and the public key cannot be inferred from the private key), and encryption and decryption use different keys (data encrypted with the public key must be decrypted with the private key, and data encrypted with the private key must be decrypted with the public key). It is slow compared with symmetric encryption. Typical asymmetric encryption algorithms include RSA and DSA.
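
How the two kinds of algorithm are combined when a client wraps a symmetric session key with a server's public key, as an added example that is not from the original article. It assumes a constructed toy RSA key built from two small known primes, unpadded RSA, and an HMAC-SHA256 keystream standing in for a real symmetric cipher such as AES; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key from two known Mersenne primes; far too small for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                              # public modulus (the public key is N, E)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, never leaves the server

def _subkey(session_key, label):
    # Separate keys for encryption and integrity, both derived from the session key.
    return hashlib.sha256(label + session_key).digest()

def _keystream_xor(key, nonce, data):
    # Stand-in symmetric cipher (assumption): XOR with an HMAC-SHA256 counter keystream.
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)

def client_wrap_session_key(n, e):
    # Slow asymmetric step, done once: only the private-key holder can unwrap this.
    session_key = secrets.token_bytes(16)
    return session_key, pow(int.from_bytes(session_key, "big"), e, n)

def server_unwrap_session_key(wrapped):
    return pow(wrapped, D, N).to_bytes(16, "big")

def seal(session_key, plaintext):
    # Fast symmetric step, done for every message: encrypt, then authenticate.
    nonce = secrets.token_bytes(12)
    body = _keystream_xor(_subkey(session_key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(session_key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce, body, tag

def unseal(session_key, nonce, body, tag):
    expected = hmac.new(_subkey(session_key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record was modified in transit")
    return _keystream_xor(_subkey(session_key, b"enc"), nonce, body)

if __name__ == "__main__":
    key, wrapped = client_wrap_session_key(N, E)
    assert server_unwrap_session_key(wrapped) == key
    record = seal(key, b"GET /balance HTTP/1.1")
    print(unseal(key, *record))
```

An eavesdropper sees only the wrapped key and the sealed records; changing a single byte of a record makes `unseal` raise instead of returning altered data.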

The difference between HTTPS and HTTP:
The HTTPS protocol requires applying to a CA for a certificate; free certificates are generally scarce, so a fee is usually required.

HTTP is the Hypertext Transfer Protocol, and its information is transmitted in clear text; HTTPS is a secure transport protocol encrypted with SSL. HTTP and HTTPS use completely different connection methods and different ports: the former uses 80, the latter 443. An HTTP connection is simple and stateless; the HTTPS protocol is built from SSL + HTTP and provides encrypted transmission and identity authentication, which makes it more secure than the HTTP protocol.
Problems that HTTPS solves:
 1. The problem of trusting the host. A server that uses HTTPS must apply to a CA for a certificate that proves what the server is used for. The client trusts the host only when the certificate is used for the corresponding server. That is why the key parts of all banking websites now use HTTPS. The client trusts the host by trusting the certificate. This is actually inefficient, but banks care more about security. This point means little for us: whether our server's certificate is self-issued or issued by a public authority, the client is also our own, so we will certainly trust the server.
 2. The disclosure and tampering of data in the communication process
    1. HTTPS in the general sense means that the server has a certificate.
       a) The main purpose is to ensure that the server is the server it claims to be. This is the same as point 1. Specifically, the client generates a symmetric key and exchanges it using the server's certificate; this is the usual handshake process.
       b) All communication between the server and the client is encrypted. All information exchanged is encrypted, so even if a third party intercepts it, the data is meaningless to them because they do not have the key, and for the same reason tampering with it is pointless.
    2. In a small number of cases that place requirements on the client, the client is also required to have a certificate.
       a) The client certificate here is similar to personal information: in addition to the user name and password, there is an identity authenticated by a CA. It is generally a personal certificate that others cannot imitate, so it further confirms the user's identity.
       b) Currently a small number of professional editions of personal online banking do this; the certificate itself may be carried on a USB flash drive as a backup medium.
    3. Disadvantages of transmission efficiency. HTTPS is necessarily cumbersome.
       a) HTTP is originally a simple protocol: one GET, one response. HTTPS additionally has to exchange the encrypted key and confirm the encryption algorithm. A single handshake requires 6/7 round trips, and in any application too many round trips definitely affect performance.
       b) Next comes the HTTP exchange itself: for every request or response, the client and server must encrypt/decrypt the contents of the session. Although symmetric encryption/decryption is efficient, it still consumes a lot of CPU, which is why dedicated SSL chips exist. If the CPU is weak, performance will certainly degrade and fewer requests can be served.
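
The trust point in item 1, as an added example that is not from the original article: when the server certificate is self-issued, the client can load the issuing certificate as its only trust anchor instead of switching verification off, and a client context can be checked for the settings that would silently remove host authentication. The function names and the `private_ca_file` parameter are hypothetical; the calls are from Python's standard `ssl` module.

```python
import ssl

def build_client_context(private_ca_file=None):
    """Client context that still authenticates the host.

    private_ca_file (hypothetical parameter): PEM file holding a self-issued or
    internal CA certificate. When given, it replaces the system trust store, so
    only servers whose certificate chains to it are accepted.
    """
    ctx = ssl.create_default_context(cafile=private_ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse legacy SSL/early TLS
    return ctx

def weak_context():
    """Constructed counter-example: encryption without host authentication."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_client_context(ctx):
    """Return the settings that weaken the 'trusting the host' guarantee."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate host name is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are allowed")
    return findings

if __name__ == "__main__":
    print("hardened:", audit_client_context(build_client_context()))
    print("weak:    ", audit_client_context(weak_context()))
```

A connection made with the weak context is still encrypted, but the client has no evidence of which server holds the other end of the session key.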

Introduction to SSL:

SSL is a security and confidentiality protocol proposed by Netscape. It builds a secure channel for data transmission between browsers (such as Internet Explorer and Netscape Navigator) and web servers (such as Netscape, ColdFusion Server, etc.). SSL runs above the TCP/IP layer and below the application layer, providing an encrypted data channel for applications. It uses the RC4, MD5 and RSA algorithms with a 40-bit key, for the encryption of business information. Netscape also developed the HTTPS protocol and built it into its browser. HTTPS is actually SSL over HTTP; it uses port 443 by default, rather than using port 80 to communicate with TCP/IP as HTTP does. The HTTPS protocol uses SSL to encrypt the original data at the sender and decrypt it at the receiver. Encryption and decryption require the sender and the receiver to exchange a commonly known key, so the transmitted data is not easily intercepted and decrypted by network attackers. However, the encryption and decryption process imposes a large overhead on the system and severely reduces the performance of the machine; relevant test data indicates that the efficiency of data transfer using the HTTPS protocol is only one-tenth that of the HTTP protocol.

How to select the HTTP and HTTPS protocols:


If, for security purposes, every web application on a website is SSL-enabled and transmits over the HTTPS protocol, the performance and efficiency of the site will be greatly reduced. It is also unnecessary, because generally not all data requires such a high level of security. We therefore only need to use the HTTPS protocol for interactions involving confidential data, which gives the best of both worlds. In short, where HTTPS is not needed, try not to use it.

