HTTP VS HTTPS

Source: Internet
Author: User
Tags: ssl certificate, ssl connection

  • The concepts of HTTPS and HTTP

    HTTPS (full name: Hypertext Transfer Protocol over Secure Socket Layer) is an HTTP channel designed for security; put simply, it is the secure version of HTTP. An SSL layer is added beneath HTTP, so SSL is the security foundation of HTTPS and the details of the encryption are handled by SSL. It is a URI scheme (an abstract identifier system) with a syntax similar to the http: scheme, used for secure HTTP data transfer. An https: URL indicates that HTTP is used, but with a different default port from plain HTTP and with an encryption/authentication layer between HTTP and TCP. The system was originally developed by Netscape to provide authenticated and encrypted communication, and it is now widely used for security-sensitive communication on the World Wide Web, such as transaction payments.

    The Hypertext Transfer Protocol (HTTP) is the set of rules that governs communication between a browser and a World Wide Web server; it is the data transfer protocol used to transmit World Wide Web documents over the Internet.

  • The difference between HTTPS and HTTP:

    The HTTPS protocol requires applying to a CA for a certificate. Free certificates are rare, so a fee is usually required. HTTP is the Hypertext Transfer Protocol and transmits information in clear text, while HTTPS is a secure transport protocol encrypted with SSL. HTTP and HTTPS use completely different connection methods and different ports: the former uses 80, the latter 443. An HTTP connection is very simple and stateless. The HTTPS protocol is built from SSL+HTTP and provides encrypted transmission and authentication, which makes it more secure than HTTP.

    Problems that HTTPS solves:

    1. The problem of trusting the host. A server that uses HTTPS must request a certificate from a CA, and the certificate certifies the purpose the server is used for. The client trusts the host only when the certificate is used for the corresponding server. This is why the key parts of all banking websites currently use HTTPS. The client trusts the host by trusting the certificate. In fact, this is inefficient, but banks care more about security. For our own servers this matters little: whether the certificate is self-issued or issued publicly, the client is also our own, so it will certainly trust the server.

    2. The problem of data being leaked or tampered with during communication.

       1. In the usual form of HTTPS, the server has a certificate.
          A) The main purpose is to ensure that the server is the server it claims to be. This is the same as point 1.
          B) All communication between the server and the client is encrypted.
             I. Specifically, the client generates a symmetric key, which is exchanged using the server's certificate. This is the general handshake process.
             II. All information exchanged afterwards is encrypted. Even if a third party intercepts it, the data is meaningless to them because they do not have the key. Tampering with it is pointless as well.

       2. A small number of services also require the client to have a certificate.
          A) The client certificate is similar to personal information: in addition to the user name/password, there is an identity authenticated by a CA. Because a personal certificate generally cannot be forged by others, it further confirms the user's identity.
          B) At present a small number of "professional edition" personal banking services work this way; the certificate may be carried on a USB flash drive.

       3. HTTPS is inevitably more cumbersome.
          A) Plain HTTP is simple: one GET, one response. HTTPS must additionally exchange the encryption key and agree on the encryption algorithm. A single handshake requires 6/7 round trips. In any application, too many round trips will affect performance.
          B) After the handshake, for every HTTP request or response the client and the server must encrypt/decrypt the contents of the session.
             I. Although symmetric encryption/decryption is efficient, it still consumes a lot of CPU, which is why dedicated SSL chips exist. If CPU performance is low, performance will certainly degrade and fewer requests can be served.
             II. The effect of encryption on the amount of data.

    That is why there are so many security certification prompts.

  • The Hypertext Transfer Protocol (HTTP) is used to pass information between a Web browser and a Web server. HTTP sends content in plaintext and provides no data encryption of any kind. If an attacker intercepts the messages transmitted between a Web browser and a Web server, the information can be read directly, so HTTP is not suitable for transmitting sensitive information such as credit card numbers, passwords and other payment information.

    To address this flaw of HTTP, another protocol is needed: HTTPS, the Hypertext Transfer Protocol over Secure Sockets Layer. To secure data transmission, HTTPS adds the SSL protocol to HTTP. SSL relies on certificates to verify the identity of the server and encrypts the communication between the browser and the server.

    I. Basic concepts of HTTP and HTTPS

    HTTP: the most widely used network protocol on the Internet. It is a request/response standard between client and server (over TCP), used to transfer hypertext from a WWW server to the local browser. It makes the browser more efficient and reduces network transmission.

    HTTPS: an HTTP channel designed for security; put simply, it is the secure version of HTTP. An SSL layer is added beneath HTTP, so SSL is the security foundation of HTTPS and the details of the encryption are handled by SSL.

    The HTTPS protocol has two main roles: one is to establish a secure channel that protects data in transit, the other is to confirm the authenticity of the website.

    II. What is the difference between HTTP and HTTPS?

    Data transmitted over HTTP is unencrypted, that is, plaintext, so it is very unsafe to transmit private information over HTTP. So that private data could be encrypted in transit, Netscape designed the SSL (Secure Sockets Layer) protocol to encrypt the data carried by HTTP, and HTTPS was born. In simple terms, HTTPS is a network protocol built from SSL+HTTP that provides encrypted transmission and authentication and is more secure than HTTP.

    The main differences between HTTPS and HTTP are as follows:

    1. The HTTPS protocol requires applying to a CA for a certificate. Free certificates are generally rare, so there is a certain cost.

    2. HTTP is the Hypertext Transfer Protocol and transmits information in plaintext; HTTPS is a secure transfer protocol encrypted with SSL.

    3. HTTP and HTTPS use completely different ways of connecting and different ports: the former uses 80, the latter 443.

    4. The HTTP connection is very simple and stateless; the HTTPS protocol is a network protocol built from SSL+HTTP that provides encrypted transmission and authentication and is more secure than HTTP.

    III. The working principle of HTTPS

    HTTPS encrypts information so that sensitive information cannot be obtained by third parties, which is why many services with high security requirements, such as bank websites and e-mail, use the HTTPS protocol.

    A client communicates with a Web server over HTTPS in the following steps.

    (1) The client accesses the Web server using an HTTPS URL and asks to establish an SSL connection with it.

    (2) When the Web server receives the client's request, it sends the website's certificate information (the certificate contains the public key) to the client.

    (3) The client's browser and the Web server negotiate the security level of the SSL connection, that is, the level of encryption.

    (4) The client's browser creates a session key according to the security level agreed by both parties, encrypts the session key with the website's public key and sends it to the website.

    (5) The Web server decrypts the session key using its own private key.

    (6) The Web server uses the session key to encrypt its communication with the client.

    IV. Advantages of HTTPS

    HTTPS is not absolutely secure: organizations that hold root certificates and organizations that control the cryptographic algorithms can still mount man-in-the-middle style attacks. Even so, HTTPS is the safest solution under the current architecture, with the following benefits:

    (1) The HTTPS protocol authenticates users and servers, ensuring that data is sent to the correct client and server.

    (2) The HTTPS protocol is a network protocol built from SSL+HTTP that provides encrypted transmission and authentication. It is more secure than HTTP, prevents data from being stolen or altered in transit, and ensures the integrity of the data.

    (3) HTTPS is the safest solution under the current architecture. Although it is not absolutely secure, it dramatically increases the cost of a man-in-the-middle attack.

    (4) Google adjusted its search engine algorithm in August 2014, saying that "sites with HTTPS encryption will be ranked higher in search results than equivalent HTTP sites."

    V. Disadvantages of HTTPS

    Although HTTPS has great advantages, it also has shortcomings:

    (1) The HTTPS handshake phase is time-consuming; it increases page load time by nearly 50% and increases power consumption by 10% to 20%.

    (2) Caching of HTTPS connections is less efficient than with HTTP, which increases data overhead and power consumption, and even existing security measures are affected.

    (3) SSL certificates cost money, and the more powerful the certificate, the higher the cost. Personal websites and small sites generally do not use one unless it is necessary.

    (4) An SSL certificate usually has to be bound to an IP address, and multiple domain names cannot be bound to the same IP; IPv4 resources cannot support this consumption.

    (5) The scope of HTTPS encryption is also fairly limited: it does almost nothing against hacker attacks, denial-of-service attacks, server hijacking and the like. Most critically, the chain of trust behind SSL certificates is not secure; in particular, where some countries can control a CA root certificate, a man-in-the-middle attack remains feasible.

    VI. Switching from HTTP to HTTPS

    What if you need to switch your Web site from HTTP to HTTPS?

    All links in the page, such as js, css, images, and so on, need to be changed from HTTP to HTTPS. For example: change http://www.baidu.com to https://www.baidu.com

    BTW, although the site is switched from HTTP to HTTPS, it is recommended to keep HTTP. So the switch can be made compatible with both HTTP and HTTPS: remove the http: prefix from the links in the page, so that they automatically match either the HTTP or the HTTPS scheme. For example: change http://www.baidu.com to //www.baidu.com. Then, when the user enters the page through the HTTP entry point, the page is HTTP, and when the user enters through the HTTPS entry point, the page is HTTPS.
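
    One way to check a page before the switch, as an added example that is not part of the original page: it lists the js, css and image links that would still be fetched over plain HTTP and rewrites them to https://. The regular expression, function names and example.com sample markup are assumptions made for illustration; ordinary <a> navigation links are deliberately left alone.

```javascript
// Added example (not from the original page): find and upgrade http:// subresource links.
// Tags whose src/href makes the browser fetch a subresource (js, css, images, and so on).
const SUBRESOURCE =
  /<(script|img|link|iframe|audio|video|source)\b[^>]*?\s(src|href)\s*=\s*(["'])(.*?)\3/gi;

// Constructed sample page; the example.com hosts are placeholders.
const SAMPLE_HTML = `
<link rel="stylesheet" href="http://static.example.com/site.css">
<script src="https://static.example.com/app.js"></script>
<img alt="logo" src='http://img.example.com/logo.png'>
<a href="http://www.example.com/about">About</a>`;

// List every subresource that would still be fetched over plain HTTP.
function findInsecureLinks(html) {
  const hits = [];
  for (const m of html.matchAll(SUBRESOURCE)) {
    if (/^http:\/\//i.test(m[4])) hits.push({ tag: m[1].toLowerCase(), url: m[4] });
  }
  return hits;
}

// Rewrite only the insecure subresource URLs to https://, leaving everything else untouched.
function upgradeLinks(html) {
  return html.replace(SUBRESOURCE, (whole, tag, attr, quote, url) => {
    if (!/^http:\/\//i.test(url)) return whole;
    const prefix = whole.slice(0, whole.length - url.length - quote.length);
    return prefix + url.replace(/^http:/i, 'https:') + quote;
  });
}

console.log(findInsecureLinks(SAMPLE_HTML));
console.log(upgradeLinks(SAMPLE_HTML));
```

    Running findInsecureLinks again on the output of upgradeLinks gives a quick regression check that no plain-HTTP subresource remains.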
