Mini programs have been live for a long time, and developers who integrate with them run into some problems. For example, a mini program must communicate with its server over HTTPS, so developers need to set up an HTTPS service: apply for an SSL certificate, deploy it, and complete the HTTPS service build.
It is not only mini programs: this year Apple's iOS platform and Google's Android have also been gradually forcing developers to use HTTPS. HTTPS seems to have become an "ordeal" that troubles many developers.
Why developers can't get around HTTPS
To explain why HTTPS cannot be bypassed, we have to start with the HTTP protocol. HTTP is a very simple and efficient protocol, and most Internet applications use it by default. Because of the performance constraints and usage environment of the 1990s, HTTP was not designed as a security protocol: it has neither identity authentication nor consistency checking, and what conflicts most with current security requirements is that all HTTP content is transmitted in plaintext.
On the other hand, the Internet is a fast-growing industry, and all kinds of applications have penetrated into people's lives. Whether it is games, finance, shopping, social networking or the most heavily used service, search, these services bring people great convenience and improve quality of life and efficiency.
Unfortunately, most applications that use HTTP services carry a huge hidden security risk. These risks are concentrated in the following two areas:
1. Privacy Disclosure
Since HTTP itself is a plaintext transmission, the content transferred between the user and the server can be viewed by an intermediary. In other words, what you search for online, what you buy, which sites you visit and what content you click on may all be obtained by a "man in the middle". Because domestic attention to privacy protection is low and the risk is largely hidden, the losses and consequences are hard to assess. Some of the more serious known privacy breaches include:
QQ login information was stolen by criminals, who then logged in from a different location to send advertising and commit fraud.
The user's phone number and identity information is compromised.
The user's search behavior in the page is compromised. Search for a hospital, for example, and soon someone will call to promote it (non-effect ads).
2. Page Hijacking
The risk of privacy leaks is not easy to detect, and users are barely aware of it. The impact of another class of hijacking, however, is very obvious and direct: page hijacking, that is, directly tampering with the page the user is browsing. A lot of page hijacking is very simple and crude, directly inserting third-party ads or operator traffic alerts into the page.
HTTPS is the "nuclear weapon" against hijacking. Why is HTTPS such a good solution to hijacking? It has three major weapons:
1. Identity authentication: anti-counterfeiting, anti-repudiation
Each time a new HTTPS connection is established, the identity is authenticated to ensure that the user is accessing the correct destination site.
2. Content encryption: anti-eavesdropping
Content encryption means that the end-to-end communication is all ciphertext, so an intermediary cannot directly see the content. In HTTPS, all application-layer content is encrypted and decrypted with symmetric encryption.
3. Consistency check: tamper-proofing
Data integrity and consistency are protected by a MAC computed over the data with the shared key, which prevents intermediaries from tampering with the data.
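The consistency check described in point 3, as an added example that is not part of the original article: it computes a record MAC the way TLS 1.2 does for its MAC-based cipher suites (RFC 5246, section 6.2.3.1) and shows that an ad injected in transit, or a replayed record, fails verification. The key, the sample page and the function names are constructed for illustration, and encryption is left out so that only the integrity step is visible.

```python
import hashlib
import hmac
import struct

# Constructed sample values; a real TLS session derives the MAC key during the handshake.
MAC_KEY = b"constructed-shared-mac-key-32byt"
PAGE = b"<html><body>order total: 100</body></html>"
APPLICATION_DATA = 23   # TLS record content type for application data
TLS12 = (3, 3)          # protocol version bytes for TLS 1.2
TAG_LEN = hashlib.sha256().digest_size


def record_mac(key, seq, fragment):
    """HMAC over the implicit sequence number, the record header fields and the payload."""
    header = struct.pack("!QBBBH", seq, APPLICATION_DATA, *TLS12, len(fragment))
    return hmac.new(key, header + fragment, hashlib.sha256).digest()


def protect(key, seq, fragment):
    """Sender side: append the MAC to the payload."""
    return fragment + record_mac(key, seq, fragment)


def verify(key, seq, record):
    """Receiver side: return the payload, or None if the record was altered or replayed."""
    fragment, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = record_mac(key, seq, fragment)
    # compare_digest avoids leaking, through timing, how many tag bytes matched
    return fragment if hmac.compare_digest(tag, expected) else None


def inject_ad(data):
    """Model of an intermediary rewriting bytes in transit (the page hijacking of section 2)."""
    return data.replace(b"</body>", b"<div>AD</div></body>")


if __name__ == "__main__":
    record = protect(MAC_KEY, 0, PAGE)
    print("plain HTTP page after injection:", inject_ad(PAGE))         # nothing to check against
    print("intact record       :", verify(MAC_KEY, 0, record))
    print("record with ad added:", verify(MAC_KEY, 0, inject_ad(record)))
    print("record replayed     :", verify(MAC_KEY, 1, record))         # receiver expects seq 1
```

Because the sequence number is part of the MAC input but is never sent, a record that is replayed or reordered is rejected as well as one whose content was changed. TLS 1.3 and the AEAD cipher suites fold this integrity check into the cipher itself instead of using a separate HMAC.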
After the introduction above, I believe developers understand why mini programs, Apple's iOS platform and Google's Android all require SSL certificates to be deployed. This "ordeal" that developers cannot get around is not really an ordeal. It is the guardian of secure information transmission, a "protector" that cannot be bypassed and that plays a very important role on the Internet in keeping information from being leaked, tampered with, eavesdropped on and hijacked.
Understanding, through HTTPS, the SSL certificates that developers cannot get around