From making https safer, talk about HTTPS

Source: Internet
Author: User
Tags website server asymmetric encryption

As the public pays increasing attention to network security, a variety of protection methods have emerged. HTTPS Everywhere, an effective means of improving the security of HTTPS, has recently had its security and practicality strengthened once again.

Although HTTPS can effectively improve the security of users browsing the Web, problems remain that can become loopholes through which hackers steal data.

The current shortcomings of HTTPS can be partly made up for with browser plug-ins, such as HTTPS Everywhere from the Chrome store, which effectively reduces users' online risk. However, because the HTTPS Everywhere extension and its rules were bundled together, users had to update to the latest version of the plug-in frequently, which affected its usability.

To address this problem, the EFF (Electronic Frontier Foundation) split the ruleset from the extension to achieve sustainable updates. After the extension is installed, it periodically checks the rule list and downloads the latest list when one is available.

This method strengthens the security of HTTPS once again. Reading this, some readers will ask: what is HTTPS, and why can it protect our data?

What is HTTPS

HTTPS (Hypertext Transfer Protocol Secure) is a transport protocol designed to secure communications over a computer network. An SSL layer is added beneath HTTP, which protects the privacy and integrity of the exchanged data and provides authentication of the website server; put simply, it is the secure version of HTTP.

HTTP, HTTPS differences

HTTPS Access Process

HTTPS performs a handshake between the Web server and the Web browser before any data is transferred, and the encryption password information used by both parties is determined during that handshake.

The process is as follows:

1. The Web browser sends its supported encryption information to the Web server;

2. The Web server chooses a set of encryption algorithms and hash algorithms and sends its identity information to the Web browser in the form of a certificate (the issuing CA, the certificate validity period, the public key, the certificate owner, the signature, etc.);

3. When the Web browser receives the certificate, it first verifies the certificate's validity: if the certificate is trusted by the browser, a trust indicator is shown in the address bar; otherwise an untrusted warning is displayed. Once the certificate is trusted, the Web browser randomly generates a password and encrypts it with the public key from the certificate. It then hashes the handshake message with the agreed hash algorithm, encrypts the handshake message with the generated random password, and sends all of the information generated so far to the website;

4. When the Web server receives the data sent by the browser, it uses the website's own private key to decrypt the information and obtain the password, then uses that password to decrypt the handshake message sent by the Web browser and verifies that the hash matches the browser's. The server then encrypts a new handshake message with the password and sends it to the browser;

5. Finally, the browser decrypts the handshake message and computes its hash; if it matches the hash sent by the server, the handshake is complete, and from then on the server and browser encrypt data using the random password generated by the browser and the symmetric encryption algorithm.
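A runnable Go model of steps 3 and 4 and of the symmetric transport that follows, added here as an example and not code from the original article: the browser's random password is wrapped with the certificate's public key, unwrapped with the private key, and then used for AES-GCM records. It assumes RSA-OAEP in place of the real TLS key exchange, uses GCM's authentication tag as the per-record integrity check, and all function names are invented.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

func NewServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // key pair behind the certificate

// Step 3: the browser draws a random password and wraps it with the certificate's public key (RSA-OAEP; no forward secrecy).
func BrowserWrapPassword(pub *rsa.PublicKey) (password, wrapped []byte, err error) {
	password = make([]byte, 32) // 256-bit AES-GCM key
	if _, err = rand.Read(password); err == nil {
		wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, password, nil)
	}
	return password, wrapped, err
}

// Step 4: only the holder of the certificate's private key can recover it.
func ServerUnwrapPassword(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// After the handshake: a record is nonce || AES-GCM ciphertext, so each record is both encrypted and integrity-checked.
func SealRecord(password, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(password)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenRecord fails on a wrong password or on any altered or truncated byte.
func OpenRecord(password, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(password)
	if err != nil || len(record) < 12 { // 12-byte standard GCM nonce
		return nil, errors.New("bad key or truncated record")
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, record[:12], record[12:], nil)
}
```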

HTTPS Handshake Process

HTTPS Encryption algorithm

To protect data security, HTTPS uses a number of cryptographic algorithms:

1. Symmetric encryption: comes in two types, stream ciphers and block ciphers; encryption and decryption use the same key.

For example: DES, AES-GCM, ChaCha20-Poly1305, and so on.

2. Asymmetric encryption: the key used for encryption and the key used for decryption are different, and are known as the public key and the private key respectively. The public key and the algorithm are public; the private key is kept secret. Asymmetric algorithms have low performance but very strong security, and because of how they encrypt, the length of data they can encrypt is also limited.

For example: RSA, DSA, ECDSA, DH, ECDHE, and so on.

3. Hashing algorithm: converts information of any length into a shorter fixed-length value, usually much smaller than the input; the algorithm is irreversible.

For example: MD5, SHA-1, SHA-2, SHA-256, and so on.

4. Digital signature: a signature is a piece of content appended to the message (the hash value of the message) that proves the message has not been modified. The hash value is usually encrypted (that is, signed) and sent together with the message, so that the hash value itself cannot be modified.
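The hash-then-sign scheme described in point 4, as an added Go example that is not from the original article: the sender signs the SHA-256 hash of the message, and the receiver recomputes the hash and checks it against the signature, so a change to either the message or the signed hash is detected. It assumes RSA-PSS as the signature algorithm; the type and function names are invented.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// SignedMessage carries the message and the signed hash appended to it.
type SignedMessage struct {
	Body      []byte
	Signature []byte
}

func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // signer's key pair

// Sign hashes the message and signs the hash with the private key (RSA-PSS);
// the signature is sent alongside the body, not in place of it.
func Sign(priv *rsa.PrivateKey, body []byte) (SignedMessage, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	return SignedMessage{Body: body, Signature: sig}, err
}

// Verify recomputes the hash of the received body and checks it against the
// signature with the public key; any change to body or signature fails here.
func Verify(pub *rsa.PublicKey, m SignedMessage) bool {
	digest := sha256.Sum256(m.Body)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], m.Signature, nil) == nil
}
```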

HTTPS Network access Security Promotion (Community Edition)

Besides the EFF, Google, and other organizations working to make HTTPS more secure, Pat Cloud has also been committed to improving the security of HTTPS.

Today, Pat Cloud HTTPS already supports a variety of features; interested readers can learn more from the articles below.

HTTP/2

Read HTTP/2 features in one article

TLS 1.3

Pat Cloud CDN officially supports the TLS 1.3 encryption protocol: one click to turn on a faster HTTPS experience

HSTS

From HTTP to HTTPS to HSTS

chacha20-poly1305

HTTPS mobile symmetric cipher suite optimization explained

TLS Record Size

HTTPS transmission optimization: dynamic TLS record size explained
