HTTP Basics (vii)
VII. Securing the Web with HTTPS
1. The disadvantages of HTTP

(1) Communication uses plaintext (it is not encrypted), so the content can be eavesdropped.
Because of how the TCP/IP protocol family works, the content carried on every communication line is exposed to eavesdropping. Even communication that has been encrypted is still observed in transit; in that respect it is no different from unencrypted communication. (The requests and responses of the HTTP protocol can be captured and decoded with a packet capture tool.)
Countermeasures: 1) Encrypt the communication. HTTP can be combined with SSL (Secure Socket Layer) or TLS (Transport Layer Security) to encrypt the content of the HTTP communication. HTTP used together with SSL is called HTTPS (HTTP Secure) or HTTP over SSL. 2) Encrypt the content. The content carried in the HTTP message can itself be encrypted; to do this effectively, both the client and the server must have encryption and decryption mechanisms.

(2) The identity of the communicating party is not verified, so spoofing is possible.
In HTTP protocol communication there is no step that confirms who the communicating party is, so anyone can initiate a request. Hidden risks: 1) It cannot be determined whether the Web server to which the request was sent is the server that was really intended; the Web server may have been spoofed. 2) It cannot be determined whether the client to which the response is returned is the client that was really intended to receive it; the client may have been spoofed. 3) It cannot be determined whether the other party in the communication has access rights. Some servers hold important information and only want to communicate with specific users who have been granted permission. 4) It cannot be determined where the request came from or who sent it. 5) Even a meaningless request is accepted as it is, so DoS attacks (denial of service attacks) carried out with massive numbers of requests cannot be prevented.
Countermeasure: check the other party's certificate. SSL can identify the communicating party: it not only provides encryption but also offers a means called a certificate for identifying the party. Certificates are issued by trusted third-party organizations to prove that the server and client actually exist. A client that holds a certificate can complete identification of the individual, and the certificate can also be used in the Web site's authentication step.

(3) Message integrity cannot be proved, so messages may have been tampered with.
Because the HTTP protocol cannot prove the integrity of messages, there is no way to know whether the content of a request or response has been tampered with between the moment it was sent and the moment the other party received it. (There is no way to confirm that the request or response that was sent is the same as the request or response that was received.) An attack in which an attacker intercepts a request or response in transit and tampers with its content is called a man-in-the-middle attack (MITM).
Measures: the commonly used methods are hash value checks such as MD5 and SHA-1, and digital signatures used to confirm a file. Web sites that provide file downloads also offer a digital signature created with PGP (Pretty Good Privacy) and a hash value generated with the MD5 algorithm. But if the PGP signature or the MD5 hash itself is rewritten, the user has no way to notice.
2. HTTP + encryption + authentication + integrity protection = HTTPS

When HTTPS is used, the URL begins with https://. HTTPS is HTTP wrapped in an SSL shell: with SSL, HTTP first communicates with SSL, and SSL then communicates with TCP. SSL is a protocol independent of HTTP, and many protocols running at the application layer can be used together with it; SSL is the most widely used network security technology in the world today.

(1) Public key cryptography for exchanging keys
SSL uses a cryptographic processing method called public key cryptography. Encryption and decryption both use a key; without the key the ciphertext cannot be decrypted. The method in which encryption and decryption use the same key is called shared key encryption, also known as symmetric key encryption. But with shared key encryption the key must be sent to the other party, and if the communication is being eavesdropped the key can fall into the attacker's hands, which defeats the purpose of encryption. The public key approach solves the difficulty of shared key encryption well. It uses a pair of asymmetric keys: one is the private key and the other is the public key. The public key encrypts and the private key decrypts, so the private key never has to be sent and cannot be stolen in transit. HTTPS uses a hybrid encryption mechanism that combines shared key encryption and public key encryption.

(2) Certificates that prove the correctness of a public key
Public key cryptography still has a problem: it cannot prove that the public key received is really the genuine public key of the intended party. This problem is solved by using a public key certificate issued by a digital certificate authority (CA) and its related organizations.
The business process of a digital certificate authority: 1) The server operator submits an application for its public key to the certificate authority. 2) The certificate authority confirms the identity of the applicant. 3) The certificate authority applies a digital signature to the public key being applied for, and places the public key in a public key certificate. One function of the certificate is to prove that the server is the intended communicating party; another is to confirm whether the enterprise behind the server really exists. A certificate with this second feature is the EV SSL certificate.

(3) The HTTPS secure communication mechanism
HTTPS communication steps:
1) The client starts the SSL communication by sending a Client Hello message. The message contains the SSL version the client supports and a list of cipher suites (the encryption algorithms to use and the key lengths).
2) When the server is capable of SSL communication, it responds with a Server Hello message. As with the client, the message contains the SSL version and the cipher suite. The server's cipher suite is chosen from among the ones offered in the client's list.
3) The server then sends a Certificate message. The message contains the public key certificate.
4) Finally the server sends a Server Hello Done message to notify the client that the initial phase of the SSL handshake negotiation has ended.
5) After the first SSL handshake ends, the client responds with a Client Key Exchange message. The message contains a random string called the Pre-master secret, which is used in encrypting the communication. The message has been encrypted with the public key from step 3.
6) The client then sends a Change Cipher Spec message. The message tells the server that communication after this message will be encrypted using the Pre-master secret key.
7) The client sends a Finished message. The message contains an overall check value of all the messages exchanged so far. Whether the handshake negotiation has succeeded is judged by whether the server can decrypt this message correctly.
8) The server also sends a Change Cipher Spec message.
9) The server also sends a Finished message.
10) After the server and client have exchanged Finished messages, the SSL connection is established, and from here on communication is of course protected by SSL. Application layer protocol communication begins here, with the sending of an HTTP request.
11) Application layer protocol communication continues, that is, the HTTP response is sent.
12) Finally the client disconnects. When disconnecting, it sends a close_notify message. After this step a TCP FIN message is sent to close the TCP communication.
When the application layer sends data, a message digest called a MAC (Message Authentication Code) is appended to it. The MAC allows tampering with the message to be detected, which protects the integrity of the message.

However, using SSL slows processing down. One cause is slower communication; the other is slower processing due to heavy consumption of CPU, memory and other resources. That is why not all Web sites use HTTPS all the time: a site with a large number of visitors would bear a heavy load from the encryption processing. In addition, the certificate used by HTTPS must be purchased from a certificate authority, which is another factor a Web site has to consider.
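The following is an added simulation, not code from the original article, of the handshake steps above and of the MAC check on application data (the integrity point from section 1(3)). Cipher suite names, message labels and the key derivation are constructed for the simulation, and the public key encryption of the Pre-master secret in step 5 is not reproduced; the example shows why the Finished check value covers every earlier handshake message and why a keyed MAC, unlike a plain hash, lets the receiver notice tampering.

```python
import hashlib
import hmac
import os

# Constructed cipher suite labels for the simulation; not real suite identifiers.
CLIENT_SUITES = ["AES256-SHA256", "AES128-SHA", "RC4-MD5"]
SERVER_SUITES = ["AES128-SHA", "AES256-SHA256"]
TAG_LEN = 32  # SHA-256 MAC length in bytes


def negotiate(client_suites, server_suites):
    """Server Hello (step 2): pick a suite from the client's list that the server supports."""
    for suite in client_suites:
        if suite in server_suites:
            return suite
    raise ValueError("no common cipher suite")


def session_key(pre_master, client_random, server_random):
    """Both sides derive the same shared key from the Pre-master secret and the two randoms."""
    return hashlib.sha256(pre_master + client_random + server_random).digest()


def finished(key, transcript):
    """Finished (step 7/9): keyed check value over every handshake message seen so far."""
    digest = hashlib.sha256(b"".join(transcript)).digest()
    return hmac.new(key, digest, hashlib.sha256).digest()


def protect(key, data):
    """Application-layer record = data + MAC, as appended before sending (step 10/11)."""
    return data + hmac.new(key, data, hashlib.sha256).digest()


def verify(key, record):
    """Return the data if the MAC is valid, or None if the record was altered in transit."""
    data, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return data if hmac.compare_digest(tag, expected) else None


def handshake(client_hello_altered=False):
    """Simulate steps 1-9; return (negotiated suite, shared key, server accepts Finished)."""
    client_random, server_random = os.urandom(32), os.urandom(32)
    pre_master = os.urandom(48)  # step 5; its public-key encryption is not simulated
    suite = negotiate(CLIENT_SUITES, SERVER_SUITES)
    client_hello = b"ClientHello:" + ",".join(CLIENT_SUITES).encode() + client_random
    rest = [b"ServerHello:" + suite.encode() + server_random,
            b"Certificate:<server public key certificate>",
            b"ClientKeyExchange:" + pre_master]
    key = session_key(pre_master, client_random, server_random)
    # If the Client Hello was changed on the wire, the server's transcript differs
    # from the client's, so the Finished check value no longer matches.
    seen = client_hello[:-1] + bytes([client_hello[-1] ^ 1]) if client_hello_altered else client_hello
    client_fin = finished(key, [client_hello] + rest)
    server_ok = hmac.compare_digest(client_fin, finished(key, [seen] + rest))
    return suite, key, server_ok
```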