HTTP VS HTTPS

Source: Internet
Author: User
Tags: dns spoofing

By default, HTTP runs on TCP port 80, and a website that users reach through an address beginning with http:// is using the standard HTTP service. HTTP carries its information in plaintext, so anyone with a packet capture tool can read the content. If that information contains your bank card number or password, you certainly cannot accept such a service. Is there a service that can encrypt this sensitive information? That is HTTPS!

By default, HTTPS runs on TCP port 443, and its workflow is generally as follows:

1) Complete the TCP three-way handshake
2) The client verifies the server's digital certificate; if verification passes, go to step 3
3) The DH algorithm is used to negotiate the key for the symmetric encryption algorithm and the key for the hash algorithm
4) SSL secure encrypted tunnel negotiation is complete
5) The web page is transmitted in encrypted form, using the negotiated symmetric encryption algorithm and key to ensure data confidentiality; the negotiated hash algorithm protects data integrity to ensure the data is not tampered with
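
Step 2 of the workflow above is where a client decides whether to continue. The following Python code is an added example, not code from the original article: it audits a client TLS context for the two checks that step depends on and, given network access, traces steps 1 to 4 against a live server. The function names are hypothetical; the `ssl` calls are from the Python standard library.

```python
import socket
import ssl

def strict_context() -> ssl.SSLContext:
    # Library defaults enforce step 2: chain validation plus hostname match.
    return ssl.create_default_context()

def lax_context() -> ssl.SSLContext:
    # The weak setting, built only so the audit below has something to flag.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list:
    """Return findings for a client context that would skip step 2."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname")
    return findings

def trace_handshake(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Run steps 1-4 against a live server (needs network access)."""
    ctx = strict_context()
    with socket.create_connection((host, port), timeout=timeout) as tcp:  # step 1
        try:
            tls = ctx.wrap_socket(tcp, server_hostname=host)  # steps 2-4
        except ssl.SSLCertVerificationError as exc:
            # Step 2 failed: stop here, nothing sensitive has been sent.
            return {"verified": False, "reason": exc.verify_message}
        with tls:
            cipher, protocol, bits = tls.cipher()
            return {
                "verified": True,
                "protocol": protocol,
                "cipher": cipher,
                "key_bits": bits,
                "not_after": tls.getpeercert()["notAfter"],
            }

if __name__ == "__main__":
    print("strict:", audit_context(strict_context()))
    print("lax:   ", audit_context(lax_context()))
```
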

If the HTTPS site is an online banking service, the user is asked to enter account information only after the SSL secure tunnel above has been successfully established. The account information is then transmitted inside the secure tunnel, so it will not leak!

Author: Wang Kaishen
Link: https://www.zhihu.com/question/19577317/answer/103499193
Source: Zhihu
Copyright belongs to the author. For commercial reprints, please contact the author for authorization; for non-commercial reprints, please credit the source.

What is HTTPS?
HTTPS, full name Hyper Text Transfer Protocol Secure, is HTTP with an extra "Secure". Where does this "Secure" come from? It is provided by TLS (SSL). What is that? I guess you don't want to know. It's probably a library called OpenSSL. Both HTTPS and HTTP belong to the application layer and are based on TCP (and UDP), but they are completely different. HTTPS uses TCP port 443. (It is worth mentioning that Google invented a new protocol called QUIC, which is not based on TCP, also uses port 443, and is also used for HTTPS. Google is so cool.) In general, HTTPS is similar to HTTP, but more secure than HTTP.
How is HTTPS doing?
Generally speaking, network security is concerned with three things, known as CIA: confidentiality, integrity, availability. How does HTTPS do on these three? HTTPS guarantees confidentiality (the content of the page you are viewing will look like a garbled mess to anyone who sees it halfway; it won't happen that, for example, someone on the same wireless network as you captures a packet you sent, opens it, and sees your password or card information) and integrity (the page you browse is the page you wanted to browse, not one changed by a hacker in the middle; the packet the website receives is the one you originally sent, and nobody has changed your data to make big news). The last one, availability, is barely provided (although I personally think it makes basic DoS and similar attacks somewhat harder, that is trivial). But HTTPS also provides another A, authentication (you are connected to the website you meant to connect to, not to someone in the middle forging a website for you, professionally called a man-in-the-middle attack). What does HTTPS specifically protect? In short, from the moment you connect to the site until you close the page, all the information you send to and receive from the site is protected, and even part of the URL. The DNS query step is also protected, so it won't happen that you type www.google.com and actually end up on another website. (This also belongs to authentication. I am not very sure; I got it wrong at first. It should be said that HTTPS protects against DNS spoofing, DNS cache poisoning and other DNS attacks.) So what is not protected? Who you are and which websites you visit (this is anonymity; who hasn't wanted to visit a bad website without it being known?). You can use a VPN or Tor, and of course you may have to pay a price in money or slow speed.
How does HTTPS do that?
This is complicated. Interested readers can take a look at "The First Few Milliseconds of an HTTPS Connection". Let me briefly introduce some of the tools involved. For example, how do you make sure a site is a good site? A good site has a "good website certificate", that is, a certificate issued by a CA (certificate authority). The site first goes to a CA to get a certificate, and then on each connection it sends the certificate to the client to prove its innocence. Perhaps you would ask: what if a bad website makes a fake certificate of its own? This involves RSA public key and private key encryption. However, Google's HTTPS certificate is issued by their own company's CA, which feels strange. In short, you can basically believe that this is a good site (historically, there have been incidents such as CAs being compromised). This is authentication (it should also be a step in securing DNS). Of course, you will also need to prove your identity to the website, and then the two of you have to decide how to encrypt. There are many ways to encrypt, such as the various kinds of AES. The client tells the website which encryption methods its browser supports, and then the site chooses one of them, so the data between you is encrypted. You ask me how it chooses? I'm telling you it's random. You ask me whether it is pseudo-random? I do not know; would pseudo-random have a "qd" feeling? In short, this is confidentiality. How do you keep your data from being modified? This is where the hash comes in. A hash algorithm can shorten long data, and in general, different long data turns into different short data. Even if the long data changes only a little, the short data will be very different (the professional term is the avalanche effect). When the data is transferred, the short data is sent along with it, and the other party can tell whether the whole packet has been modified. Of course, this requires both parties to know in advance some secret that is not transmitted. Commonly used hashes include MD5 and SHA256; MD5 is relatively unsafe, as length extension attacks and collisions are easy. In short, this way you can know that the data was not modified along the way. This is integrity.
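
The integrity mechanism described above, together with step 3 of the workflow near the top of the page, as an added Python example that is not part of the original article: two parties agree on a secret with Diffie-Hellman, derive a MAC key from it, and use HMAC-SHA256 to detect a modified record, while a bare digest does not. The modulus, the key derivation, the function names and the sample messages are assumptions made for the demo; real TLS uses standardized groups or elliptic curves and its own key schedule.

```python
import hashlib
import hmac
import secrets

# Toy DH parameters (assumption for this demo): 2**255 - 19 is a known prime,
# but real TLS uses standardized groups or elliptic curves.
P, G = 2**255 - 19, 2
TAG_LEN = 32  # SHA-256 output size in bytes

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2      # private exponent in [2, P-2]
    return priv, pow(G, priv, P)             # only the public value is sent

def derive_mac_key(own_priv, peer_pub):
    shared = pow(peer_pub, own_priv, P)      # same value on both sides
    # Simplified stand-in for the TLS key schedule.
    return hashlib.sha256(b"mac key" + shared.to_bytes(32, "big")).digest()

def avalanche_bits(a, b):
    # Number of differing bits between SHA-256(a) and SHA-256(b).
    da, db = hashlib.sha256(a).digest(), hashlib.sha256(b).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))

def make_tag(payload, key=None):
    # key=None models the weak variant: a bare digest anyone can recompute.
    if key is None:
        return hashlib.sha256(payload).digest()
    return hmac.new(key, payload, hashlib.sha256).digest()

def verify(record, key=None):
    payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    return payload if hmac.compare_digest(tag, make_tag(payload, key)) else None

def demo():
    sent, altered = b"pay 10 to alice", b"pay 90 to alice"  # constructed, 1 bit apart
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    c_key, s_key = derive_mac_key(c_priv, s_pub), derive_mac_key(s_priv, c_pub)
    record = sent + make_tag(sent, c_key)
    return {
        "keys_match": c_key == s_key,
        "genuine": verify(record, s_key),
        "altered_keyed": verify(altered + record[-TAG_LEN:], s_key),
        "altered_unkeyed": verify(altered + make_tag(altered)),
        "avalanche_bits": avalanche_bits(sent, altered),
    }

if __name__ == "__main__":
    print(demo())
```

In the result, `altered_keyed` is `None` because the receiver's HMAC check fails, while `altered_unkeyed` returns the changed payload: a digest without a shared secret proves nothing about who produced it.
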
Is HTTPS safe enough?
So is HTTPS safe enough in the end? There is no absolute security in the world. First, as I mentioned, HTTPS itself does not guarantee availability, and others can know that you are on this site. At the same time, even what HTTPS itself sets out to protect is not so reliable. For example, the famous Heartbleed swept the world in 2014. Data show that of the top 100 sites (I do not know how they were ranked), 44 were threatened by Heartbleed, including sites such as Yahoo and Stack Overflow. Of course, I think hackers would not hack Stack Overflow; after taking it down, they would not know what to do when their own programs hit bugs. To this day, some sites have not fixed this bug, and some sites that have fixed it did not replace their private keys in time, among other reasons, so they think they are safe when in fact it is the same as not having fixed it. Of course, there are various other security risks. For example, the RSA encryption mentioned above can in some cases be cracked with Wiener's attack. Others, such as compromising a CA, or directly breaking into the user's computer (for example, using SSH to open a remote root shell), are very likely.
