Securing Web-Safe HTTPS

Source: Internet
Author: User

HTTP has the following major security issues:

1. Communication is in plaintext (not encrypted), so the content may be eavesdropped on (TCP/IP is a network that may be tapped);

2. The identity of the communicating party is not verified, so impersonation is possible (it cannot be determined whether the request or response is correct, whether the party has permissions, or whether the request makes sense);

3. The integrity of the message cannot be proven, so the content may have been tampered with.

Solutions:

1. Encrypt to prevent eavesdropping: communicate over HTTPS, that is, HTTP combined with SSL (Secure Sockets Layer) or TLS (Transport Layer Security).

Encrypting only the content is also possible (both the client and the server must have encryption and decryption mechanisms), but the content is still at risk of being tampered with.

2. Verify the identity of the communicating party: check the other party's certificate. SSL provides the certificate mechanism.

3. Use SSL integrity protection to prevent tampering: relying only on hash checksums such as MD5 and SHA-1 is not completely secure.

HTTPS = HTTP + encryption + authentication + integrity protection

HTTPS is not a new application-layer protocol; only the communication interface part of HTTP is replaced with the SSL protocol.

Usually HTTP communicates directly with TCP. When SSL is used, HTTP communicates with SSL, and SSL communicates with TCP (HTTP, then SSL, then TCP).

With SSL, HTTP gains the encryption, certificate, and integrity protection features of HTTPS.

HTTPS uses both the SSL and TLS protocols.

How HTTPS works:

Encryption: HTTPS uses a hybrid encryption mechanism that combines public-key encryption and shared-key encryption.

Authentication: HTTPS uses a client authentication certificate.

Integrity: When the application layer sends data over HTTPS, a message digest called a MAC (Message Authentication Code) is appended. It can be used to check whether the message has been tampered with, thus protecting the integrity of the message.
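The difference between a bare hash checksum (point 3 of the solutions above) and the MAC described here, as an added example that is not part of the original article. HMAC-SHA256, the random key standing in for the shared session key, and the sample messages are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def checksum(message: bytes) -> bytes:
    """Unkeyed SHA-1 checksum: anyone who can see the message can compute it."""
    return hashlib.sha1(message).digest()


def mac(key: bytes, message: bytes) -> bytes:
    """Keyed MAC (HMAC-SHA256, an assumed choice): computing it requires the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def receiver_accepts_checksum(message: bytes, received: bytes) -> bool:
    return hmac.compare_digest(checksum(message), received)


def receiver_accepts_mac(key: bytes, message: bytes, received: bytes) -> bool:
    # compare_digest performs a constant-time comparison of the two tags
    return hmac.compare_digest(mac(key, message), received)


def run_demo() -> dict:
    key = os.urandom(32)              # stands in for the shared session key
    sent = b"amount=100&to=alice"     # constructed sample message
    altered = b"amount=900&to=alice"  # the same message after modification in transit
    return {
        # The checksum can be recomputed over the altered bytes, so the check passes.
        "checksum_accepts_altered": receiver_accepts_checksum(altered, checksum(altered)),
        # The untouched message verifies against its own tag.
        "mac_accepts_sent": receiver_accepts_mac(key, sent, mac(key, sent)),
        # The original tag no longer matches the altered bytes.
        "mac_accepts_altered_old_tag": receiver_accepts_mac(key, altered, mac(key, sent)),
        # A tag recomputed without the real key (a different key here) does not verify.
        "mac_accepts_altered_wrong_key": receiver_accepts_mac(
            key, altered, mac(os.urandom(32), altered)
        ),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```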

Why not always use HTTPS?

1. Encrypted communication consumes more CPU and memory resources;

2. Certificates must be purchased, which adds cost.

Therefore, choose HTTP or HTTPS flexibly according to the needs of the site.
