The Hypertext Transfer Protocol HTTP protocol is used to pass information between a Web browser and a Web server, the HTTP protocol sends content in plaintext, does not provide data encryption in any way, and if an attacker intercepts a transmission message between a Web browser and a Web server, it can read the information directly, so HTTP protocol is not suitable for transmitting some sensitive information, such as credit card number, password and other payment information.
In order to solve this flaw of the HTTP protocol, we need to use another protocol: Secure Sockets Layer Hypertext Transfer Protocol HTTPS, in order to secure the data transmission, HTTPS on the basis of HTTP added SSL protocol, SSL relies on certificates to verify the identity of the server, and encrypt the communication between the browser and the server.
I. Basic concepts of HTTP and HTTPS
HTTP: Is the most widely used Internet protocol, is a client and server-side request and response Standard (TCP), used to transfer from the WWW server hypertext to the local browser of the transport protocol, it can make the browser more efficient, so that network transmission reduced.
HTTPS: is a security-targeted HTTP channel, simply speaking is the security version of HTTP, that is, HTTP under the SSL layer, HTTPS security base is SSL, so the details of encryption requires SSL.
The main role of HTTPS protocol can be divided into two kinds: one is to establish an information security channel to ensure the security of data transmission, the other is to confirm the authenticity of the website.
Second, what is the difference between HTTP and HTTPS?
The data transmitted by the HTTP protocol is unencrypted, which is plaintext, so it is very unsafe to transmit private information using the HTTP protocol, so that the privacy data can be encrypted for transmission, so Netscape Designs SSL (Secure Sockets Layer) protocol is used to encrypt the data transmitted by the HTTP protocol, resulting in the creation of HTTPS. In simple terms, the HTTPS protocol is a network protocol built by the SSL+HTTP protocol for encrypted transmission and authentication, which is more secure than the HTTP protocol.
The main differences between HTTPS and HTTP are as follows:
1, the HTTPS protocol requires a certificate to the CA, generally less free certificate, and therefore a certain cost.
2, HTTP is a Hypertext Transfer Protocol, the information is plaintext transmission, HTTPS is a secure SSL encryption Transfer protocol.
3, HTTP and HTTPS use a completely different way of connection, with the same port, the former is 80, the latter is 443.
4, the HTTP connection is very simple, is stateless; The HTTPS protocol is a network protocol built by the SSL+HTTP protocol for encrypted transmission and authentication, which is more secure than the HTTP protocol.
Third, the working principle of HTTPS
We all know that HTTPS is capable of encrypting information so that sensitive information is not available to third parties, so many security-level services, such as bank websites or e-mail addresses, will use the HTTPS protocol.
The client has several steps to communicate with the Web server using HTTPS.
(1) The client uses HTTPS URL to access the Web server and requires an SSL connection with the Web server.
(2) When a Web server receives a client request, it sends a copy of the Web site's certificate information (the certificate contains the public key) to the client.
(3) The client's browser and the Web server begin to negotiate the security level of the SSL connection, which is the level of information encryption.
(4) The client's browser establishes the session key according to the security level agreed by both parties, then encrypts the session key using the public key of the website and transmits it to the website.
(5) The Web server decrypts the session key using its own private key.
(6) The Web server uses the session key to encrypt communication with the client.
Iv. Advantages of HTTPS
Although HTTPS is not completely secure, the organization that holds the root certificate and the organizations that master the cryptographic algorithms can also attack in the form of an intermediary, but HTTPS is still the safest solution under the current architecture, with the following benefits:
(1) Use the HTTPS protocol to authenticate users and servers to ensure that data is sent to the correct client and server;
(2) The HTTPS protocol is a network protocol constructed by the SSL+HTTP protocol which can encrypt transmission and authentication, which is more secure than the HTTP protocol, which prevents the data from being stolen, changed and ensured the integrity of the data in the transmission process.
(3) HTTPS is the safest solution under the current architecture, although not completely secure, but it dramatically increases the cost of a man-in-the-middle attack.
(4) Google adjusted the search engine algorithm in August 2014, saying that "sites with HTTPS encryption will be ranked higher in search results than equivalent HTTP sites."
V. Disadvantages of HTTPS
Although it is said that HTTPS has a great advantage, but its relative, there are shortcomings:
(1) The HTTPS protocol handshake phase is time-consuming, will increase the page load times by nearly 50%, increasing the power consumption of 10% to 20%;
(2) HTTPS connection cache is less efficient than HTTP, increasing data overhead and power consumption, and even existing security measures will be affected;
(3) SSL certificate requires money, the more powerful the higher the cost of the certificate, personal website, small site is not necessary generally not used.
(4) SSL certificates usually need to bind IP, not the same IP binding multiple domain names, IPV4 resources can not support this consumption.
(5) HTTPS protocol encryption range is also relatively limited, in the hacker attacks, denial of service attacks, server hijacking and other aspects of almost no role. The most critical, SSL certificate of the credit chain system is not secure, especially if some countries can control the CA root certificate in the case of a man-in-the-middle attack as feasible.
Six, HTTP switch to HTTPS
What if you need to switch your Web site from http to https?
All links in the page, such as js,css, images, and so on, need to be changed from HTTP to HTTPS. For example: http://www.baidu.com change to Https://www.baidu.com
BTW, although HTTP is switched to HTTPS, it is recommended to keep HTTP. So we can do the HTTP and HTTPS compatibility when switching, the implementation is to remove the HTTP header in the page link, which can automatically match the HTTP headers and HTTPS headers. For example: Change http://www.baidu.com to//www.baidu.com. Then when the user enters the access page from the HTTP entry, the page is HTTP, and if the user is accessing the page from the HTTPS portal, the page is even https.
The difference between HTTP and HTTPS