HTTPS (Secure Hypertext Transfer Protocol) is a secure communication channel developed on the basis of HTTP and used to exchange information between client computers and servers. It uses Secure Sockets Layer (SSL) for the information exchange; put simply, it is a secure version of HTTP. It was developed by Netscape and built into its browser to compress and decompress data and return the results sent back over the network. HTTPS actually applies Netscape's Secure Sockets Layer (SSL) as a sub-layer of the HTTP application layer. (HTTPS uses port 443 to communicate with TCP/IP, instead of port 80 as HTTP does.) SSL uses a 40-bit key for the RC4 stream encryption algorithm, which is appropriate for the encryption of business information. HTTPS and SSL support the use of digital certificates for authentication, so that, if necessary, the user can confirm who the sender is.
The difference between HTTPS and HTTP:
The HTTPS protocol requires applying to a CA for a certificate. Free certificates are rare, so a fee is generally required.
HTTP is the Hypertext Transfer Protocol and transmits information in clear text; HTTPS is a secure transport protocol encrypted with SSL.
HTTP and HTTPS use completely different connection modes and different ports: the former uses 80, the latter 443.
An HTTP connection is simple and stateless. HTTPS is a network protocol built from SSL + HTTP that supports encrypted transmission and identity authentication, and it is more secure than HTTP.
Problems that HTTPS solves:
1. The problem of trusting the host. A server that uses HTTPS must apply to a CA for a certificate that certifies the server's intended use. The client trusts the host only when the certificate is used for the corresponding server. For this reason, the key parts of all banking websites currently use HTTPS. The client trusts the host by trusting the certificate. In fact, this is inefficient, but banks are more focused on security. The LAN does not require an HTTPS certificate.
2. Disclosure and tampering of data in the course of communication
In HTTPS in the usual sense, the server has a certificate.
a) The main purpose is to ensure that the server is the server it claims to be. This is the same as point 1.
b) All communication between the server and the client is encrypted.
i. Specifically, the client generates a symmetric key, which is exchanged by means of the server's certificate. This is the handshake process in the usual sense.
ii. All information exchanged after that is encrypted. Even if a third party intercepts it, it is meaningless to them because they do not have the key. For the same reason, there is no point in tampering with it.
In the few cases that place requirements on the client, the client must also have a certificate.
a) The client certificate here is in effect similar to personal information: in addition to the user name/password, there is a CA-authenticated identity. It should generally be a personal certificate that others cannot imitate, so it can further confirm the user's identity.
b) Currently a small number of professional-edition personal banking services follow this practice; the certificate itself may be carried on a USB flash drive. The Bank of Communications online banking that I used takes this approach.
HTTPS is necessarily cumbersome.
a) Plain HTTP is simple: one GET, one response. Because HTTPS must additionally encrypt the key and confirm the encryption algorithm, a single handshake requires 6/7 round trips.
i. In any application, excessive round trips will definitely affect performance.
b) After that, in the HTTP exchange itself, every request or response requires the client and the server to encrypt/decrypt the contents of the session.
i. Although symmetric encryption/decryption is efficient, it still consumes a lot of CPU, which is why dedicated SSL chips exist. If CPU performance is low, overall performance will certainly degrade, and the server will not be able to serve as many requests.
The HTTPS protocol uses SSL to encrypt the original data at the sender and decrypt it at the receiver. Encryption and decryption require the sender and the receiver to exchange a key known to both, so the transmitted data is not easily intercepted and decrypted by network attackers. However, the encryption and decryption process imposes a large overhead on the system and severely reduces the performance of the machine; the relevant test data indicates that the efficiency of data transfer using the HTTPS protocol is only one-tenth of that of the HTTP protocol. If, for security purposes, all Web applications of a Web site are set to encrypt and transmit using the HTTPS protocol, the performance and efficiency of the site will be greatly reduced. It is also unnecessary, because generally not all data requires the highest level of confidentiality. We therefore only need to use the HTTPS protocol for interactions that involve confidential data, which gives us the best of both worlds. In short, where HTTPS is not needed, try not to use it.
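
The handshake and encrypted session described above (the client generates a symmetric key, sends it protected by the server's public key, and both sides then encrypt every message) can be modelled in a few lines. This is an added teaching example, not code from the original page and not real SSL/TLS: the textbook RSA key pair, the SHA-256 keystream and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy server key pair: textbook RSA, no padding (constructed for illustration).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537       # two Mersenne primes
N = P * Q                                    # public modulus, carried in the certificate
D = pow(E, -1, (P - 1) * (Q - 1))            # private exponent, never leaves the server

def client_wrap_key(pub_n, pub_e):
    """Client: pick a random symmetric key and wrap it with the server's public key."""
    key = secrets.token_bytes(16)
    return key, pow(int.from_bytes(key, "big"), pub_e, pub_n)

def server_unwrap_key(wrapped):
    """Server: recover the symmetric key using the private exponent."""
    return pow(wrapped, D, N).to_bytes(16, "big")

def _keystream(key, nonce, length):
    """SHA-256 in counter mode as a stand-in stream cipher (toy, not RC4 or AES)."""
    blocks = (hashlib.sha256(b"enc" + key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    """Encrypt, then append an HMAC tag so any modification is detectable.
    Real protocols derive separate encryption and MAC keys; one key is used here."""
    nonce = secrets.token_bytes(12)
    ct = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_record(key, record):
    """Verify the tag first; decrypt only if the record is authentic."""
    nonce, ct, tag = record[:12], record[12:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("record rejected: wrong key or modified in transit")
    return _xor(ct, _keystream(key, nonce, len(ct)))

def demo():
    client_key, wrapped = client_wrap_key(N, E)     # handshake, client side
    server_key = server_unwrap_key(wrapped)         # handshake, server side
    record = seal(client_key, b"GET /account HTTP/1.1")
    return server_key == client_key, open_record(server_key, record)

if __name__ == "__main__":
    print(demo())
```

A third party who captures `wrapped` and `record` holds neither `D` nor the symmetric key, so `open_record` rejects both a guessed key and a record with even one flipped bit.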