Understanding of HTTP, HTTPS, sockets, and the relationship of the three

Source: Internet
Author: User
Tags ack decrypt rfc asymmetric encryption

First, the HTTP protocol detailed

HTTP is an object-oriented protocol belonging to the application layer, which is suitable for distributed hypermedia information System because of its simple and fast way. Currently used in the WWW is the sixth edition of Http/1.0, http/1.1 standardization work is in progress.

HTTP (Hypertext Transfer Protocol) is a request-and-response mode-based, stateless, application-level protocol, often based on TCP connection, HTTP1.1 version of a continuous connection mechanism, the vast majority of web development, is built on the HTTP protocol on the Web application.

The main features of the HTTP protocol can be summarized as follows:

1. Support client/server mode.

2. Simple and fast: When a customer requests a service from the server, it simply transmits the request method and path. The request method commonly has, POST. Each method specifies a different type of contact between the customer and the server. Because the HTTP protocol is simple, the HTTP server's program size is small, so the communication speed is fast.

3. Flexible: HTTP allows the transfer of any type of data object. The type being transmitted is marked by Content-type.

4. No connection: The meaning of no connection is to limit the processing of only one request per connection. When the server finishes processing the customer's request and receives the customer's answer, the connection is disconnected. In this way, the transmission time can be saved.

5. Stateless: The HTTP protocol is a stateless protocol. Stateless means that the protocol has no memory capacity for transactional processing. A lack of state means that if the previous information is required for subsequent processing, it must be re-routed, which may cause the amount of data to be transferred per connection to increase. On the other hand, it responds faster when the server does not need the previous information.

Second, HTTP three-time handshake

TCP (transmission Control Protocol, transmission Protocol) is a connection-based protocol, which means that a reliable connection must be established with each other before the data is formally sent and received. A TCP connection has to go through three "conversations" to build it up, Let's take a look at the simple process of these three conversations: 1. Host A sends a connection request packet to Host B, 2. Host B transmits a consent connection to host A and requires synchronization (synchronization is two hosts one in the sending, one in the receiving, coordination work) packet; 3. Host A then sends a packet to confirm that Host B requires synchronization: " I'll send it now, and you go ahead! ", this is the third dialogue. Three times the purpose of the "conversation" is to synchronize the sending and receiving of packets, and after three "conversations", host a formally sends the data to Host B.

First handshake: The client sends a SYN packet (SYN=J) to the server and enters the Syn_send state, waiting for the server to confirm;

Second handshake: The server receives the SYN packet, it must confirm the customer's SYN (ACK=J+1), and also send itself a SYN packet (syn=k), that is, the Syn+ack packet, when the server enters the SYN_RECV state;

Third handshake: The client receives the server's Syn+ack packet, sends the acknowledgment packet ack (ACK=K+1) to the server, the packet is sent, the client and the server enter the established state, and the handshake is completed three times.

HTTPS

First, what is HTTPS
Before talking about HTTPS, say what is Http,http is a protocol that we use when browsing the web. The data transmitted by the HTTP protocol is unencrypted, which is plaintext, so it is very insecure to use the HTTP protocol to transmit private information. To ensure that these private data can be encrypted, Netscape designed the SSL (Secure Sockets Layer) protocol to encrypt the data transmitted by the HTTP protocol, which led to the birth of HTTPS. The current version of SSL is 3.0, defined by the IETF (Internet Engineering Task Force) in RFC 6101, and then the IETF is upgraded to SSL 3.0, so TLS (Transport Layer Security) 1.0, defined in RFC 2246. In fact, we now have HTTPS is the TLS protocol, but because SSL appears earlier, and is still supported by the browser now, so SSL is still synonymous with HTTPS, but whether it is TLS or SSL is the last century thing, The last version of SSL is 3.0, and TLS will inherit the good lineage of SSL and continue to encrypt the service for us. The current version of TLS is 1.2, defined in RFC 5246, and is not widely used for the time being.
Friends who are interested in history can refer to Http://en.wikipedia.org/wiki/Transport_Layer_Security, which has a detailed description of Tls/ssl.


Second, is HTTPS safe?
The answer is yes, it's safe. Google has moved to aggressively promote the use of HTTPS, in the next few weeks, Google will be all the world's local domain name to enable HTTPS, users just log in before the search with Google account, all the search operations will be encrypted using the TLS protocol, see:/http thenextweb.com/google/2012/03/05/google-calls-for-a-more-secure-web-expands-ssl-encryption-to-local-domains/.


Third, the working principle of HTTPS
HTTPS requires a handshake between the client (browser) and the server (Web site) before transmitting the data, which establishes the password information for both parties to encrypt the transmitted data during the handshake. TLS/SSL protocol is not only a set of encrypted transmission protocols, but also an artist-designed artwork, TLS/SSL using asymmetric encryption, symmetric encryption and hash algorithm. A brief description of the handshake process is as follows:
1. The browser sends a set of encryption rules that it supports to the Web site.
2. The website selects a set of cryptographic algorithms and hash algorithms, and sends its own identity information back to the browser in the form of a certificate. The certificate contains information such as the website address, the encrypted public key, and the issuing authority of the certificate.
3. After obtaining the website certificate, the browser will do the following tasks:
A) Verify the legality of the certificate (the issuing authority is legal, the certificate contains the address of the website is consistent with the address being accessed, etc.), if the certificate is trusted, the browser bar will display a small lock, otherwise the certificate is not trusted to prompt.
b) If the certificate is trusted, or if the user accepts an untrusted certificate, the browser generates a random number of passwords and encrypts them with the public key provided in the certificate.
c) Use the agreed hash to calculate the handshake message, encrypt the message with the generated random number, and then send all previously generated information to the Web site.
4. After the Web site receives the data from the browser, do the following:
A) Use your own private key to decrypt the information to remove the password, use the password to decrypt the browser's handshake message, and verify that the hash is consistent with the browser.
b) Encrypt a handshake message with a password and send it to the browser.
5. The browser decrypts and calculates the hash of the handshake message, if it is consistent with the hash of the server, at which point the handshake process ends, and all the communication data will be encrypted by the random password generated by the previous browser and using the symmetric encryption algorithm.
Here the browser and the Web site to send encrypted handshake message and verify, the purpose is to ensure that both sides have obtained a consistent password, and can be normal encryption and decryption of data, for the subsequent transmission of real data to do a test. In addition, HTTPS generally uses the encryption and hashing algorithm as follows:
Asymmetric Encryption algorithm: RSA,DSA/DSS
Symmetric encryption algorithm: Aes,rc4,3des
Hash algorithm: md5,sha1,sha256
The asymmetric encryption algorithm is used to encrypt the generated password during the handshake, and the symmetric encryption algorithm is used to encrypt the data that is actually transmitted, while the hash algorithm is used to verify the integrity of the data. Because the password generated by the browser is the key to the entire data encryption, the asymmetric encryption algorithm is used to encrypt it at the time of transmission. Asymmetric encryption algorithms generate public and private keys, the public key can only be used to encrypt data, so can be transferred at will, and the Web site's private key is used to decrypt the data, so the site will be very careful to keep their private keys to prevent leakage.
If there are any errors during the TLS handshake, the encrypted connection will be disconnected, thereby preventing the transfer of private information. It is because HTTPS is very safe, attackers can not find the place to start, so more is the use of fake certificates to deceive clients, so as to obtain clear text information, but these methods can be identified, I will be in the subsequent article to tell. But 2010 years, security experts found a vulnerability in the TLS 1.0 protocol: http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/, In fact, this type of attack, known as Beast, has been discovered by security experts since 2002, but not publicly. The vulnerability has now been fixed by Microsoft and Google. See: http://support.microsoft.com/kb/2643584/en-ushttps://src.chromium.org/viewvc/chrome?view=rev&revision= 90643

Socket

First, the socket is the TCP/IP protocol encapsulation, the socket itself is not a protocol, but a calling interface (API), through the socket, to use the TCP/IP protocol.

Ii. steps to establish a network connection using a socket

Establishing a socket connection requires at least one pair of sockets, one running on the client, called Clientsocket, and the other running on the server side, called ServerSocket.

The connection between sockets is divided into three steps: Server listening, client request, connection acknowledgement.

1. Server monitoring: Server-side sockets do not locate specific client sockets, but are waiting for the status of the connection, real-time monitoring network status, waiting for the client connection request.

2. Client request: Refers to the client's socket to make a connection request, to connect to the target is the server-side socket. To do this, the client's socket must first describe the socket of the server it is connecting to, indicate the address and port number of the server-side socket, and then make a connection request to the server-side socket.

3. Connection confirmation: When a server-side socket hears or receives a connection request from a client socket, it responds to a client socket request, establishes a new thread, sends a description of the server-side socket to the client, and once the client confirms the description, the two sides formally establish the connection. While the server-side socket continues to be in the listening state, it continues to receive connection requests from other client sockets.

Third, socket connection and TCP connection

When you create a socket connection, you can specify the transport layer protocol used, which can support different transport layer protocols (TCP or UDP), which is a TCP connection when a connection is made using the TCP protocol.

Iv. socket connection and HTTP connection

Since the socket connection is usually a TCP connection, once the socket connection is established, the communication parties can start sending data content to each other until the two sides are disconnected. However, in real network applications, the client-to-server communication often needs to traverse multiple intermediary nodes, such as routers, gateways, firewalls, and so on, most firewalls will turn off long inactive connections and cause the Socket connection to be disconnected, so it needs to be polled to tell the network that the connection is active.

Understanding of HTTP, HTTPS, sockets, and the relationship of the three

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.