The HTTPS protocol, its workflow, and HTTP message structure

  This article explains the principles of HTTP and HTTPS. Their configuration and optimization are covered at https://www.cnblogs.com/zhjh256/p/6262620.html and https://www.cnblogs.com/zhjh256/p/7570772.html.

0. A first look at HTTP message structure and flow

  Many developers deal with HTTP every day but do not know what an HTTP message looks like or how it is structured, so a short introduction is in order. The data exchanged over HTTP is called an HTTP message: the requester (client) sends a request message and the responder (server) sends a response message. An HTTP message is itself a text string made up of several lines of data.
  (Figure: HTTP messages)

HTTP request structure:
  An HTTP request message consists of four parts: the request line, the request headers, a blank line, and the request body. It can also be divided into the header section (request line + request headers), the blank line, and the request body. Normally the first sections are mandatory and the request body is optional, and a blank line serves as the end marker that separates the headers from the body.

  (Figure: request message)

  Request line: request method (Method) + space + Uniform Resource Identifier (URI) + space + HTTP version + CR LF;

  Request header: field name + colon + value + CR LF;

  Blank line: carriage return (CR) + line feed (LF);

  Request body: user-defined content, such as the body of a POST;

  Request header example (Google Chrome, Network panel):

  (Figure: request message example)

HTTP response message structure:
  The only difference between the response structure and the request structure is that the first line of a response is a status line rather than a request line. The status line reports the outcome of the request by giving a status code.

  (Figure: response message)

  Status line: HTTP version + space + status code + space + status description + CR LF;

  Response header: field name + colon + value + CR LF;

  Blank line: carriage return (CR) + line feed (LF);

  Response body: user-defined content, such as the body of a response to a POST;

  Response header example (Google Chrome, Network panel):

  (Figure: response message example)
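  As an added example that is not part of the original article, the following Go program parses a raw HTTP/1.x message into exactly the parts described above (start line, header fields, blank line, body) and rejects messages that break that structure. The two sample messages are constructed for the example, not captured from any real site.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Message is the structure described above: start line, header fields, (blank line), body.
type Message struct {
	StartLine [3]string         // request: method, URI, version; response: version, status code, reason
	Headers   map[string]string // field name (lower-cased) -> value
	Body      string
}

// IsResponse reports whether the start line is a status line (it begins with the HTTP version).
func (m *Message) IsResponse() bool { return strings.HasPrefix(m.StartLine[0], "HTTP/") }

// ParseMessage splits a raw HTTP/1.x message at its CR LF boundaries: the start line, one
// "Name: value" line per header, the blank line that ends the header section, then the body.
func ParseMessage(raw string) (*Message, error) {
	headEnd := strings.Index(raw, "\r\n\r\n") // CR LF of the last header plus the blank line
	if headEnd < 0 {
		return nil, errors.New("no blank line terminating the header section")
	}
	lines := strings.Split(raw[:headEnd], "\r\n")
	parts := strings.SplitN(lines[0], " ", 3) // the three start-line fields are space-separated
	if len(parts) != 3 {
		return nil, errors.New("malformed start line: " + lines[0])
	}
	m := &Message{Headers: map[string]string{}, Body: raw[headEnd+4:]}
	copy(m.StartLine[:], parts)
	for _, h := range lines[1:] {
		nv := strings.SplitN(h, ":", 2) // field name + colon + value
		if len(nv) != 2 {
			return nil, errors.New("header line without a colon: " + h)
		}
		m.Headers[strings.ToLower(strings.TrimSpace(nv[0]))] = strings.TrimSpace(nv[1])
	}
	// A declared Content-Length must match the body that is actually present.
	if cl, ok := m.Headers["content-length"]; ok {
		if n, err := strconv.Atoi(cl); err != nil || n != len(m.Body) {
			return nil, errors.New("Content-Length does not match the body length")
		}
	}
	return m, nil
}

// Constructed sample messages (not captured from any real site).
const SampleRequest = "POST /login HTTP/1.1\r\nHost: www.example.com\r\n" +
	"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 17\r\n\r\nuser=alice&pw=xyz"
const SampleResponse = "HTTP/1.1 404 Not Found\r\nContent-Type: text/plain\r\nContent-Length: 9\r\n\r\nnot found"

func main() {
	for _, raw := range []string{SampleRequest, SampleResponse} {
		m, err := ParseMessage(raw)
		if err != nil { panic(err) }
		fmt.Printf("response=%v start=%q headers=%d body=%q\n", m.IsResponse(), m.StartLine, len(m.Headers), m.Body)
	}
}
```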

Response status codes:
  The status code is the server's answer to the client's request.

  • 1xx (Informational): request received, continuing to process
  • 2xx (Successful): the request was successfully received, understood, and accepted
  • 3xx (Redirection): further action is needed to complete the request
  • 4xx (Client Error): the request contains a syntax error or cannot be fulfilled
  • 5xx (Server Error): the server failed to fulfil an apparently valid request

  For the full list of status codes see https://en.wikipedia.org/wiki ...

  According to the book "Illustrated HTTP", the header fields of an HTTP request message can be further subdivided into general header fields, request header fields, and entity header fields; similarly, the header fields of an HTTP response message can be subdivided into general header fields, response header fields, and entity header fields.
  (Figure: header fields subdivided into three groups)

  The Chrome Network panel only singles out the general header fields; the remaining fields are simply grouped into request headers and response headers without further subdivision.

  Details of the HTTP header fields can be found at https://www.processon.com/view/link/58025201e4b0d6b27dd4c8af#map.

  See the HTTP diagram there.

I. What is HTTPS

  HTTPS is HTTP built on top of an SSL encryption layer: it encrypts the data and is the secure version of the HTTP protocol. It is now widely used on the World Wide Web for security-sensitive communication such as payments.

  HTTPS has two main roles:

(1) encrypting data and establishing a secure channel, so that data is protected while in transit;

(2) authenticating the website server, so that the client knows it is talking to the genuine site.

  We commonly use HTTPS on login pages and on the payment pages of shopping sites. With HTTPS the URL no longer starts with http:// but with https://. In addition, when a browser visits a site that uses HTTPS, a lock icon appears in the address bar. How HTTPS is indicated varies from browser to browser.

II. Why HTTPS is needed

  The HTTP protocol is exposed to security problems such as impersonation and identity theft. The HTTPS communication mechanism can effectively prevent these problems. Let us first look at what the problems of HTTP are:

  • Communication is in plaintext (not encrypted), so the content can be eavesdropped on

  HTTP itself has no encryption capability, so it cannot encrypt the communication as a whole (the request and response content exchanged using HTTP). In other words, HTTP messages are transmitted in plaintext (unencrypted).

  The plaintext nature of HTTP is a major cause of security problems such as data leakage, data tampering, traffic hijacking, and phishing. Because HTTP cannot encrypt data, all communication travels "naked" over the network, and the content of HTTP messages can be recovered with packet-sniffing equipment and tools.

  • The integrity of a message cannot be proven, so it may have been tampered with

  Integrity means the accuracy of information. If integrity cannot be proven, the accuracy of the information usually cannot be judged either. Because HTTP cannot prove the integrity of its messages, there is no way to know whether a request or response was altered in the time between being sent and being received.
  In other words, there is no way to confirm that the request or response that was sent and the request or response that was received are the same.

  • The identity of the communicating parties is not verified, so impersonation is likely

  HTTP requests and responses do not confirm who the other party is. Because HTTP has no step for confirming the communicating party, anyone can send a request, and as long as the server receives a request it returns a response no matter who sent it (assuming the web server is not configured to restrict access by IP address and port number).

  Because HTTP cannot verify the identity of the communicating parties, anyone can set up a fake server to deceive users ("phishing"), and the user has no way to notice.

 

  By contrast, HTTPS has the following advantages over HTTP (explained in detail below):

  • Data confidentiality: the content is symmetrically encrypted, and each connection generates a unique encryption key
  • Data integrity: the transmitted content is protected by an integrity check
  • Authentication: a third party cannot forge the identity of the server (or client)

III. How does HTTPS solve these HTTP problems?

  HTTPS is not a new application-layer protocol. It merely replaces the communication interface part of HTTP with the SSL and TLS protocols.

  Normally HTTP talks directly to TCP. When SSL is used, HTTP first talks to SSL, and SSL then talks to TCP. In short, HTTPS is simply HTTP wearing a shell of SSL.

  Once SSL is used, HTTP gains the HTTPS functions of encryption, certificates, and integrity protection. That is, HTTP plus encryption, authentication, and integrity protection equals HTTPS.

  The main functions of HTTPS depend essentially on the TLS/SSL protocol, and TLS/SSL in turn relies on three basic kinds of algorithm: hash functions, symmetric encryption, and asymmetric encryption. Asymmetric encryption is used for authentication and key negotiation, the negotiated symmetric key is used to encrypt the data, and a hash function is used to verify the integrity of the information.

1. Solving the problem that content may be eavesdropped on: encryption

(1) Symmetric encryption

  In this method the same key is used for both encryption and decryption. Without the key the ciphertext cannot be decrypted; conversely, anyone who holds the key can decrypt it.

  With symmetric encryption the key must be sent to the other party. How can it be transmitted safely? If the key is forwarded over the Internet and the communication is being monitored, the key falls into the attacker's hands and the encryption loses its meaning. The challenge, then, is to get the key to the receiver securely.

(2) Asymmetric encryption

  Public-key encryption uses an asymmetric key pair. One key is called the private key and the other the public key. As the names suggest, the private key must not be disclosed to anyone, while the public key can be freely published and obtained by anyone.

  With a public-key cryptosystem, the sender encrypts with the other party's public key; the receiver, after receiving the ciphertext, decrypts it with its own private key. This way the private key never has to be sent, so there is no need to worry about the key being eavesdropped on and stolen by an attacker.

  A characteristic of asymmetric encryption is that the server needs to maintain only one private key to carry out encrypted communication with many clients.

  This approach has the following disadvantages:

  • The public key is public, so for anything encrypted with the private key, an attacker can use the public key to decrypt intercepted data and obtain its contents;
  • The public key carries no information about the server, so an asymmetric algorithm alone cannot guarantee the legitimacy of the server's identity; there is a risk of a man-in-the-middle attack, in which the public key the server sends to the client is intercepted and replaced in transit;
  • Encrypting and decrypting data with asymmetric algorithms takes a certain amount of time, reducing the efficiency of data transmission;

(3) Symmetric + asymmetric encryption (the approach HTTPS uses)

  The advantage of a symmetric key is that encryption and decryption are relatively fast; the advantage of an asymmetric key pair is that the transmitted content cannot be cracked, because even if the data is intercepted it cannot be read without the corresponding private key. It is like getting hold of a safe without its key: the safe cannot be opened. So symmetric and asymmetric encryption are combined to make full use of their respective strengths: asymmetric encryption is used for the key exchange, and once the channel is established, symmetric encryption is used for exchanging messages.

  Specifically: one side encrypts the "symmetric key" with the other side's public key and sends the ciphertext; the other side decrypts it with its own private key and obtains the "symmetric key". This secures the key exchange, after which symmetric encryption is used for the communication. HTTPS therefore uses hybrid encryption, a combination of symmetric and asymmetric encryption.

2. Solving the problem that a message may have been tampered with: digital signatures

  Data passes through many intermediate nodes on its way across the network. Even if it cannot be decrypted, it might be tampered with, so how can its integrity be verified? By verifying a digital signature.

  A digital signature has two effects:

  • It confirms that the message was indeed signed and sent by the sender, because nobody else can forge the sender's signature.
  • It establishes the integrity of the message, proving whether or not the data has been tampered with.

  How a digital signature is generated:

  First a message digest of the text is produced with a hash function; the digest is then encrypted with the sender's private key to form the digital signature, which is sent to the recipient together with the original text. The recipient then verifies the digital signature.

  Digital signature verification process:

  

  Only the sender's public key can decrypt the encrypted digest. The recipient then runs the same hash function over the received original text to produce a digest and compares it with the decrypted one. If they match, the received information is complete and was not modified in transit; otherwise it was modified. In this way the digital signature verifies the integrity of the information.

  Suppose messages are exchanged between Kobe and James. James sends a message together with a digital signature to Kobe; after receiving it, Kobe verifies the digital signature and can confirm that the message was sent by James. Of course, this presupposes that Kobe knows James's public key. The key question is that the public key, like the message itself, cannot simply be sent to Kobe over an insecure network, so how can Kobe be sure the public key really is James's?

  At this point a Certificate Authority (CA) has to be introduced. There are not many CAs, and Kobe's client has the certificates of all trusted CAs built in. The CA signs James's public key (together with other information) to produce a digital certificate.
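  The sign-and-verify exchange between James and Kobe, as an added Go example that is not part of the original article. RSA PKCS#1 v1.5 over a SHA-256 digest is assumed as the concrete scheme (it is the one that matches the "encrypt the digest with the private key" description), and the message text is constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKeyPair creates the sender's key pair: the private half signs, the public half verifies.
func NewKeyPair() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	return k
}

// Sign is the generation step: hash the text to a digest, then apply the sender's private
// key to that digest (RSA PKCS#1 v1.5; assumed here as the concrete scheme).
func Sign(priv *rsa.PrivateKey, text []byte) ([]byte, error) {
	digest := sha256.Sum256(text)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify is the verification step: recompute the digest of the received text and check,
// with the sender's public key, that the signature was made over that same digest.
// false means the text was altered in transit or was not signed by this key.
func Verify(pub *rsa.PublicKey, text, sig []byte) bool {
	digest := sha256.Sum256(text)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	james := NewKeyPair()                        // James signs; Kobe verifies with James's public key
	msg := []byte("transfer 100 to account 42") // constructed sample message
	sig, err := Sign(james, msg)
	if err != nil { panic(err) }
	fmt.Println("genuine message verifies:", Verify(&james.PublicKey, msg, sig))
	tampered := []byte("transfer 900 to account 42") // one byte changed by an intermediate node
	fmt.Println("tampered message verifies:", Verify(&james.PublicKey, tampered, sig))
}
```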

3. Solving the problem that the communicating party's identity may be faked: digital certificates

  The certificate authority is a third party that both the client and the server can trust. Here is the business process of a certificate authority:
  

  • The server operator submits its public key, organization information, personal information (domain name), and other information to the third-party CA and applies for certification;
  • The CA verifies the authenticity of the information provided by the applicant by online, offline, and other means: whether the organization exists, whether the business is legitimate, whether it owns the domain name, and so on;
  • If the information is approved, the CA issues a certification document, the certificate, to the applicant. The certificate contains the following information in plaintext: the applicant's public key, the applicant's organization and personal information, information about the issuing CA, the validity period, the certificate serial number, and so on, plus a signature. The signature is generated as follows: first a message digest of the plaintext information is computed with a publicly known hash function, then the digest is encrypted with the CA's private key; the resulting ciphertext is the signature;
  • When a client makes a request to the server, the server returns the certificate file;
  • The client reads the plaintext information in the certificate and computes its message digest with the same hash function; it then decrypts the signature data with the corresponding CA public key and compares the result with the digest it computed. If they match, the certificate is confirmed as legitimate, that is, the server's public key is trustworthy.
  • The client also verifies the domain name and validity period in the certificate. The client has the information (including the public keys) of the trusted CAs built in; if the CA is not trusted, that is, no corresponding CA certificate can be found, the certificate is judged invalid.
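  The CA business process and the client-side checks, as an added Go example that is not part of the original article: it builds a constructed root CA and a server certificate signed by it, then runs the client's checks (trusted issuer, domain name, validity period) with Go's standard x509 package. The CA name, host name, key type, and certificate lifetimes are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return k
}

// issue signs the certificate template with the issuer's private key; a nil parent
// means the certificate signs itself, which is how a root CA certificate is made.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil { parent = tmpl }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}

// BuildPKI models the CA process above: the CA's own root certificate (the one a client
// ships with) and a server certificate for host that the CA signs after vetting the applicant.
func BuildPKI(host string, now time.Time) (root, leaf *x509.Certificate) {
	caKey, serverKey := newKey(), newKey()
	root = issue(&x509.Certificate{ // constructed CA name and lifetime
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, &caKey.PublicKey, caKey)
	leaf = issue(&x509.Certificate{ // applicant's public key + identity, signed by the CA
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, &serverKey.PublicKey, caKey)
	return root, leaf
}

// VerifyServerCert is the client side: check the CA signature against the built-in
// trusted roots, the domain name, and the validity period as of now.
func VerifyServerCert(leaf *x509.Certificate, trusted []*x509.Certificate, host string, now time.Time) error {
	roots := x509.NewCertPool()
	for _, c := range trusted { roots.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

func main() {
	now := time.Now()
	root, leaf := BuildPKI("www.example.com", now)
	fmt.Println("trusted CA, right host:", VerifyServerCert(leaf, []*x509.Certificate{root}, "www.example.com", now))
	fmt.Println("CA not in trust store: ", VerifyServerCert(leaf, nil, "www.example.com", now))
}
```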

IV. HTTPS workflow

1. The client initiates an HTTPS request (for example https://juejin.im/user/5a9a9cdcf265da238b7d771c); as specified in RFC 2818, the client connects to port 443 (the default) on the server.

2. The server returns its pre-configured public key certificate to the client.

3. The client validates the public key certificate: for example, whether it is within its validity period, whether the site the certificate was issued for matches the site the client requested, whether it appears on the certificate revocation list (CRL), and whether its issuing certificate is itself valid. This is a recursive process that continues until a root certificate is reached (a root certificate built into the operating system or into the client). If validation passes, the connection proceeds; if not, a warning is displayed.

4. The client generates a symmetric key with a pseudo-random number generator, encrypts it with the public key from the certificate, and sends it to the server.

5. The server decrypts the message with its private key and obtains the symmetric key. At this point the client and the server both hold the same symmetric key.

6. The server encrypts "plaintext content A" with the symmetric key and sends it to the client.

7. The client decrypts the response ciphertext with the symmetric key and obtains "plaintext content A".

8. The client initiates another HTTPS request, encrypting the request's "plaintext content B" with the symmetric key; the server then decrypts the ciphertext with the symmetric key and obtains "plaintext content B".

V. Differences between HTTP and HTTPS

  • HTTP is a plaintext transfer protocol; HTTPS is an encrypted transfer protocol built from SSL + HTTP, a network protocol that provides encrypted transmission and authentication, and is more secure than HTTP.

  
  On security, the simplest analogy for the relationship between the two is freight trucking: under HTTP the truck is open-topped and the goods are exposed, whereas HTTPS is a closed container truck, so security is naturally much higher.

  • HTTPS is more secure than HTTP and search-engine friendly, which helps SEO; Google and Baidu index HTTPS pages first;
  • HTTPS requires an SSL certificate, HTTP does not;
  • The standard HTTPS port is 443, the standard HTTP port is 80;
  • HTTPS works at the transport layer, HTTP at the application layer;
  • HTTPS shows a green safety lock in the browser, HTTP does not;

VI. Why not all websites use HTTPS

  Since HTTPS is so secure, why don't all websites use it?

  First, many people still feel there are barriers to implementing HTTPS, the main one being that it requires an SSL certificate issued by a certificate authority (CA). Under the traditional model, selecting, purchasing, and deploying a certificate is fairly time-consuming.

  Second, HTTPS is generally considered to have a higher performance overhead than HTTP, since encrypted communication consumes more CPU and memory than plaintext communication. If every communication is encrypted, considerable resources are consumed, and with the same amount of time available on a computer, the number of requests that can be processed necessarily drops. But this need not be the case: performance can be optimized, for example by deploying the certificate on an SLB (server load balancer) or a CDN. To give a real example, during the "Double 11" shopping festival Taobao and Tmall ran entirely on HTTPS and still kept website and mobile access, browsing, and transactions running smoothly. Testing found that after optimization the performance of many pages was unchanged compared with HTTP, and even slightly improved, so HTTPS is not really slower once optimized.

  In addition, the wish to save the cost of buying a certificate is another reason. For HTTPS communication a certificate is essential, and the certificate must be purchased from a certification authority (CA).

  Finally, security awareness. Compared with the domestic market, security awareness and the application of Internet technology abroad are relatively mature, and the trend towards HTTPS deployment there is driven jointly by society, enterprises, and government.

References:

https://segmentfault.com/a/1190000018992153

https://www.jianshu.com/p/0e1fa5ae6a1e


Source: www.cnblogs.com/zhjh256/p/12541893.html