HTTPS encryption: this one article is enough

PS: Persistence is the greatest transcendence.

Recently someone in a chat group asked about HTTPS. I use it, but I knew little about how it works, so today I have put together a summary of HTTPS-related knowledge. This article covers the theory; the next one will be a practical case study. The main contents are as follows:

  1. HTTP shortcomings
  2. What is HTTPS
  3. Public-key encryption technology
  4. HTTPS encrypted transmission
  5. Public key certificate
  6. SSL and TLS
  7. Why not always use HTTPS

HTTP shortcomings

HTTP has the following shortcomings:

  1. Communication is in plaintext, so the transmitted content can be eavesdropped on
  2. The communicating party is not authenticated, so requests are easy to spoof (either end can be impersonated)
  3. Message integrity cannot be guaranteed, so content may be tampered with in transit

What is HTTPS

In simple terms, HTTPS (HTTP Secure) is HTTP with encryption and authentication mechanisms added on top of the basic HTTP protocol.

HTTPS is not a new protocol. It is HTTP in which the part of the communication interface that talks to the transport layer is replaced by the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols. Instead of HTTP talking directly to TCP, HTTP first talks to SSL/TLS, and SSL/TLS then talks to TCP. HTTP and HTTPS are illustrated as follows:

Public-key encryption technology

Encryption algorithms fall into symmetric-key encryption and asymmetric-key encryption. The algorithms themselves are public; confidentiality rests entirely on the key. Both encryption and decryption require the key, and without it the content cannot be decrypted. Conversely, if the key is intercepted, the encrypted content is very likely to be recovered.

  • Symmetric key encryption

This is also called shared-key encryption (common key cryptosystem): the same key is used for encryption and decryption. The key has to be delivered to the other party so that it can decrypt, and it may be intercepted during that delivery. The problem of communicating securely therefore turns into the problem of how to transmit the key securely, illustrated as follows:

  • Asymmetric key encryption

This is also called public-key encryption. It uses a pair of asymmetric keys: one is the public key, the other the private key. The public key can be distributed freely; the private key must be kept secret.

The sender encrypts with the other party's public key, and the receiver decrypts with its own private key. The private key never has to be transmitted, so there is no need to worry about it being intercepted, illustrated as follows:

HTTPS encrypted transmission

Because HTTP originally talked directly to TCP, and because of how the TCP/IP protocol suite works, the content of a communication can be eavesdropped anywhere along the transmission path. The Internet is, by definition, a network of networks that reaches the whole world, and the lines and network equipment it consists of are not the private property of the two parties, which leaves the communication unsafe. This is why HTTPS was born. So how does HTTPS encrypt?

HTTPS uses a hybrid encryption mechanism. If the key exchange could be made secure, symmetric-key encryption alone would be enough for the whole communication. Since it cannot, asymmetric-key encryption is used for the key-exchange phase and symmetric-key encryption for the communication that follows. The reason for the split is that symmetric-key encryption is far faster than asymmetric-key encryption, so the expensive asymmetric operation is used only to protect the small symmetric key, not the traffic itself.

But is encrypted communication really safe from eavesdropping? In fact the traffic can still be captured: tapping the link needs no key. What the eavesdropper obtains, however, is ciphertext that cannot be read without the key, so the purpose of encryption is still achieved.

During HTTPS encrypted transmission the server's public key has to be sent to the client. How does the client know that the public key it receives is the right one, rather than one substituted by someone sitting in the middle of the connection? The answer is a public-key digital certificate issued by a certificate authority.

Public key certificate

Here we need to mention the certificate authority (CA) and the public-key certificates it issues. A certificate authority is a third party trusted by both the client and the server. Its process works as follows:

  1. The server operator submits the server's public key to the certificate authority;
  2. After verifying the applicant's identity, the CA digitally signs the submitted public key with its own private key and binds the public key and the signature together into a public-key certificate; the server then sends this CA-issued certificate to the client;
  3. The client obtains the certificate and verifies its digital signature with the CA's public key. This confirms, first, that the certificate really was issued by the certificate authority and, second, that the server's public key inside it can be trusted;
  4. Once that is confirmed, the client encrypts its message with the server's public key;
  5. The server decrypts the message with its private key.

The specific process is shown below:

Step 3 raises the question of how the CA's own public key reaches the client securely. Most browser vendors solve this by building the public keys (root certificates) of commonly used certificate authorities into the browser when it is released.

SSL and TLS

HTTPS uses two protocols, SSL (Secure Sockets Layer) and TLS (Transport Layer Security). SSL was originally designed by the browser vendor Netscape Communications Corporation, which developed it up to version SSL 3.0. Since then the work has been in the hands of the IETF (Internet Engineering Task Force).

The IETF took SSL 3.0 as its basis and developed TLS 1.0, TLS 1.1 and TLS 1.2, followed in 2018 by TLS 1.3 (RFC 8446). TLS is thus the successor of SSL, and "SSL" is often still used loosely as the name for the whole family. SSL 3.0 and TLS 1.0 were the mainstream versions when SSL/TLS was first widely deployed, but both are now deprecated (SSL 3.0 by RFC 7568 in 2015, TLS 1.0 and 1.1 by RFC 8996 in 2021); the versions in use today are TLS 1.2 and TLS 1.3, and a server should refuse anything older.

In short, TLS can be understood as an upgraded version of SSL built on SSL's design; the detailed differences between the two are left to the specialists. That is the background of SSL and TLS.

Why not always use HTTPS

HTTPS becomes safe and reliable by using SSL (including TLS), but because SSL encrypts the whole communication, the constant encryption and decryption consumes hardware resources on both the server and the client and slows communication down.

SSL communication is slower in two ways: the network load is higher, and the extra consumption of resources such as CPU and memory lowers the overall processing speed. Compared with plain HTTP, the network load may be 2 to 100 times slower, as shown below. (That figure dates from when the comparison was first made; CPUs with hardware AES instructions, TLS session resumption and the shorter TLS 1.3 handshake have narrowed the gap considerably since.)

Using HTTPS therefore means higher hardware costs, plus the cost of purchasing a digital certificate from a certificate authority (although CAs that issue certificates free of charge, such as Let's Encrypt, now exist).

This is why, although HTTPS is safe and reliable, so many sites stayed on plain HTTP for so long.


Origin blog.csdn.net/jzman/article/details/105084659