An In-depth Look at How HTTPS Works

Overview: HTTPS (full name: HyperText Transfer Protocol over Secure Socket Layer) is not actually a new protocol; Google enabled it very early on, originally in order to keep data secure. In the past two years Google, Baidu, Facebook and other Internet giants have all begun pushing HTTPS hard, and many large Internet companies at home and abroad have enabled site-wide HTTPS, which is the direction in which the Internet is developing.

Foreword



To encourage websites worldwide to adopt HTTPS, some Internet companies have set their own requirements:

1) Google has adjusted its search ranking algorithm so that sites using HTTPS rank higher in search results;

2) Starting in 2017, the Chrome browser marks every site still using plain HTTP as not secure;

3) Apple requires that from 2017 all apps in the App Store use HTTPS encrypted connections;

4) WeChat mini programs, currently extremely popular in China, are also required to use HTTPS;

5) Support for the new generation HTTP/2 protocol requires HTTPS as its basis.

And so on. It is therefore safe to assume that in the near future, HTTPS across the whole Internet will be unavoidable.

Concepts


Protocols

1. HTTP (HyperText Transfer Protocol): an application-layer communication protocol between a client (a browser or another program) and a Web server.

2. HTTPS (HyperText Transfer Protocol over Secure Socket Layer): can be understood as HTTP + SSL/TLS, that is, HTTP with an SSL layer added beneath it. The security foundation of HTTPS is SSL, so the details of the encryption are handled by SSL, and the result is secure transmission of HTTP data.

Figure: compared with HTTP, HTTPS adds an SSL/TLS layer.

SSL (Secure Socket Layer): developed by Netscape in 1994, the SSL protocol sits between TCP/IP and the various application-layer protocols and provides security support for data communication.

TLS (Transport Layer Security): its predecessor is SSL. The first few releases (SSL 1.0, SSL 2.0, SSL 3.0) were developed by Netscape; starting from version 3.1 in 1999 it was standardized by the IETF and renamed TLS, and it has since gone through three versions, TLS 1.0, TLS 1.1 and TLS 1.2. SSL 3.0 and TLS 1.0 are now rarely used because of security vulnerabilities. TLS 1.3 brings relatively large changes and is still at the draft stage; the most widely used versions at present are TLS 1.1 and TLS 1.2.

Encryption algorithms:

According to the records, around 400 BC the ancient Greeks invented an early cipher, and during World War II the German military used the "Enigma" cipher machine, so cryptography has long had a wide range of uses in the development of society.

1. Symmetric encryption

Comes in stream and block forms; the same key is used for both encryption and decryption.

Examples: DES, AES-GCM, ChaCha20-Poly1305, etc.

2. Asymmetric encryption

The encryption key and the decryption key are different; they are called the public key and the private key. The algorithm and the public key are public, while the private key is kept secret. Asymmetric algorithms have lower performance but better security, and because of the way they encrypt, the length of data they can encrypt is limited.

Examples: RSA, DSA, ECDSA, DH, ECDHE

3. Hash algorithms

Convert information of arbitrary length into a shorter fixed-length value, usually much smaller than the message; the algorithm is not reversible.

Examples: MD5, SHA-1, SHA-2, SHA-256, etc.

4. Digital signatures

A signature is a piece of content appended to a message (the hash value of the message), which proves that the message has not been modified. Usually the hash value is encrypted (this is the signature) and then sent together with the message, so that the hash value itself cannot be modified.

Details


I. The HTTP access process

Figure: Ethereal capture of an HTTP request.

As the capture above shows, there is no identification step between the client and the server in an HTTP request, and all data is transmitted in plain text, "naked" on the Internet, so it is very vulnerable to hackers, as follows:

As you can see, a request sent by the client can easily be intercepted by a hacker. If the hacker then poses as the server, it can return any information it likes to the client without the client noticing. This is the phenomenon we often hear called "hijacking", as shown below:

In the two figures below, the same URL is entered into the browser; the left is the normal response and the right is the response after hijacking.

So the risks faced by HTTP transport are:

(1) Eavesdropping: a hacker can read the communication.

(2) Tampering: a hacker can modify the content of the communication.

(3) Impersonation: a hacker can pose as one of the parties in the communication.

II. The evolution from HTTP to HTTPS

Step one: to prevent these phenomena, people thought of a way: encrypt the transmitted information (so that even if a hacker intercepts it, it cannot be read).

As the figure shows, this scheme is symmetric encryption: both sides hold the same key, and the information is transmitted securely. The disadvantages of this approach are:

(1) There are many different clients and many servers, so both sides need to maintain a large number of keys, and the maintenance cost is high.

(2) Because each client and server has a different security level, keys leak easily.

Step two: since key maintenance is so complicated with symmetric encryption, try asymmetric encryption instead.

As shown above, the client encrypts the request with the public key and the server decrypts it with the private key, and vice versa. But this process also has a disadvantage:

(1) The public key is public (that is, hackers have it too), so if the information encrypted with the private key in step ④ is intercepted by a hacker, the hacker can decrypt it with the public key and obtain its content.

Step three: since asymmetric encryption is also flawed, combine symmetric and asymmetric encryption, keeping the best of each and discarding the worst, so that the strengths of both come into play.

As shown in the figure:

(1) In step ③, the client says: (we will use symmetric encryption from now on; here are the symmetric encryption algorithm and the symmetric key), encrypts this message with the public key, and sends it to the server.

(2) When the server receives the message, it decrypts it with the private key, extracts the symmetric key and the symmetric encryption algorithm, and replies: (OK), encrypted with the symmetric key.

(3) All subsequent information between the two sides can then be transmitted using symmetric encryption.

Problems encountered:

(1) How does the client obtain the public key?

(2) How does the client confirm that the server is genuine and not a hacker?

Step four: obtain the public key and confirm the identity of the server

1. Obtaining the public key

(1) Provide an address from which the public key can be downloaded, and have the client download it before the conversation. (Drawbacks: the download may be forged; having the client download the public key before every conversation is too cumbersome.)

(2) The server sends its public key to the client at the start of the conversation. (Drawback: a hacker posing as the server can send a forged public key to the client.)

2. Is there a way for both sides to obtain the public key safely while also preventing hackers from impersonating the server? For that we need the ultimate weapon: the SSL certificate.

As shown above, in step ② the server sends the client an SSL certificate. The certificate contains:

(1) The certificate issuing authority (CA)

(2) The validity period of the certificate

(3) The public key

(4) The certificate owner

(5) The signature

…

3. When the client receives the SSL certificate from the server, it verifies the certificate's authenticity. Taking a browser as an example:

(1) First, the browser reads the certificate owner, validity period and other information from the certificate and checks each item.

(2) The browser looks up the trusted certificate issuing authorities (CAs) built into the operating system and compares them with the issuing CA of the certificate sent by the server, to check whether the certificate was issued by a legitimate authority.

(3) If no match is found, the browser reports an error, indicating that the certificate sent by the server cannot be trusted.

(4) If a match is found, the browser takes the issuing CA's public key from the operating system and uses it to decrypt the signature on the certificate sent by the server.

(5) The browser computes the hash of the certificate sent by the server using the same hash algorithm, and compares this computed hash with the one recovered from the certificate's signature.

(6) If the two match, the certificate sent by the server is proven legitimate and not forged.

(7) At this point the browser can read the public key from the certificate and use it for the subsequent encryption.

4. Sending the public key in the form of an SSL certificate therefore solves both the problem of obtaining the public key and the problem of hackers impersonating the server, killing two birds with one stone. This is how the HTTPS encryption process takes shape.
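The browser checks listed under item 3, as an added Go example that is not code from the original post: NewCert builds a CA root and a server certificate issued by it (the names, validity period and serial numbers are constructed), and VerifyServerCert replays steps 1 to 6 against a map that stands in for the operating system's built-in list of trusted CAs. Go's CheckSignatureFrom performs steps 4 to 6 in one call, hashing the certificate body and checking the signature with the CA's public key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// NewCert generates a P-256 key pair and a certificate for cn, signed under parent with
// signer's key; parent == nil makes it self-signed. Times and serial are constructed.
func NewCert(cn string, isCA bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed: the certificate is its own issuer
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// VerifyServerCert replays the browser's checks: validity period (step 1), issuer found among
// the trusted CAs keyed by subject name (steps 2 and 3), CA public key verifies the signature (4 to 6).
func VerifyServerCert(leaf *x509.Certificate, trusted map[string]*x509.Certificate, now time.Time) error {
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return errors.New("certificate expired or not yet valid")
	}
	ca, ok := trusted[leaf.Issuer.String()]
	if !ok {
		return errors.New("issuer is not a trusted CA")
	}
	return leaf.CheckSignatureFrom(ca) // hashes the TBS bytes and checks the signature with ca's key
}
```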

So compared with HTTP, HTTPS transport is safer:

(1) All transmitted information is encrypted, so hackers cannot eavesdrop.

(2) There is a verification mechanism: if the content is tampered with, both sides of the communication find out immediately.

(3) Certificates identify the parties, preventing impersonation.

Summary


In summary, compared with HTTP, HTTPS adds many handshake, encryption and decryption steps. Although the process is complex, it guarantees the security of data transmission. So in this era of Internet expansion, with all kinds of hidden crises, we recommend promoting HTTPS widely in order to keep data secure and the network stable.

Disadvantages of HTTPS:

(1) SSL certificates are expensive, and deploying them on servers and keeping them updated and maintained is very cumbersome.

(2) HTTPS slows down user access (several handshake round trips).

(3) After a site switches to HTTPS, the redirect from HTTP to HTTPS adds to the user's access time (most sites use 302 redirects).

(4) The security algorithms involved in HTTPS consume CPU resources, so a large number of additional machines is needed (the HTTPS encryption and decryption process runs for every access).


Source: blog.csdn.net/bluehawksky/article/details/100543679