Interviewer: Tell me about the difference between https and http

"No time is too important, Hua is no longer Yang"


01 Preface


Data sent over HTTP travels as plain text and is not encrypted, which makes the transmission insecure. If the data contains sensitive information such as bank card or ID card numbers, it can easily be stolen by others and used for fraud.

So people came up with a protocol that can transmit data securely: HTTPS. With it, information is encrypted before it is sent, and the receiver has to decrypt it to read it; anyone who merely intercepts the transmitted data gains nothing from it.

02 Difference


So what are the differences between HTTPS and HTTP? Is HTTPS a new protocol? In fact, HTTPS is built on top of HTTP. We know that HTTP performs the TCP three-way handshake before any data is transmitted. HTTPS performs the three-way handshake too; the only addition is an SSL/TLS layer between the application layer and the transport layer.

First, let's look at how an HTTPS connection is established.

  1. First, the client sends a request to the server, and the server responds by sending a public key to the client.
  2. The client verifies the public key, checking whether it is valid and whether it has expired.
  3. Once verification passes, the client generates a random value (the key), encrypts it with the public key, and sends it back to the server.
  4. The server decrypts it with its private key and obtains the client's random key.
  5. The server uses the random key to encrypt the data and sends it to the client.
  6. The client uses the key to decrypt the data.
  7. The client gets the real data.

The steps above should make the HTTPS handshake phase clear. Note that the connection involves not only the SSL handshake but also the TCP three-way handshake that establishes the connection.
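The exchange in steps 1 to 7, as an added example in Node.js that is not part of the original post: it runs both sides in one process, assumes step 2 (certificate validation) has already passed, and uses hypothetical helper names (`createServer`, `createClient`, `runExchange`). It models only the key exchange the steps describe, not the TLS wire protocol.

```javascript
const crypto = require("node:crypto"); // added example; helper names are hypothetical

function createServer() {
  // Long-term RSA key pair; real HTTPS delivers the public key inside a certificate.
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  let sessionKey = null;
  return {
    hello: () => publicKey.export({ type: "spki", format: "pem" }), // step 1
    acceptKey(wrapped) { // step 4: only the private key holder can unwrap
      sessionKey = crypto.privateDecrypt({ key: privateKey, oaepHash: "sha256" }, wrapped);
    },
    respond(plaintext) { // step 5: encrypt data under the shared random key
      const iv = crypto.randomBytes(12);
      const cipher = crypto.createCipheriv("aes-256-gcm", sessionKey, iv);
      const data = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
      return { iv, data, tag: cipher.getAuthTag() };
    },
  };
}

function createClient(serverPublicKeyPem) {
  // Assumption: step 2 (validating the certificate and its expiry) already passed.
  const sessionKey = crypto.randomBytes(32); // step 3: random value key
  return {
    wrappedKey: crypto.publicEncrypt({ key: serverPublicKeyPem, oaepHash: "sha256" }, sessionKey),
    open({ iv, data, tag }) { // steps 6-7: decrypt and recover the real data
      const decipher = crypto.createDecipheriv("aes-256-gcm", sessionKey, iv);
      decipher.setAuthTag(tag);
      return Buffer.concat([decipher.update(data), decipher.final()]).toString("utf8");
    },
  };
}

function runExchange(message) {
  const server = createServer();
  const client = createClient(server.hello());
  server.acceptKey(client.wrappedKey);
  const record = server.respond(message);
  const received = client.open(record);
  // An interceptor sees `record` and `wrappedKey`, never the session key.
  const leaksPlaintext = record.data.includes(Buffer.from(message, "utf8"));
  // Failure mode: a record altered in transit fails the GCM tag check.
  const tampered = { ...record, data: Buffer.from(record.data) };
  tampered.data[0] ^= 1;
  let tamperRejected = false;
  try { client.open(tampered); } catch { tamperRejected = true; }
  return { received, leaksPlaintext, tamperRejected };
}
console.log(runExchange("card=0000-0000-0000-0000 (constructed sample)"));
```

The returned object shows the client recovering the message, the ciphertext not containing the plaintext, and a modified record being rejected.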

Since HTTPS can guarantee secure transmission, do all websites use it?

In fact, the most critical issue is the certificate, which is used to prove that your website is safe and not dangerous. It has to be issued to the website by a trusted third-party authority, much like an authorization. For example, in China we trust Alipay, so we are willing to deposit all our money in Yu'e Bao.

Generally speaking, free certificates are few; many have to be paid for, and the price is high. Only large companies or e-commerce websites with high security requirements need to use them, and personal sites generally do not. So, to sum up the shortcomings of HTTPS:

  • Certificates are a problem: the price is high
  • The handshake phase takes extra time
  • SEO search response is slow
  • The range of what is encrypted is relatively limited
  • If the certificate of the issuing authority is leaked, HTTPS is no longer safe either


03 Summary


The encryption process itself comes down to the algorithm: the algorithm performs an encryption operation on the random value. If the algorithm is strong and complex, it is difficult to crack without the means of decryption.

The algorithm itself is outside our scope. As long as we understand the process well, a front-end engineer does not need to delve into the details. If you can describe the process above during an interview, there will be no problem.

Everyone is welcome to follow my WeChat public account "Front End Hours", where articles are published at the same time!

Origin blog.csdn.net/weixin_42724176/article/details/104811101