The difference between HTTP and HTTPS (and between B/S and C/S)

HTTP (Hypertext Transfer Protocol) is used to transfer messages between web browsers and servers.

HTTP sends content in clear text and provides no method of data encryption. If an attacker intercepts the messages exchanged between the web browser and the website server, they can read the information directly. HTTP is therefore not suitable for transmitting sensitive information such as credit card numbers, passwords and other payment information.

To address the weakness of plaintext transmission, another protocol is required: HTTPS (Secure Socket Layer Hypertext Transfer Protocol). For data security, HTTPS adds the SSL protocol on top of HTTP. SSL relies on certificates to verify the identity of the server, and encrypts the communication between the browser and the server.

1. The basic concepts of HTTP and HTTPS

HTTP: the most widely used network protocol on the Internet. It is a request/response standard between client and server (over TCP), used to transfer hypertext from a WWW server to the local browser. It makes the browser more efficient and reduces network transmission.

HTTPS: an HTTP channel with security as its goal, that is, the secure version of HTTP. An SSL layer is added under HTTP, and SSL is the security foundation of HTTPS, so the details of the encryption are handled by SSL.

The HTTPS protocol has two main functions. One is to establish a secure channel to protect data in transit; the other is to confirm the authenticity of the website.

SSL stands for Secure Sockets Layer.

2. What is the difference between HTTP and HTTPS?

Data transmitted over HTTP is unencrypted, that is, sent in plain text, so using HTTP to transmit private information is very insecure. To ensure that this private data can be encrypted in transit, Netscape designed the SSL protocol to encrypt the data carried by HTTP, and HTTPS was born. In simple terms, HTTPS is a network protocol built from SSL + HTTP that provides encrypted transmission and identity authentication, and it is more secure than HTTP.

The main differences between HTTP and HTTPS are as follows:

1. HTTPS requires applying for a certificate from a CA. Free certificates are generally scarce, so a fee is usually required.

2. HTTP is a hypertext transfer protocol in which information is transmitted in clear text; HTTPS is a secure transfer protocol encrypted with SSL.

3. HTTP and HTTPS use different connection methods and different ports: HTTP uses port 80, and HTTPS uses port 443.

4. An HTTP connection is relatively simple and stateless; HTTPS is a network protocol built from SSL + HTTP that provides encrypted transmission and identity verification.

3. How HTTPS works

HTTPS encrypts traffic to prevent sensitive information from being obtained by a third party, so many websites and e-mail services that require a higher level of security use the HTTPS protocol.

The client goes through the following steps when communicating with the web server over HTTPS, as shown in the figure:

(1) The client accesses the web server with an HTTPS URL, requesting an SSL connection with the web server.

(2) After receiving the client's request, the web server sends a copy of the website's certificate information (the certificate contains the public key) to the client.

(3) The client's browser and the web server negotiate the security level of the SSL connection, that is, the level of encryption.

(4) The client's browser creates a session key according to the security level agreed by both parties, encrypts the session key with the website's public key, and sends it to the website.

(5) The web server uses its own private key to decrypt the session key.

(6) The web server uses the session key to encrypt its communication with the client.
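The six steps above, traced in one function with both sides' values visible. This is an added example, not code from the original post: the RSA key is a constructed toy key, the keystream cipher and the suite names are hypothetical stand-ins, and none of it is a real SSL/TLS implementation.

```python
import hashlib
import secrets

# Constructed toy RSA key from two Mersenne primes; far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # server's private exponent

SERVER_SUITES = ["TOY-256", "TOY-128"]  # hypothetical suite names


def keystream_xor(key, data):
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def handshake(client_suites, request):
    # (1)+(2) client connects; server replies with its certificate (public key).
    # A real client validates the certificate chain and host name at this point.
    certificate = {"subject": "www.example.test", "n": N, "e": E}
    # (3) negotiate: the first client preference the server also supports
    suite = next((s for s in client_suites if s in SERVER_SUITES), None)
    if suite is None:
        raise ValueError("no common cipher suite, handshake fails")
    # (4) client creates a session key and encrypts it with the public key
    client_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(client_key, "big"),
                  certificate["e"], certificate["n"])
    # (5) server decrypts the session key with its private key
    server_key = pow(wrapped, D, N).to_bytes(16, "big")
    # (6) application data is now encrypted under the shared session key
    on_wire = keystream_xor(client_key, request)
    received = keystream_xor(server_key, on_wire)
    return {"suite": suite, "keys_match": client_key == server_key,
            "on_wire": on_wire, "received": received}
```

Only `wrapped` and `on_wire` cross the network; an eavesdropper who lacks the private exponent `D` cannot recover the session key from either.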

4. The advantages of HTTPS

HTTPS is not absolutely secure: organizations that control certificate authorities or encryption algorithms can still conduct man-in-the-middle attacks. Even so, HTTPS is the most secure solution under the current architecture, and it has the following benefits:

(1) HTTPS authenticates users and servers, ensuring that data is sent to the correct clients and servers.

(2) HTTPS is a network protocol built from SSL + HTTP that provides encrypted transmission and identity authentication. It is safer than HTTP: it prevents data from being stolen or changed during transmission and ensures data integrity.

(3) HTTPS is the most secure solution under the current architecture. Although it is not absolutely secure, it greatly increases the cost of man-in-the-middle attacks.

(4) Google adjusted its search engine algorithm in August 2014 and said that “sites using HTTPS encryption will rank higher in search results than comparable HTTP sites.”

5. Disadvantages of HTTPS

(1) The handshake phase of the HTTPS protocol is time-consuming; it delays the page loading time by nearly 50% and increases power consumption by 10% to 20%.

(2) HTTPS caching is not as efficient as HTTP caching, which increases data overhead and power consumption, and even existing security measures will be affected.

(3) SSL certificates cost money. The more powerful the certificate, the higher the fee. Personal websites and small websites generally do not need one.

(4) An SSL certificate needs to be bound to an IP, and multiple domain names cannot be bound to the same IP; IPv4 resources cannot support this consumption.

(5) The scope of what HTTPS encrypts is relatively limited, and it has little effect against hacker attacks, denial-of-service attacks, server hijacking and the like. Most importantly, the chain-of-trust system of SSL certificates is not secure: where some countries can control CA root certificates, man-in-the-middle attacks are equally feasible.

6. Switching from HTTP to HTTPS

If you need to switch a website from http to https, how do you implement it?

You need to change all links on the page, such as those to js, css and pictures, from http to https. For example: http://www.yunwzj.com is changed to https://www.yunwzj.com

BTW, although we are switching from http to https here, it is recommended to keep http as well, so we can make the pages compatible with both when switching. The specific implementation is to remove the http prefix from the page links, so that the link automatically matches whichever of http or https the page was loaded with. For example: change http://www.yunwzj.com to //www.yunwzj.com. Then when the user enters the page from the http entry, the page is http; if the user enters from the https entry, the page is https.
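One way to find the links that still need changing before the switch, written as an added example rather than code from the original post: it reports js, css and picture references that would still load over plain http and rewrites a URL to either form described above. The sample page and the function names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch a subresource (js, css, pictures).
# <a href> is navigation, not a subresource fetch, so it is not reported.
FETCH_ATTRS = {("script", "src"), ("link", "href"), ("img", "src"),
               ("iframe", "src"), ("source", "src")}


class MixedContentFinder(HTMLParser):
    """Collect subresource URLs that would load over plain http."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in FETCH_ATTRS and value:
                if urlsplit(value.strip()).scheme.lower() == "http":
                    self.findings.append((self.getpos()[0], tag, name, value))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def upgrade(url, protocol_relative=False):
    """Rewrite an http URL to https, or to the scheme-less // form."""
    url = url.strip()
    if urlsplit(url).scheme.lower() != "http":
        return url
    rest = url[len("http:"):]  # keeps //host/path?query#fragment
    return rest if protocol_relative else "https:" + rest


# Constructed sample page for this example.
SAMPLE = """<html><head>
<script src="http://www.yunwzj.com/app.js"></script>
<link rel="stylesheet" href="https://www.yunwzj.com/site.css">
</head><body>
<img src="//www.yunwzj.com/logo.png">
<a href="http://www.yunwzj.com/about">About</a>
</body></html>"""
```

On `SAMPLE`, `find_mixed_content` reports only the script on line 2; the https stylesheet and the `//` image already follow the page's scheme.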

 

 

 

B/S: Browser/Server. The application is used through a browser.

C/S: Client/Server. A client application needs to be installed.

1. B/S and C/S each have their own strengths, and both are very important computing architectures.

2. The B/S architecture requires browser compatibility testing; you need to consider whether the system meets the requirements in different browsers.

3. The C/S architecture requires installing, upgrading and uninstalling the system, and needs to take the different supported platforms and similar issues into account.

4. C/S is generally built on a dedicated network in a small-scale network environment, with connections and data exchange between LANs provided through dedicated servers.

Origin blog.csdn.net/wennie11/article/details/104985332