A must-read for promotions and raises! An Android learning route guide that landed a big-company offer

Preface

The previous article shared a summary of interview experiences from senior engineers that I recently compiled; if you are interested, check it out. The experience of student A, who interviewed at Baidu, was very interesting: he got the offer but did not take it. After hearing his reasons, I agreed with his thinking, and I believe this kind of professional values is meaningful to many people.

Background

We know that plain http communication has the following problems:

  • Communication is in plaintext, so it may be eavesdropped on
  • The identity of the communicating party is not verified, so it may be impersonated
  • The integrity of a message cannot be proven, so it may have been tampered with

Using https solves these data security issues, but do you really understand https?

When the interviewer keeps probing with follow-up questions, can you answer fluently?

  1. What is https, and why do we need it?
  2. What is the https connection process?
  3. What encryption does https use (symmetric and asymmetric encryption), why is it designed this way, and why is symmetric encryption used for content transmission?
  4. Is https absolutely secure?
  5. Can https traffic be captured with a packet sniffer?

If you can answer these freely, congratulations: you have essentially mastered https, which is enough for the interview.

What is https

Simply put, https is http + SSL: the content of http communication is encrypted. It is the secure version of HTTP, that is, the HTTP protocol carried over TLS/SSL.

The role of https:

  1. Content encryption: establishes a secure channel to ensure the security of data in transit;
  2. Identity verification: confirms the authenticity of the website;
  3. Data integrity: prevents content from being impersonated or tampered with by third parties.

What is SSL

SSL was created by Netscape in 1994 to provide secure Internet communication over the Web. It is a standard protocol for encrypting communication between a browser and a server, so that private information such as account passwords, bank card numbers and mobile phone numbers can be transmitted over the Internet securely and easily.

An SSL certificate is a digital certificate, issued by a trusted CA, that complies with the SSL protocol.

How SSL/TLS works:

To understand how SSL/TLS works, we first need to understand encryption algorithms. There are two kinds: symmetric encryption and asymmetric encryption.

Symmetric encryption: both parties use the same key for encryption and decryption. Its strength is speed; its weakness is that the key must be protected, because if the key leaks, the encryption can be broken by others. Common symmetric algorithms include AES and DES.

Asymmetric encryption: two keys are generated, a public key and a private key.

As the name implies, the public key is public and anyone can obtain it, while the private key is kept private. Most programmers are already familiar with this from SSH keys: when we push code to GitHub, we generate a private and public key locally, keep the private key in the local .ssh directory, and upload the public key to GitHub. Afterwards we no longer have to enter a user name and password when pushing code, because GitHub identifies us using the stored public key.

Either the public key encrypts and the private key decrypts, or the private key encrypts and the public key decrypts. This kind of algorithm is more secure, but it involves far more computation than symmetric encryption, so encryption and decryption are very slow. A common asymmetric algorithm is RSA.

https connection process

The https connection process is roughly divided into two stages: the certificate verification stage and the data transmission stage.

Certificate verification phase

Roughly three steps:

  1. The browser initiates a request.
  2. After the server receives the request, it returns its certificate, which contains the public key.
  3. After the browser receives the certificate, it checks whether the certificate is legitimate. If it is not, an alert pops up (how legitimacy is verified is analyzed in detail below and skipped here).

Data transmission stage

Once the certificate is found to be legitimate:

  1. The browser generates a random number;
  2. encrypts it with the public key and sends it to the server;
  3. the server receives the value sent by the browser and decrypts it with the private key;
  4. after decryption succeeds, it uses a symmetric encryption algorithm to encrypt its reply and transmits it to the client.

From then on, the two parties use the random number generated in step 1 as the key for encrypted communication.

What is the encryption method of https, symmetric encryption and asymmetric encryption, and why is it designed like this?

From the above we know that https encryption combines symmetric and asymmetric encryption.

The certificate verification stage uses asymmetric encryption; the data transmission stage uses symmetric encryption.

The advantage of this design is that it maximizes both security and efficiency.

In the certificate verification stage, asymmetric encryption needs a public key and a private key. Even if the public key held by the browser is exposed, the random number is still secure, because data encrypted with the public key can only be decrypted with the private key. In this way the secrecy of the random number is ensured to the greatest extent.

In the content transmission stage, using symmetric encryption greatly improves the efficiency of encryption and decryption.

Why use symmetric secrets for content transmission

  1. Symmetric encryption is much more efficient.
  2. A single public/private key pair only enables one-way encryption and decryption, and only the server holds the private key. If asymmetric encryption were used for content, each client would need its own private key, which is obviously unreasonable because a private key has to be applied for.
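The exchange described in the connection process above (a random session key sealed with the server's public key, then symmetric encryption for the content) and the size argument behind "why symmetric for content", as an added Go example that is not part of the original article. It uses only the Go standard library; the "GET /account" request is a constructed sample value. It mirrors the RSA key-transport handshake the article describes; TLS 1.3 derives the session key with ephemeral Diffie-Hellman instead, but the symmetric-for-content design is the same.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Added example, not the article's code: RSA key transport followed by AES-GCM.

// newServerKey generates the server's RSA key pair; the public half is what
// the server's certificate would carry to the browser.
func newServerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// oversizedRSARejected reports whether encrypting n bytes directly with
// RSA-OAEP fails. OAEP/SHA-256 under a 256-byte modulus holds at most
// 256 - 2*32 - 2 = 190 bytes, so bulk content never goes through RSA itself.
func oversizedRSARejected(pub *rsa.PublicKey, n int) bool {
	_, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, make([]byte, n), nil)
	return err != nil
}

// clientKeyExchange is the browser side of the data transmission stage: draw a
// random 32-byte session key and seal it with the server's public key.
func clientKeyExchange(pub *rsa.PublicKey) (sessionKey, sealed []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	sealed, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	return sessionKey, sealed, err
}

// serverKeyExchange is the server side: only the private key recovers the key.
func serverKeyExchange(priv *rsa.PrivateKey, sealed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sealed, nil)
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte session key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts and authenticates one record; the random nonce is
// prepended so the receiver can recover it.
func sealRecord(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openRecord reverses sealRecord; it fails on a wrong key or any modification,
// which is the integrity guarantee the article lists.
func openRecord(key, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, errors.New("record too short")
	}
	return gcm.Open(nil, record[:gcm.NonceSize()], record[gcm.NonceSize():], nil)
}

// hybridRoundTrip runs the whole exchange and returns what the server read.
func hybridRoundTrip(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	clientKey, sealedKey, err := clientKeyExchange(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	serverKey, err := serverKeyExchange(priv, sealedKey) // server side
	if err != nil {
		return nil, err
	}
	record, err := sealRecord(clientKey, msg) // client encrypts its request
	if err != nil {
		return nil, err
	}
	return openRecord(serverKey, record) // server decrypts with the same key
}

func main() {
	priv, err := newServerKey()
	if err != nil {
		panic(err)
	}
	got, err := hybridRoundTrip(priv, []byte("GET /account HTTP/1.1")) // constructed request
	fmt.Printf("server read %q (err=%v); 191-byte RSA message rejected: %v\n",
		got, err, oversizedRSARejected(&priv.PublicKey, 191))
}
```

Run it with `go run`. The 190-byte ceiling comes from OAEP padding, so a single RSA operation cannot carry an HTTP body regardless of its cost, which is the second reason the article gives for using symmetric encryption for content. AES-GCM also refuses to open a record that was modified in transit, which is the integrity property listed at the start of the article.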

Is https absolutely secure

It is not absolutely secure; it can be attacked by a man-in-the-middle.

What is a man-in-the-middle attack

A man-in-the-middle attack means that the attacker creates independent connections with both ends of the communication and relays the data between them, so that both ends believe they are talking directly to each other over a private connection, when in fact the entire conversation is completely controlled by the attacker.

HTTPS uses the SSL encryption protocol, which is a very secure mechanism; at present there is no way to attack the protocol itself directly. Instead, the client's request is typically intercepted while the SSL connection is being established, and the middleman obtains the CA certificate, the public key used for asymmetric encryption and the key used for symmetric encryption; with these, requests and responses can be intercepted and tampered with.

Process:

  1. Local requests are hijacked (for example by DNS hijacking), so all requests are sent to the middleman's server.
  2. The middleman's server returns the middleman's own certificate.
  3. The client creates a random number, encrypts it with the public key from the middleman's certificate, sends it to the middleman, and then uses the random number to set up symmetric encryption for the transmitted content.
  4. Because the middleman has the client's random number, it can decrypt the content with the symmetric encryption algorithm.
  5. The middleman sends the client's request content on to the official website.
  6. Because the communication between the middleman and the server is legitimate, the official website returns encrypted data through the established secure channel.
  7. The middleman decrypts the content with the symmetric encryption it established with the official website.
  8. The middleman re-encrypts the data returned by the official website with the symmetric encryption it established with the client and transmits it.
  9. The client decrypts the returned data with the symmetric encryption it established with the middleman.

Because the client did not verify the certificate, it has no idea that its network has been intercepted even though it initiated an HTTPS request, and the transmitted content is completely stolen by the middleman.

How does https prevent man-in-the-middle attacks

https requires a certificate, and the certificate's purpose is to prevent man-in-the-middle attacks. If an intermediary M intercepts the client's request, M can provide its own public key to the client and request the real public key from the server, acting as a "middleman" so that neither the client nor the server knows the information has been intercepted. At this point, it is necessary to prove that the public key really is the server's.

How to prove it?

An authoritative third party is needed to vouch for it. That third party is the CA. In other words, a CA is a guarantor that specializes in certifying and vouching for public keys. There are more than 100 well-known CAs in the world that are recognized globally, such as VeriSign and GlobalSign; well-known Chinese CAs include WoSign.

How does the browser ensure the legitimacy of the CA certificate?

1. What information does the certificate contain?

Issuer information, public key, company information, domain name, validity period, fingerprint, and so on.

2. What is the basis for the legality of the certificate?

First, the issuing authority must itself be certified; not just any organization is qualified to issue certificates, otherwise it would not be an authority. Second, the credibility of a certificate rests on a trust system: the authority endorses the certificates it issues, and as long as a certificate was generated by an authority, we consider it legitimate. For this reason the authority reviews the applicant's information. Different levels of authority have different review requirements, which is why certificates come in free, cheap and expensive varieties.

3. How does the browser verify the validity of the certificate?

When the browser initiates an HTTPS request, the server returns the website's SSL certificate, and the browser verifies the certificate as follows:

  1. Verify that the domain name, validity period and other information are correct. This information is contained in the certificate itself, so this check is easy to complete;
  2. Determine whether the source of the certificate is legitimate. For every issued certificate, the corresponding root certificate can be found by following the verification chain. The operating system and browser store the authorities' root certificates locally, and these local root certificates are used to verify the source of certificates issued by the corresponding authority;
  3. Determine whether the certificate has been tampered with. This needs to be checked with the CA server;
  4. Determine whether the certificate has been revoked. This is implemented through CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol). OCSP can be used in step 3 to reduce interaction with the CA server and improve verification efficiency.

The browser considers the certificate legitimate only when all of the above checks pass.
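The browser-side checks listed above (chain to a locally trusted root, domain name, validity period), and why the middleman's self-issued certificate from the man-in-the-middle section fails them, as an added Go example that is not part of the original article. It builds a throwaway "Trusted Root CA", a "Middleman CA" and three leaf certificates in memory using only the standard library; example.com and the CA names are constructed values, and revocation (CRL/OCSP) is not exercised.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Added example, not the article's code: an in-memory CA and the browser's checks.

// issue signs template under parent with parentKey; with parent == nil the
// certificate is self-signed (a root CA). It returns the cert and its new key.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// serial draws a random serial number, as real CAs do.
func serial() *big.Int { n, _ := rand.Int(rand.Reader, big.NewInt(1<<62)); return n }

func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          serial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

func leafTemplate(host string, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: serial(),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the name the browser compares with the URL
		NotBefore:    time.Now().Add(-2 * time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// PKI holds a trusted root, a rogue "middleman" root and three leaf certs.
type PKI struct {
	Root, RogueRoot, Leaf, RogueLeaf, ExpiredLeaf *x509.Certificate
}

// buildPKI constructs the scenario; "example.com" is a hypothetical hostname.
func buildPKI() (*PKI, error) {
	root, rootKey, err := issue(caTemplate("Trusted Root CA"), nil, nil)
	if err != nil {
		return nil, err
	}
	rogue, rogueKey, err := issue(caTemplate("Middleman CA"), nil, nil)
	if err != nil {
		return nil, err
	}
	valid := time.Now().Add(24 * time.Hour)
	leaf, _, e1 := issue(leafTemplate("example.com", valid), root, rootKey)
	rogueLeaf, _, e2 := issue(leafTemplate("example.com", valid), rogue, rogueKey)
	expired, _, e3 := issue(leafTemplate("example.com", time.Now().Add(-time.Hour)), root, rootKey)
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, fmt.Errorf("issuing leaves: %v %v %v", e1, e2, e3)
	}
	return &PKI{root, rogue, leaf, rogueLeaf, expired}, nil
}

// verifyLeaf does what the browser does: chain the leaf to a root in the local
// trust store, compare the hostname, and check the validity period against now.
func verifyLeaf(leaf, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	p, err := buildPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine leaf:    ", verifyLeaf(p.Leaf, p.Root, "example.com"))
	fmt.Println("wrong hostname:  ", verifyLeaf(p.Leaf, p.Root, "other.example"))
	fmt.Println("middleman's leaf:", verifyLeaf(p.RogueLeaf, p.Root, "example.com"))
	fmt.Println("expired leaf:    ", verifyLeaf(p.ExpiredLeaf, p.Root, "example.com"))
}
```

verifyLeaf returns nil only for the leaf issued by the trusted root, for the requested hostname, within its validity period. The middleman's leaf is rejected with an unknown-authority error even though it carries the same hostname, which is exactly the check the hijacked client in the process above skipped. That same leaf would verify if its own root were in the trust store, so the client's local root store is what the whole scheme rests on.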

Learning bonus

[Android detailed knowledge point mind map (skill tree)]

In fact, Android development has a great many knowledge points, yet interviews still ask about only a few of them. So there is no trick to interviews beyond how well you prepare those knowledge points. Before you go out to interview, it helps to see which stage of review you have reached.

Although Android is not as hot as in previous years, and the era of landing a high-paying job by knowing the four major components has passed, this only shows that Android positions below the intermediate level are saturated. Senior engineers are still relatively scarce, and many senior positions pay very well (even with plenty of money, companies may not find a suitable candidate), so striving to become a senior engineer is what matters most.

Attached here are dozens of sets of 2019 interview questions related to the topics above from ByteDance, JD.com, Xiaomi, Tencent, Toutiao, Alibaba, Meituan and other companies. The technical points have been organized into videos and PDFs (which took far more effort than expected), covering both the knowledge and many details.

Due to limited space, only a small part is shown here in the form of pictures.

The detailed arrangement can be seen on GitHub:

Android architecture video + BAT interview topic PDF + study notes​


There is a lot of material for learning Android on the Internet, but if what you learn is not structured, and when you encounter a problem you only scratch the surface instead of studying it in depth, it is hard to achieve real technical improvement. I hope this systematic technical outline can give you a reference direction.


Source: blog.csdn.net/Sunbuyi/article/details/114138416