Why is HTTPS more secure than HTTP? The security principles of HTTPS and its differences from HTTP

Table of Contents

What is HTTPS

Why you need HTTPS

How does HTTPS achieve its security?

Symmetric encryption + asymmetric encryption (the hybrid scheme HTTPS uses)

Solving the tampering problem: digital signatures

How do we know the public key itself is genuine?

The differences between HTTPS and HTTP

Why not all websites use HTTPS


HTTPS is more secure, but what makes it secure? This article covers the following points:

  • What the problems with plain HTTP communication are
  • How HTTPS fixes those problems
  • How HTTPS works

 

What is HTTPS

HTTPS is HTTP run over an SSL/TLS encryption layer that encrypts the data in transit; it is the secure version of the HTTP protocol. SSL is the older name for the protocol: every SSL version, and TLS 1.0 and 1.1, are now deprecated, and current deployments use TLS 1.2 or 1.3, but the term "SSL" survives in phrases such as "SSL certificate".

Why you need HTTPS

Plain HTTP has three weaknesses:

  • Communication is in plain text (not encrypted), so the content can be eavesdropped on
  • The integrity of a message cannot be proven, so it may be tampered with in transit
  • The identity of the other party is not verified, so a client may be talking to an impostor

 

The HTTPS protocol has the following advantages over HTTP (described in detail below):

  • Confidentiality: content is symmetrically encrypted with a session key that is unique to each connection
  • Integrity: transmitted content is integrity-checked (in modern cipher suites by the AEAD authentication tag on every record)
  • Authentication: a third party cannot impersonate the server (or, when client certificates are used, the client)

 

How does HTTPS achieve its security?

Normally HTTP talks directly to TCP. With SSL/TLS in use, HTTP talks to the TLS layer and the TLS layer talks to TCP. In short, HTTPS is HTTP wrapped in the shell of the SSL/TLS protocol.

 

TLS/SSL is built on three kinds of primitives: hash functions, symmetric encryption and asymmetric encryption. Asymmetric cryptography provides identity authentication and key negotiation; the symmetric cipher uses the negotiated key to encrypt the data; and hash-based constructions (HMAC, or the authentication tag of an AEAD cipher) verify the integrity of each record.

 

Symmetric encryption + asymmetric encryption (the hybrid scheme HTTPS uses)

The method works as follows: the sender generates a random symmetric key, encrypts it with the receiver's public key and sends it; the receiver decrypts it with its own private key. Provided the private key has stayed secret, the exchanged key is safe, and from then on the two sides communicate with symmetric encryption, which is far cheaper than asymmetric encryption for bulk data. HTTPS therefore uses a hybrid mechanism combining both. One caveat: this "encrypt the session key with the server's public key" description is the RSA key exchange of TLS 1.2 and earlier. TLS 1.3 removed it: the session key is derived from an ephemeral (EC)DHE exchange and the server's certificate key is used only to sign the handshake, which gives forward secrecy (a later compromise of the server's private key does not expose previously recorded sessions).
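The hybrid scheme described above, as an added example in Go that is not part of the original article. It uses only the Go standard library: RSAKeyTransport wraps a fresh AES-256 session key with the server's public key exactly as the paragraph describes (with RSA-OAEP padding; TLS 1.2's RSA key exchange used the weaker PKCS#1 v1.5), ECDHEKeyAgreement shows the ephemeral Diffie-Hellman agreement TLS 1.3 uses instead, and SealRecord/OpenRecord protect the data with AES-GCM under the agreed key. The function names, the 2048-bit test key and the single-SHA-256 key derivation (TLS uses HKDF) are this example's own simplifications, not TLS itself.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// newGCM builds an AES-256-GCM AEAD from a 32-byte key; its tag exposes any tampering.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts plaintext under key and prepends the random nonce.
func SealRecord(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenRecord reverses SealRecord; it fails on a truncated record or a bad tag.
func OpenRecord(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("record too short: %d bytes", len(sealed))
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// RSAKeyTransport is the scheme the article describes (TLS 1.2's RSA key exchange):
// the client picks the session key and wraps it with the server's long-term public key.
func RSAKeyTransport(serverKey *rsa.PrivateKey) (clientView, serverView []byte, err error) {
	sessionKey := make([]byte, 32) // fresh 256-bit key from the CSPRNG
	if _, err := io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &serverKey.PublicKey, sessionKey, nil)
	if err != nil {
		return nil, nil, err
	}
	unwrapped, err := rsa.DecryptOAEP(sha256.New(), nil, serverKey, wrapped, nil) // server side
	if err != nil {
		return nil, nil, err
	}
	return sessionKey, unwrapped, nil
}

// ECDHEKeyAgreement is what TLS 1.3 does instead: ephemeral P-256 keys, public points
// exchanged, the same secret derived on both sides; the certificate key never touches
// it (forward secrecy). TLS uses HKDF; one SHA-256 stands in for it here (simplification).
func ECDHEKeyAgreement() (clientView, serverView []byte, err error) {
	curve := ecdh.P256()
	clientPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serverPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	clientSecret, err := clientPriv.ECDH(serverPriv.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	serverSecret, err := serverPriv.ECDH(clientPriv.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	ck, sk := sha256.Sum256(clientSecret), sha256.Sum256(serverSecret)
	return ck[:], sk[:], nil
}

func main() {
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048) // test key, generated on the fly
	if err != nil {
		panic(err)
	}
	ck, sk, _ := RSAKeyTransport(serverKey)
	ek, es, _ := ECDHEKeyAgreement()
	fmt.Println("same key on both sides? RSA:", string(ck) == string(sk), "ECDHE:", string(ek) == string(es))
}
```

Both key-establishment functions return the key as the client and as the server see it, so a caller can confirm the two views match and then seal a record with one and open it with the other. Flipping any bit of a sealed record makes OpenRecord fail, which is the integrity guarantee the article attributes to the hash function.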

 

Solving the tampering problem: digital signatures

There are many intermediate nodes on the network path. Even if they cannot decrypt the data, they may tamper with it. How can the integrity and origin of the data be verified? By verifying a digital signature. (In TLS itself, signatures authenticate the certificate and the handshake; the per-record integrity of application data is protected by a MAC or AEAD tag keyed with the session key, which is far cheaper than signing every record.)

A digital signature serves two purposes:

  • It establishes that the message was signed and sent by the sender, because nobody else can produce the sender's signature without the private key.
  • It confirms the integrity of the message: if the data has been changed, the signature no longer verifies.

 

The sender first hashes the text to produce a message digest, then signs the digest with its private key to produce the digital signature, and transmits the signature together with the original text. ("Encrypting the digest with the private key" is the common way to picture this, but it is RSA-specific shorthand; signature schemes such as ECDSA or Ed25519 have a dedicated signing operation.) The receiver then verifies: it recomputes the digest of the received text, checks the signature against it with the sender's public key, and accepts the text only if the check passes, which shows both that the text is unchanged and that it came from the holder of the private key.
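The sign-and-verify sequence just described, as an added example (not from the original article) in Go using ECDSA over P-256 with SHA-256 from the standard library. The message texts and the key names (sender, attacker) are constructed for the demonstration; Demo returns the three verification outcomes so that the tampered and impostor cases can be checked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedMessage is what travels to the receiver: the original text plus the
// sender's signature over its digest.
type SignedMessage struct {
	Text      []byte
	Signature []byte
}

// Sign hashes the text with SHA-256 and signs the digest with the private key.
func Sign(priv *ecdsa.PrivateKey, text []byte) (SignedMessage, error) {
	digest := sha256.Sum256(text)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return SignedMessage{}, err
	}
	return SignedMessage{Text: text, Signature: sig}, nil
}

// Verify recomputes the digest of the received text and checks the signature
// against the sender's public key. A changed text, a changed signature, or a
// signature made under some other key all make it return false.
func Verify(pub *ecdsa.PublicKey, m SignedMessage) bool {
	digest := sha256.Sum256(m.Text)
	return ecdsa.VerifyASN1(pub, digest[:], m.Signature)
}

// Demo returns the verification result for a genuine message, for a copy whose
// text was altered in transit, and for a message signed by an impostor who does
// not hold the sender's private key.
func Demo() (genuine, tampered, impostor bool, err error) {
	sender, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	attacker, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	// Constructed sample payload; the content is irrelevant to the scheme.
	msg, err := Sign(sender, []byte("transfer 100 to alice"))
	if err != nil {
		return false, false, false, err
	}
	genuine = Verify(&sender.PublicKey, msg)

	altered := msg // an intermediary rewrites the text but cannot re-sign it
	altered.Text = []byte("transfer 900 to mallory")
	tampered = Verify(&sender.PublicKey, altered)

	forged, err := Sign(attacker, []byte("transfer 900 to mallory"))
	if err != nil {
		return false, false, false, err
	}
	impostor = Verify(&sender.PublicKey, forged) // checked against the real sender's key
	return genuine, tampered, impostor, nil
}

func main() {
	genuine, tampered, impostor, err := Demo()
	fmt.Printf("genuine=%v tampered=%v impostor=%v err=%v\n", genuine, tampered, impostor, err)
}
```

The impostor case is the one that matters for the next section: the forged message verifies perfectly against the attacker's own public key, so the scheme is only as good as the receiver's knowledge of whose public key it holds.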

 

How do we know the public key itself is genuine?

A digital signature only helps if the verifier holds the signer's real public key; an attacker who can substitute their own public key can then sign whatever they like. This is solved by introducing a certificate authority (CA): the CA digitally signs the server's public key, together with identifying information such as the domain name and validity period, producing a certificate.

The client receiving the certificate verifies the CA's signature on it with the CA's public key, which is pre-installed in the operating system or browser trust store. Once verification passes, the client knows two things:

1. The certificate was issued by a genuine, trusted certificate authority and has not been altered since it was signed.

2. The server's public key in the certificate is therefore trustworthy: the CA vouches that it belongs to the named domain, and the server proves during the handshake that it holds the matching private key.

 

 

1. The client initiates an HTTPS request (for example https://juejin.im/user/5a9a9cdcf265da238b7d771c). Per RFC 2818, the client knows to connect to the server's port 443 (the default).

2. The server returns its pre-configured public key certificate (in practice together with any intermediate CA certificates needed to chain it to a root) to the client.

3. The client verifies the certificate: is it within its validity period, does its name (subject alternative name) match the site being requested, is its purpose server authentication, has it been revoked (CRL or OCSP), and is the certificate that issued it valid in turn? This check recurses until it reaches a root certificate built into the operating system or the client. If every check passes the handshake continues; if any fails, a warning is displayed.

4. The client generates the symmetric session key with a cryptographically secure random number generator, encrypts it with the public key from the certificate and sends it to the server. (This is the RSA key exchange of TLS 1.2 and earlier; TLS 1.3 instead derives the session key from an ephemeral Diffie-Hellman exchange and uses the certificate key only to sign the handshake.)

5. The server decrypts the message with its private key and obtains the session key. From this point both client and server hold the same symmetric key.

6. The server encrypts "plaintext content A" with the symmetric key and sends it to the client.

7. The client decrypts the response with the symmetric key and recovers "plaintext content A".

8. The client sends another HTTPS request, encrypting "plaintext content B" with the symmetric key; the server decrypts it with the same key and obtains "plaintext content B".
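Steps 2 and 3 of this procedure, together with the CA signing from the previous section, as an added example in Go using the standard library's crypto/x509 (not code from the original article). NewCA builds a self-signed root and Issue signs a leaf certificate for a host name, standing in for a real CA; ClientCheck is the verification the client performs on the certificate it is handed. Scenarios then feeds the client a genuine certificate, the same certificate for a different host, an expired one, and one signed by a CA that is not in the client's trust store. The CA names and host names (Example Test Root CA, Rogue CA, www.example.test) are made up for the demonstration, and revocation checking is left out because x509.Verify does not perform it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a throwaway authority for this demonstration; real roots live in the OS or browser trust store.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// create signs tmpl with the parent's key and parses the resulting certificate.
func create(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a self-signed root certificate and its private key.
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := create(tmpl, tmpl, &key.PublicKey, key)
	return &CA{Cert: cert, Key: key}, err
}

// Issue signs a server certificate for host: the CA vouches that the embedded
// public key belongs to that name. notAfter lets the caller issue an expired one.
func (ca *CA) Issue(host string, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-2 * time.Hour),
		NotAfter:     notAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return create(tmpl, ca.Cert, &key.PublicKey, ca.Key)
}

// ClientCheck is step 3 as the client performs it: chain to a trusted root, validity
// period, host-name match and server-auth purpose. Revocation needs a separate check.
func ClientCheck(roots *x509.CertPool, leaf *x509.Certificate, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Scenarios reports whether a client that trusts only the genuine root accepts each
// of four certificates it might be handed. Only the first should pass.
func Scenarios() (map[string]bool, error) {
	trusted, errA := NewCA("Example Test Root CA")
	rogue, errB := NewCA("Rogue CA") // an attacker's own CA, absent from the trust store
	if errA != nil || errB != nil {
		return nil, fmt.Errorf("CA setup failed: %v / %v", errA, errB)
	}
	roots := x509.NewCertPool()
	roots.AddCert(trusted.Cert)
	later, earlier := time.Now().Add(24*time.Hour), time.Now().Add(-time.Hour)
	good, err1 := trusted.Issue("www.example.test", later)
	expired, err2 := trusted.Issue("www.example.test", earlier)
	forged, err3 := rogue.Issue("www.example.test", later)
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, fmt.Errorf("issuance failed: %v / %v / %v", err1, err2, err3)
	}
	return map[string]bool{
		"valid cert, correct host": ClientCheck(roots, good, "www.example.test") == nil,
		"valid cert, wrong host":   ClientCheck(roots, good, "login.example.test") == nil,
		"expired cert":             ClientCheck(roots, expired, "www.example.test") == nil,
		"cert from untrusted CA":   ClientCheck(roots, forged, "www.example.test") == nil,
	}, nil
}
```

Each rejected case fails with a distinct error type from crypto/x509 (x509.HostnameError, x509.CertificateInvalidError with reason Expired, x509.UnknownAuthorityError), which is what a browser turns into its warning page. The "wrong host" case is the one an attacker with a genuinely issued certificate for some other domain would hit, and is why the client must pass the name it requested into the check rather than trusting whatever name the certificate carries.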

 

The differences between HTTPS and HTTP

  • HTTPS is more secure than HTTP and is favoured by search engines: Google and Baidu index HTTPS pages preferentially, which helps SEO;
  • HTTPS requires an SSL/TLS certificate, HTTP does not;
  • HTTPS uses standard port 443, HTTP uses standard port 80;
  • HTTP is an application-layer protocol that runs directly on TCP; HTTPS keeps HTTP at the application layer but inserts TLS between it and the transport layer (TCP);
  • Browsers show a padlock for HTTPS pages and current versions label HTTP pages "Not secure"; the green lock and company name once shown for EV certificates have since been dropped by the major browsers.

 

Why not all websites use HTTPS

Since HTTPS is so safe and reliable, why don't all web sites use it?

First, many people still believe there is a barrier to deploying HTTPS: a certificate issued by an authoritative CA is required, and in the traditional model selecting, purchasing and deploying it is time-consuming and laborious. (Automated issuance over the ACME protocol, as offered by Let's Encrypt, has removed most of that effort.)

Second, HTTPS is generally believed to cost more in performance than HTTP, because encrypted communication consumes more CPU and memory than plaintext communication. If every request is encrypted, the reasoning goes, a given server can handle fewer of them. In practice this is no longer the case: with performance tuning and with TLS terminated at a load balancer (SLB) or CDN the overhead is small. A practical example: during the "Double Eleven" shopping festival, Taobao and Tmall, which run HTTPS site-wide, kept web and mobile browsing and transactions running smoothly, and testing showed that many optimized pages performed the same as over HTTP or even slightly better. After optimization, HTTPS is not slow.

Third, the cost of the certificate itself. HTTPS cannot work without a certificate, and traditionally that certificate had to be bought from a CA; free CAs such as Let's Encrypt have largely eliminated this cost as well.

Finally, there is security awareness. Security awareness and technology adoption in the Internet industry, both at home and abroad, have become relatively mature, and the deployment of HTTPS is now pushed jointly by society, enterprises and governments.

 

Source: blog.csdn.net/Goligory/article/details/104513317