[Network] What is the difference between HTTP and HTTPS?

HTTP protocol

1. The HTTP protocol specifies the format of the requests that are sent and the responses that are returned


2. Request message

A request message consists of the request method, the request URL, the protocol version, optional request header fields, and the content entity (the body). Note the blank line after the request header fields: it separates the headers from the body.

3. Response message

The response message starts with the protocol version: HTTP/1.1 indicates the HTTP version used by the server, and the following 200 OK gives the status code and reason phrase for the result of processing the request. The next line is the date and time at which the response was created, which is one of the header fields. Then comes a blank line, followed by the body of the response.
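The two message layouts described above, as an added Go example that is not part of the original post: a small parser that reads the start line, the header fields, the blank line that ends them, and a body bounded by Content-Length. The message strings used with it are constructed samples; a body shorter than Content-Length is rejected as truncated rather than silently accepted.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/textproto"
	"strconv"
	"strings"
)

// Message is the shape shared by requests and responses: a start line, header
// fields, the blank line that ends them, and an optional entity body.
type Message struct {
	StartLine [3]string // request: method, URL, version; response: version, status code, reason phrase
	Headers   textproto.MIMEHeader
	Body      []byte
}

// ParseMessage reads one HTTP/1.1 message from raw text. The header section
// ends at the first blank line; the body is exactly Content-Length bytes, and a
// message whose body is shorter than it claims is rejected as truncated.
func ParseMessage(raw string) (*Message, error) {
	tp := textproto.NewReader(bufio.NewReader(strings.NewReader(raw)))
	line, err := tp.ReadLine()
	if err != nil {
		return nil, fmt.Errorf("missing start line: %w", err)
	}
	parts := strings.SplitN(line, " ", 3)
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed start line %q", line)
	}
	hdr, err := tp.ReadMIMEHeader() // consumes the header fields and the blank line
	if err != nil {
		return nil, fmt.Errorf("malformed header section: %w", err)
	}
	msg := &Message{StartLine: [3]string{parts[0], parts[1], parts[2]}, Headers: hdr}
	if cl := hdr.Get("Content-Length"); cl != "" {
		n, err := strconv.Atoi(cl)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("bad Content-Length %q", cl)
		}
		msg.Body = make([]byte, n)
		if _, err := io.ReadFull(tp.R, msg.Body); err != nil {
			return nil, fmt.Errorf("body shorter than Content-Length: %w", err)
		}
	}
	return msg, nil
}
```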

4. Features of HTTP protocol

The HTTP protocol is a stateless protocol: the protocol itself does not save previously sent requests or responses. Every new request produces a corresponding new response. The protocol was designed this way so that a large number of transactions can be processed quickly, which is why it is kept so simple.

5. HTTP method

Method    Effect
GET       Get the resource
POST      Transmit an entity body
PUT       Transfer a file
HEAD      Get the message header
DELETE    Delete a file
OPTIONS   Ask which methods are supported
TRACE     Trace the path
CONNECT   Require a tunneling protocol to connect to a proxy

6. Persistent connections save communication overhead

For example, when a browser displays an HTML page that contains several pictures, the request for the HTML page is followed by requests for the other resources the page contains. If every request uses its own TCP connection, many unnecessary TCP connection setups and disconnections occur, which greatly wastes resources.

So persistent connections are necessary.

Method 1: Persistent connection. The TCP connection is kept open across requests, and HTTP requests can then be sent in a pipelined manner: multiple requests are sent concurrently without waiting for each response in turn.

Method 2: Cookie state management.
The server tells the client to save a cookie through a header field called Set-Cookie in the response message. The next time the client sends a request to the server, it automatically adds the Cookie value to the request message before sending it. When the server finds the cookie sent by the client, it checks which client the request came from and compares it with the records kept on the server to recover the previous state information.

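The Set-Cookie / Cookie exchange above, as an added Go example that is not part of the original post. It runs an in-process test server and lets a cookie jar play the browser; the cookie name sid and its value are constructed for the example, and the HttpOnly and SameSite attributes show the defensive settings a real server would add.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
)

// sessionHandler is the server side of the Set-Cookie / Cookie round trip: a
// request without the cookie gets one issued; a request carrying it is recognised.
func sessionHandler(w http.ResponseWriter, r *http.Request) {
	if c, err := r.Cookie("sid"); err == nil {
		w.Header().Set("X-State", "known:"+c.Value)
		return
	}
	http.SetCookie(w, &http.Cookie{
		Name:     "sid",
		Value:    "constructed-session-id", // a real server issues a random, unguessable id
		Path:     "/",
		HttpOnly: true, // page scripts cannot read it, which limits theft of the cookie via XSS
		SameSite: http.SameSiteLaxMode,
	})
	w.Header().Set("X-State", "new")
}

// RoundTrip runs the exchange against an in-process server, with a cookie jar
// playing the browser, and returns what the server saw on each of two visits.
func RoundTrip() (first, second string, err error) {
	srv := httptest.NewServer(http.HandlerFunc(sessionHandler))
	defer srv.Close()
	jar, err := cookiejar.New(nil)
	if err != nil {
		return "", "", err
	}
	client := &http.Client{Jar: jar} // stores Set-Cookie and adds the Cookie header automatically
	for _, seen := range []*string{&first, &second} {
		resp, getErr := client.Get(srv.URL + "/")
		if getErr != nil {
			return "", "", getErr
		}
		resp.Body.Close()
		*seen = resp.Header.Get("X-State")
	}
	return first, second, nil
}

func main() {
	fmt.Println(RoundTrip()) // new known:constructed-session-id <nil>
}
```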

7. HTTP response status code

Category                         Reason phrase
1XX Informational status code    The received request is being processed
2XX Success status code          The request was processed normally
3XX Redirection status code      Additional action is required to complete the request
4XX Client error status code     The server cannot process the request
5XX Server error status code     The server failed while processing the request

Why is HTTPS needed?

1. Disadvantages of HTTP

HTTP has its good side, but it also has shortcomings. The main ones are:

  • Communication uses plaintext (it is not encrypted), so the content may be eavesdropped on;
  • The identity of the communicating party is not verified, so masquerading is possible;
  • The integrity of the message cannot be proved, so it may have been tampered with;
  • It cannot be determined whether the client the response is returned to is the one it was really intended for; it may be a disguised client;
  • There is no way to tell where a request comes from or who sent it.

To effectively address these drawbacks, the HTTPS protocol is necessary.

2. HTTP + encryption + authentication + integrity protection = HTTPS

HTTPS communication is commonly used on web login pages and shopping cart checkout pages. When HTTPS is used, the URL starts with https:// instead of http://, and when you access the web server with a browser, a lock icon appears.

(1) HTTPS is HTTP with an SSL shell.
HTTPS is not a new application-layer protocol; the HTTP communication interface is replaced by the SSL (Secure Socket Layer) or TLS (Transport Layer Security) protocol.
In the past, HTTP communicated directly with TCP. When SSL is used, HTTP communicates with SSL first, and SSL then communicates with TCP. SSL is a protocol independent of HTTP, so not only HTTP but also other application-layer protocols such as SMTP and Telnet can be used in conjunction with SSL.

(2) When a browser is installed, it already contains certificates issued by authoritative certification authorities. But what is a certificate for?

First, the problems that must be solved during data transmission are:
(1) How to ensure that the server is genuine and not a phishing website?
(2) Network transmission in plaintext: if any device along the path is compromised, information leaks. A phisher who obtains account names and passwords then uses them to visit our real website for illegal gain.

How is this solved? With certificates.
(1) A certificate issued by an authoritative certificate authority guarantees that the server is not a phishing website.
(2) The HTTPS server's certificate also solves the problem of plaintext transmission.

The principle and function of the certificate:


Asymmetric encryption: data encrypted with the public key is decrypted with the private key, and data encrypted with the private key is decrypted with the public key.
Key: the key the client and server use to encrypt and decrypt data.
Symmetric encryption: the same key is used for both encryption and decryption (a shared key).

The details involved in HTTPS:
1. Generating the key (the key that encrypts and decrypts the real data), and making sure that this key is genuinely reliable and not sent by a phishing website: symmetric encryption.
2. Using the public and private keys to produce that key: asymmetric encryption.

When a shared key is used for encryption, the key must also be delivered to the other party. If the key is sent over the Internet and the communication is monitored, it may fall into an attacker's hands, and the encryption then loses its meaning. In addition, the received key must be kept safe.

So public key encryption, which uses two keys, is used instead:

Public key encryption uses a pair of asymmetric keys. One is called the private key and the other the public key. The private key must not be known to anyone else, while the public key can be freely released so that anyone can obtain it.

With public key encryption, the sender encrypts the message with the other party's public key, and the receiver decrypts it with its own private key. This way there is no need to send one's private key, and no need to worry about the key being eavesdropped on.

HTTPS uses a hybrid encryption method:
Public key encryption is computationally more expensive than shared key encryption, so using public key encryption for all communication would be inefficient. Therefore the two are combined: the public key method is used in the key exchange phase, and the subsequent communication uses the shared key method.

But how can the public key itself be proved genuine?
For this, public key certificates issued by a digital certificate certification authority (CA) and its related agencies are used.
The CA is a third-party organization trusted by both the client and the server. First, the operator of the server submits a public key application to the CA. After the CA verifies the identity of the applicant, it digitally signs the submitted public key (the signature is equivalent to a seal), puts the public key into a public key certificate together with the signature, and binds them. Then the server sends the public key certificate issued by the CA to the client and proceeds with public key encrypted communication.

Public key certificates are also called digital certificates, or simply certificates.
The browser mentioned above already contains certificates issued by authoritative certification authorities when it is installed: when the browser developer releases a version, the public keys of commonly used certification authorities are embedded in advance.
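How the built-in CA public key lets the browser check a server certificate, as an added Go example that is not part of the original post. It builds a self-signed root CA, issues a server certificate from it, and verifies the chain and host name; the CA name, the host name and the must helper that aborts on error are this example's own. A certificate for the same host name issued by an unknown CA fails verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must aborts on error so the example stays short; real code returns errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert creates a key pair and a certificate for it. With parent == nil it is a
// self-signed root CA; otherwise a server certificate signed by the parent CA's key.
func newCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signer := parentKey
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = tmpl, key
	} else {
		tmpl.DNSNames = []string{name} // the host name the browser will compare against
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// Verify does what the browser does with its built-in CA public key: the server
// certificate must chain to the trusted root and its name must match the host.
func Verify(server, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```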


Origin blog.csdn.net/m0_46551861/article/details/114898814