Difference between HTTP and HTTPS

A digital certificate is a public key certified by a CA. The private key is generally generated locally by the certificate holder, who is responsible for keeping it safe. In use, a signature operation means the sender signs with their private key and the receiver verifies the signature with the sender's certificate; an encryption operation means the sender encrypts with the receiver's certificate and the receiver decrypts with their own private key.

1) What is the difference between HTTP and HTTPS

Data sent over HTTP is unencrypted, that is, it travels in plain text. Using HTTP to transmit private information is therefore very insecure. To make sure this private data could be encrypted in transit, Netscape designed the SSL (Secure Sockets Layer) protocol to encrypt the data carried by HTTP, and so HTTPS was born.

In short, HTTPS is a network protocol built from SSL + HTTP that provides encrypted transmission and identity authentication, and it is more secure than HTTP.

The main differences between HTTPS and HTTP are as follows:

1. HTTPS requires applying to a CA for a certificate. Free certificates are generally rare, so a fee is usually required.

2. HTTP is the Hypertext Transfer Protocol and transmits information in plaintext; HTTPS is a secure transfer protocol encrypted with SSL.

3. HTTP and HTTPS use completely different connection methods and different ports: the former uses 80 and the latter 443.

4. An HTTP connection is simple and stateless; HTTPS is a network protocol built from SSL + HTTP that provides encrypted transmission and identity authentication, which makes it safer than HTTP.

2) How HTTPS works

We all know that HTTPS encrypts information so that sensitive data cannot be obtained by third parties, which is why many banking websites, e-mail services and other services with high security requirements use HTTPS.

1. The client initiates an HTTPS request

There is little to say here: the user enters an https URL in the browser, and the browser connects to port 443 on the server.

2. Server configuration

A server using HTTPS must have a set of digital certificates, which you can either issue yourself or apply for from an organization. The difference is that a certificate you issued yourself must be accepted by the client before access can continue, while a certificate obtained from a trusted company does not cause a prompt page to pop up.

This set of digital certificates is the public key certified by the CA; the private key is generally generated locally by the certificate holder, who is responsible for keeping it safe. If public and private keys are unfamiliar, think of them as a lock and a key. You are the only one in the world who has the key. You can give the lock to others, and they can use it to lock up important things and send them to you. Because only you have the key, only you can see what has been locked with this lock.

3. Send the certificate

This certificate is essentially the public key, but it also carries a lot of other information, such as the certificate authority, the expiration time, and so on.

4. The client parses the certificate

This work is done by the client's TLS implementation. It first verifies whether the public key is valid, checking for example the issuing authority and the expiration time. If a problem is found, a warning box pops up saying that there is a problem with the certificate.

If there is no problem with the certificate, the client generates a random value (private key) and encrypts it with the certificate (public key). As described above, the random value is locked with the lock, so that nobody without the key can see the locked content.

5. Transmission of encrypted information

This step transmits the random value (private key) encrypted with the certificate. The purpose is to let the server obtain this random value, so that afterwards communication between the client and the server can be encrypted and decrypted with it.

6. Server-side decryption of information

After the server decrypts with its private key, it obtains the random value (private key) sent by the client and then encrypts the content symmetrically with that value. Unless the private key is known, the content cannot be read, and both the client and the server know the private key, so as long as the encryption algorithm is strong enough and the private key is complex enough, the data is safe enough.

7. Transmission of encrypted information

This is the information the server has encrypted with the private key, which can be restored on the client side.

8. Client decryption of information

The client decrypts the information sent by the server with the private key it generated earlier and so obtains the decrypted content. Even if a third party monitors the data during the whole process, there is nothing it can do with it.
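The eight steps above, carried through in code as an added example (not from the original article): a constructed CA signs the server certificate, the client checks it, and the client then sends a random value locked with the certificate's public key. The RSA here is textbook RSA on fixed toy primes and `xor_stream` is a stand-in for a real cipher; the certificate layout and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

def rsa_keypair(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def cert_digest(c):
    body = f"{c['subject']}|{c['issuer']}|{c['not_after']}|{c['pub']}"
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big")

def issue_cert(subject, pub, not_after, ca_name, ca_priv):
    c = {"subject": subject, "issuer": ca_name, "not_after": not_after, "pub": pub}
    c["sig"] = pow(cert_digest(c), ca_priv[1], ca_priv[0])  # CA signs with its private key
    return c

def client_check(c, host, trusted_cas, now):
    """Step 4: trusted issuer, valid CA signature, not expired, name matches."""
    ca_pub = trusted_cas.get(c["issuer"])
    return (ca_pub is not None and c["subject"] == host and now < c["not_after"]
            and pow(c["sig"], ca_pub[1], ca_pub[0]) == cert_digest(c))

def xor_stream(key, nonce, data):
    """Stand-in symmetric cipher (SHA-256 keystream); real TLS uses AES-GCM or ChaCha20."""
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, msg):
    nonce = secrets.token_bytes(16)
    ct = xor_stream(key, nonce, msg)
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("record was modified in transit")
    return xor_stream(key, nonce, ct)

# Constructed demo keys from known Mersenne primes; toy RSA without padding, illustration only.
CA_PUB, CA_PRIV = rsa_keypair(2**521 - 1, 2**607 - 1)
SRV_PUB, SRV_PRIV = rsa_keypair(2**127 - 1, 2**107 - 1)

def handshake(cert, host, trusted_cas, now, srv_priv):
    if not client_check(cert, host, trusted_cas, now):
        raise ValueError("certificate rejected")  # the warning box in step 4
    secret = secrets.token_bytes(16)  # step 4: the client's random value
    wire = pow(int.from_bytes(secret, "big"), cert["pub"][1], cert["pub"][0])  # step 5
    server_key = pow(wire, srv_priv[1], srv_priv[0]).to_bytes(16, "big")  # step 6
    return secret, server_key, wire
```

Two different keys are involved: the server's RSA private key never leaves the server, while the random value is the shared secret that both sides end up holding and use for `seal` and `unseal` in steps 7 and 8.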

3) Advantages of HTTPS

1. SEO aspects

Google adjusted its search engine algorithm in August 2014, saying that "a site encrypted with HTTPS will rank higher in search results than an equivalent HTTP site".

2. Security

HTTPS is not absolutely secure: organizations that control root certificates and organizations that control encryption algorithms can still carry out man-in-the-middle attacks. Even so, HTTPS is the most secure solution under the current architecture, with the following advantages:

(1) HTTPS authenticates users and servers, ensuring that data is sent to the correct client and server;

(2) HTTPS is a network protocol built from SSL + HTTP that provides encrypted transmission and identity authentication. It is safer than HTTP: it prevents data from being stolen or changed in transit and ensures data integrity.

(3) HTTPS is the most secure solution under the current architecture. Although it is not absolutely secure, it greatly increases the cost of man-in-the-middle attacks.

4) Disadvantages of HTTPS

1. SEO aspects

According to ACM CoNEXT data, using HTTPS prolongs page loading time by nearly 50% and increases power consumption by 10% to 20%. In addition, HTTPS affects caching and increases data overhead and power consumption, and even existing security measures are affected by it.

Moreover, the scope of HTTPS encryption is relatively limited, and it does little against hacker attacks, denial-of-service attacks, or server hijacking.

Most importantly, the chain-of-trust system behind SSL certificates is not secure: man-in-the-middle attacks are feasible, especially where some countries can control a CA root certificate.

2. Economic aspects

(1) SSL certificates cost money. The more powerful the certificate, the higher the cost. Personal and small websites do not need them and generally will not use them.

(2) SSL certificates usually need to be bound to an IP address, and multiple domain names cannot be bound to the same IP. IPv4 resources cannot support this consumption.

(3) HTTPS connection caching is not as efficient as HTTP's, and the traffic cost is too high, so high-traffic websites will not use it unless necessary.

(4) HTTPS connections consume far more server-side resources, so supporting a website with even slightly more visitors costs more. If HTTPS is used everywhere, the average cost of a VPS, which is priced on the assumption that most computing resources are idle, will go up.

(5) The handshake phase of HTTPS is time-consuming and hurts the website's response speed. Unless it is necessary, there is no reason to sacrifice the user experience.

