Difference between HTTP and HTTPS

 

  The Hypertext Transfer Protocol (HTTP) is used to transfer information between a web browser and a web server. HTTP sends content in clear text and provides no form of data encryption. If an attacker intercepts the connection between the web browser and the web server, that clear-text content can be read directly. Therefore, HTTP is not suitable for transmitting sensitive information such as credit card numbers, passwords and other payment information.

  To address this weakness of HTTP, another protocol is needed: the Secure Sockets Layer hypertext transfer protocol, HTTPS. To secure data in transit, HTTPS adds the SSL protocol to HTTP; SSL relies on certificates to verify the server and encrypts the communication between the browser and the server.

1. Basic concepts of HTTP and HTTPS

  HTTP: the most widely used network protocol on the Internet. It is a request and response standard between client and server, carried over TCP, and is used to transmit hypertext from a WWW server to a local browser. It makes the server more efficient and reduces network transfers.

  HTTPS: a secure HTTP channel. In short, it is the secure version of HTTP, that is, HTTP with an SSL layer added. The security foundation of HTTPS is SSL, so the details of the encryption are handled by SSL.

  The main functions of the HTTPS protocol can be divided into two types: one is to establish an information security channel to ensure the security of data transmission; the other is to confirm the authenticity of the website.

2. What is the difference between HTTP and HTTPS?

  The data transmitted by HTTP is unencrypted, that is, in plain text. It is therefore very insecure to use HTTP to transmit private information. To ensure that private data can be encrypted in transit, Netscape designed the SSL (Secure Sockets Layer) protocol to encrypt the data transmitted by HTTP, and so HTTPS was born. In short, HTTPS is a network protocol built from SSL + HTTP that provides encrypted transmission and identity authentication, and it is more secure than HTTP.

  The main differences between HTTPS and HTTP are as follows:

  1. HTTPS requires applying to a CA for a certificate. Generally, there are few free certificates, so a certain fee is required.

  2. HTTP is the hypertext transfer protocol and transmits information in plaintext; HTTPS is a secure, SSL-encrypted transfer protocol.

  3. HTTP and HTTPS use completely different connection methods and different ports. The former uses 80 and the latter 443.

  4. An HTTP connection is very simple and stateless; HTTPS is a network protocol built from SSL + HTTP that provides encrypted transmission and identity authentication, which is safer than HTTP.

3. How HTTPS works

  We all know that HTTPS can encrypt information to prevent sensitive information from being obtained by third parties, so many banking websites, e-mail services and other services with high security requirements use HTTPS.

[Figure: The difference between HTTP and HTTPS (Ma Haixiang Blog)]

 The client has the following steps when using HTTPS to communicate with the Web server, as shown in the figure.

  (1) The client uses the https URL to access the web server and requires an SSL connection to be established with the web server.

  (2) After the web server receives the client request, it will send a copy of the website's certificate information (the certificate contains the public key) to the client.

  (3) The client's browser and the Web server begin to negotiate the security level of the SSL connection, that is, the level of information encryption.

  (4) The client's browser establishes a session key according to the security level agreed by both parties, and then encrypts the session key with the website's public key and transmits it to the website.

  (5) The Web server decrypts the session key with its own private key.

  (6) The Web server uses the session key to encrypt the communication with the client.
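The key exchange in steps (2) to (6), as an added example that is not part of the original article: the client wraps a random session key with the server's public key, and only the private-key holder can unwrap it. The tiny textbook-RSA key pair and the SHA-256 keystream cipher are stand-ins chosen so the sketch runs with the standard library alone; they are not what SSL/TLS actually uses.

```python
import hashlib
import secrets

# Toy server key pair (constructed for this example): textbook RSA over two
# Mersenne primes. Real certificates carry 2048-bit or larger keys with padding.
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537                    # public key, sent in the certificate (step 2)
D = pow(E, -1, (P - 1) * (Q - 1))      # private key, never leaves the server

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def client_key_exchange(server_n: int, server_e: int):
    """Step 4: pick a session key and encrypt it with the server's public key."""
    session_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session_key, "big"), server_e, server_n)
    return session_key, wrapped

def server_unwrap(wrapped: int) -> bytes:
    """Step 5: only the private-key holder can recover the session key."""
    return pow(wrapped, D, N).to_bytes(16, "big")

def run_exchange(request: bytes) -> dict:
    """Steps 2-6 end to end: what crosses the wire and what the server reads."""
    client_key, wrapped = client_key_exchange(N, E)
    server_key = server_unwrap(wrapped)
    ciphertext = keystream_xor(client_key, request)    # client -> server
    plaintext = keystream_xor(server_key, ciphertext)  # step 6: server decrypts
    return {"wire": (wrapped, ciphertext), "server_read": plaintext,
            "keys_match": client_key == server_key}

if __name__ == "__main__":
    # Constructed sample request
    result = run_exchange(b"POST /login user=alice&password=constructed-sample")
    print("keys match:", result["keys_match"])
    print("on the wire:", result["wire"][1].hex())
    print("server read:", result["server_read"])
```

TLS 1.3 no longer uses this RSA key transport: the session key is derived with ephemeral Diffie-Hellman and the certificate only authenticates the server.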

  

4. Advantages of HTTPS

  HTTPS is not absolutely secure: organizations that control root certificates and organizations that control encryption algorithms can still carry out man-in-the-middle attacks. Even so, HTTPS is the most secure solution under the current architecture, with the following advantages:

  (1) Use the HTTPS protocol to authenticate users and servers to ensure that data is sent to the correct client and server;

  (2) The HTTPS protocol is a network protocol constructed by the SSL+HTTP protocol that can perform encrypted transmission and identity authentication. It is safer than the http protocol, which can prevent data from being stolen and changed during the transmission process and ensure the integrity of the data.

  (3) HTTPS is the most secure solution under the current architecture. Although it is not absolutely secure, it greatly increases the cost of man-in-the-middle attacks.

  (4) Google adjusted its search engine algorithm in August 2014, saying that "a website encrypted with HTTPS will rank higher in search results than an equivalent HTTP website".

5. Disadvantages of HTTPS

  Although HTTPS has great advantages, it still has shortcomings:

  (1) The handshake phase of the HTTPS protocol is time-consuming, which will prolong the loading time of the page by nearly 50% and increase the power consumption by 10% to 20%;

  (2) HTTPS connection caching is not as efficient as HTTP, which will increase data overhead and power consumption, and even existing security measures will be affected as a result;

  (3) SSL certificates cost money. The more powerful the certificate, the higher the cost. It is not necessary for personal websites and small websites.

  (4) SSL certificates usually need to be bound to IP, and multiple domain names cannot be bound to the same IP. IPv4 resources cannot support this consumption.

  (5) The scope of what HTTPS encrypts is also relatively limited, and it offers almost no protection against hacker attacks, denial-of-service attacks, and server hijacking. Most importantly, the trust chain system of SSL certificates is not secure: especially when some countries can control the CA root certificate, man-in-the-middle attacks are feasible.

6. Switch from http to HTTPS

  What if I need to switch my website from http to https?

  All links in the page, such as js, css, pictures, etc., need to be changed from http to https. For example: http://www.baidu.com to https://www.baidu.com

  BTW, although http is switched to https here, it is recommended to keep http as well, so we can make the page compatible with both http and https when switching. The specific implementation method is to remove the http scheme from the links in the page, so that they automatically match either http or https. For example: change http://www.baidu.com to //www.baidu.com. Then, when the user enters the page from the http entry, the page is http; when the user enters the page from the https entry, the page is https.
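One way to find the links that still need changing, as an added example that is not part of the original article: a scanner that reports subresources referenced with a hard-coded http:// scheme and shows both rewrites described above. The sample page and its host names are constructed, and the tag list is a minimal assumption rather than a complete inventory.

```python
from html.parser import HTMLParser

# Constructed sample page; every host name here is a placeholder.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://static.example.com/site.css">
<script src="https://static.example.com/app.js"></script>
</head><body>
<a href="http://www.example.com/about">About</a>
<img src="http://img.example.com/logo.png">
<script src="//cdn.example.com/lib.js"></script>
</body></html>"""

# Tag -> attribute that makes the browser fetch a subresource. <a href> is a
# navigation, not a subresource, so it is not reported.
FETCH_ATTR = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []          # (line, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return                  # e.g. rel="canonical" is not fetched
        url = attrs.get(FETCH_ATTR.get(tag)) or ""
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, url))

def find_mixed_content(html):
    """Return every subresource that is pinned to plain http."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

def rewrite(url, scheme_relative=False):
    """http://host/x -> https://host/x, or //host/x to follow the page's scheme."""
    rest = url[len("http://"):]
    return ("//" if scheme_relative else "https://") + rest

if __name__ == "__main__":
    for line, tag, url in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag}> {url} -> {rewrite(url)} or {rewrite(url, True)}")
```

A page served over https that still loads an http:// script or stylesheet gives up the protection for that resource, and browsers block such loads, so an empty result from this scan is a useful gate before switching.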
