Computer network - the difference and connection between http and https

The Hypertext Transfer Protocol (HTTP) is used to transfer information between a web browser and a web server. HTTP sends content in clear text and does not provide any form of data encryption. If an attacker intercepts the connection between the web browser and the web server, the transmitted content can be read directly. Therefore, the HTTP protocol is not suitable for transmitting sensitive information, such as credit card numbers, passwords and other payment information.

To solve this defect of the HTTP protocol, another protocol is needed: the Secure Sockets Layer hypertext transfer protocol, HTTPS. For the security of data transmission, HTTPS adds the SSL protocol to HTTP. SSL relies on certificates to verify the server and encrypts the communication between the browser and the server.

1. Basic concepts of HTTP and HTTPS

HTTP: the most widely used network protocol on the Internet. It is a request and response standard between client and server, running over TCP, and is used to transmit hypertext from a WWW server to a local browser. The server is more efficient, resulting in fewer network transfers.

HTTPS: a secure HTTP channel. In short, it is a secure version of HTTP, that is, HTTP with an SSL layer added. The security foundation of HTTPS is SSL, so the details of the encryption are handled by SSL.

The main functions of the HTTPS protocol can be divided into two types: one is to establish an information security channel to ensure the security of data transmission; the other is to confirm the authenticity of the website.

2. What is the difference between HTTP and HTTPS?

The data transmitted by the HTTP protocol is unencrypted, that is, in plain text. Therefore, it is very insecure to use the HTTP protocol to transmit private information. To ensure that this private data can be encrypted in transit, Netscape designed the SSL (Secure Sockets Layer) protocol to encrypt the data transmitted by the HTTP protocol, and so HTTPS was born.

In short, the HTTPS protocol is a network protocol built from SSL plus HTTP that can perform encrypted transmission and identity authentication, and is more secure than the HTTP protocol.

The main differences between HTTPS and HTTP are as follows:

1. The HTTPS protocol requires applying to a CA for a certificate. Generally, there are few free certificates, so a certain fee is required.

2. HTTP is a hypertext transfer protocol in which information is transmitted in plaintext, while HTTPS is a secure, SSL-encrypted transfer protocol.

3. HTTP and HTTPS use completely different connection methods and different ports. The former uses port 80 and the latter port 443.

4. An HTTP connection is very simple and stateless; the HTTPS protocol is a network protocol built from SSL plus HTTP that can perform encrypted transmission and identity authentication, which is safer than the HTTP protocol.

3. How HTTPS works

We all know that HTTPS can encrypt information to prevent sensitive information from being obtained by third parties, so many banking websites or e-mails and other services with high security levels will use the HTTPS protocol.

1. The client initiates an HTTPS request

There is not much to say here: the user enters an https URL in the browser, and the browser connects to port 443 of the server.

2. Server configuration

A server using the HTTPS protocol must have a set of digital certificates, which can be made by yourself or applied for from an organization. The difference is that a certificate issued by yourself needs to be verified by the client before access can continue, while a certificate obtained from a trusted company does not cause a prompt page to pop up (startssl is a good choice, with a 1-year free service).

This set of certificates is actually a pair of keys, a public key and a private key. If you don't understand public and private keys, you can imagine them as a lock and a key, where you are the only person in the world who has the key. You can give the lock to others, and others can use this lock to lock up important things and then send them to you. Because only you have the key, only you can see the things locked by this lock.

3. Send the certificate

This certificate is actually the public key, but it also contains a lot of other information, such as the certificate authority, expiration time, and so on.

4. Client parsing certificate

This part of the work is done by the client's TLS implementation. First, it verifies whether the public key is valid, checking for example the issuing authority and the expiration time. If an exception is found, a warning box pops up, indicating that there is a problem with the certificate.

If there is no problem with the certificate, the client generates a random value and then encrypts it with the certificate. As mentioned above, this locks the random value with the lock, so that nobody without the key can see the locked value.

5. Transmission of encrypted information

This part transmits the random value encrypted with the certificate. The purpose is to let the server get this random value, and then the communication between the client and the server can be encrypted and decrypted through this random value.

6. Server-side decryption of information

After the server decrypts with its private key, it obtains the random value sent by the client, which now serves as the shared secret key, and then encrypts the content symmetrically with that value. In this way, unless the secret key is known, the content cannot be obtained. Both the client and the server know this key, so as long as the encryption algorithm is strong enough and the key is complex enough, the data is safe enough.

7. Transmission of encrypted information

This part of the information is encrypted by the server with the shared secret key and can be restored on the client side.

8. Client decryption information

The client decrypts the information sent by the server with the previously generated secret key, and thus obtains the decrypted content. Even if a third party monitors the data during the whole process, it can do nothing with it.
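The eight steps above, carried through in code as an added example (not code from the original article). It uses only the Python standard library, so the RSA key pair is a constructed toy (textbook RSA, no padding) and the symmetric cipher is a SHA-256 keystream with an HMAC tag; all function names are assumptions made for this illustration.

```python
import hashlib, hmac, secrets

# Toy server key pair: textbook RSA over two known Mersenne primes (constructed,
# unpadded and far too small for real use; a real certificate carries the public part).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                                  # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, never leaves the server

def keystream(key, nonce, length):
    """Toy stream cipher (SHA-256 in counter mode), standing in for a real cipher."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    """Encrypt with the shared random value: nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, record):
    """Check the tag first, then decrypt; a modified record is rejected."""
    nonce, ct, tag = record[:12], record[12:-32], record[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record was modified in transit")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))

def client_key_exchange(server_public=(N, E)):
    """Steps 4-5: generate the random value and lock it with the server's public key."""
    n, e = server_public
    secret = secrets.token_bytes(16)
    return secret, pow(int.from_bytes(secret, "big"), e, n)

def server_recover_secret(encrypted):
    """Step 6: only the private exponent D unlocks the random value."""
    return pow(encrypted, D, N).to_bytes(16, "big")

def handshake_and_exchange(request, response):
    """Run both sides; the third result is all a passive eavesdropper would see."""
    client_secret, wire_value = client_key_exchange()
    server_secret = server_recover_secret(wire_value)
    wire_request = seal(client_secret, request)          # client -> server
    got_request = unseal(server_secret, wire_request)
    wire_response = seal(server_secret, response)        # step 7: server -> client
    got_response = unseal(client_secret, wire_response)  # step 8
    return got_request, got_response, [wire_value, wire_request, wire_response]

if __name__ == "__main__":
    print(handshake_and_exchange(b"POST /login pw=constructed", b"HTTP/1.1 200 OK")[:2])
```

This mirrors the RSA key-transport handshake the article describes; TLS 1.3 removed that mode in favour of ephemeral Diffie-Hellman key agreement, so a recorded session cannot be decrypted later with the server's private key.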

6. Advantages of HTTPS

It is precisely because HTTPS is very secure that attackers cannot find a place to start. From the perspective of webmasters, the advantages of HTTPS are as follows:

1. SEO aspects

Google adjusted its search engine algorithm in August 2014, saying that "a site encrypted with HTTPS will rank higher in search results than an equivalent HTTP site".

2. Security

HTTPS is not absolutely secure: organizations that control root certificates and organizations that control encryption algorithms can still carry out man-in-the-middle attacks. Even so, HTTPS is the most secure solution under the current architecture, with the following advantages:

(1) Use the HTTPS protocol to authenticate users and servers to ensure that data is sent to the correct client and server;

(2) The HTTPS protocol is a network protocol built from SSL plus HTTP that can perform encrypted transmission and identity authentication. It is safer than the HTTP protocol: it prevents data from being stolen or changed during transmission and ensures the integrity of the data.

(3) HTTPS is the most secure solution under the current architecture. Although it is not absolutely secure, it greatly increases the cost of man-in-the-middle attacks.

7. Disadvantages of HTTPS

Although HTTPS has great advantages, it still has some shortcomings. Specifically, there are the following two points:

1. SEO aspects

According to ACM CoNEXT data, using the HTTPS protocol will prolong the page loading time by nearly 50% and increase the power consumption by 10% to 20%. In addition, the HTTPS protocol will also affect caching, increase data overhead and power consumption, and even existing security measures will be affected accordingly.

Moreover, the encryption scope of the HTTPS protocol is relatively limited, and it offers little protection against hacker attacks, denial of service attacks, and server hijacking.

Most importantly, the chain of trust behind SSL certificates is not secure. In particular, when some countries can control a CA root certificate, man-in-the-middle attacks are feasible.

2. Economic aspects

(1) SSL certificates cost money. The more powerful the certificate, the higher the cost. For personal websites and small websites they are not necessary and are generally not used.

(2) SSL certificates usually need to be bound to an IP, and multiple domain names cannot be bound to the same IP. IPv4 resources cannot support this consumption (SSL has extensions that can partially solve this problem, but it is troublesome and requires browser and operating system support; Windows XP does not support this extension, and considering the installed base of XP, this feature is almost useless).

(3) HTTPS connection caching is not as efficient as HTTP, and high-traffic websites will not use it unless necessary, because the traffic cost is too high.

(4) Server-side resource consumption for HTTPS connections is much higher, and supporting websites with even slightly more visitors costs more. If HTTPS were used everywhere, the average cost of a VPS, which is priced on the assumption that most computing resources sit idle, would go up.

(5) The handshake phase of the HTTPS protocol is time-consuming and has a negative impact on the response speed of the website. If it is not necessary, there is no reason to sacrifice the user experience.
