Why HTTPS Is More Secure Than HTTP

HTTP (Hypertext Transfer Protocol) is the most widely used protocol on the Internet. As people's awareness of network security has grown, HTTPS is increasingly being adopted. Whether we visit a shopping site or log in to a blog or forum, we are protected by HTTPS, and mainstream browsers such as Google Chrome and Firefox now mark all HTTP-based sites as unsafe.

Why is HTTPS more secure than HTTP? Before answering this question, we first have to understand what HTTP and HTTPS are.

HTTP and HTTPS access process

Throughout the development of the Internet, HTTP has served as the standard protocol for transferring information. It can carry documents, files, images, videos and so on between computers on the Internet.

During an HTTP request, the client and the server do not verify each other's identity, and all data is transmitted in the clear, "streaking" across the Internet, so it is vulnerable to hackers.


As the figure above shows, a request sent by the client can easily be intercepted by a hacker. If the hacker then poses as the server, it can return any information to the client without the client being aware of it. This is the "hijacking" we so often hear about.

HTTPS is in fact HTTP with SSL (HTTP + SSL = HTTPS). When you see HTTPS in the address bar of your browser, it means that all communication with the site is encrypted, which makes the whole visit more secure.

Why HTTPS is more secure than HTTP

The security of HTTPS shows in three main aspects:

  • Server authentication: because the server is authenticated, the user can be sure which server they are actually communicating with.

  • Data confidentiality: other parties cannot understand the content that is sent, because the submitted data is encrypted.

  • Data integrity: the transmission carries a Message Authentication Code (MAC) for verification, so the data cannot be changed by another party in transit.

Let's compare with an example. An HTTP request consists of several lines of text that follow the HTTP protocol, for example the following GET request:

GET /helloupyun.txt HTTP/1.1
User-Agent: curl/7.73.0 libcurl/7.73.0 OpenSSL/1.1.l zlib/1.2.11
Host: www.upyun.com
Accept-Language: en

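The request is sent directly in plaintext. Because it is plaintext, anyone with a basic understanding of the protocol's commands and syntax who monitors the request in transit can capture it and understand what it means. Sending data such as passwords over HTTP is therefore extremely insecure.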

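By contrast, HTTPS uses SSL (or TLS) to encrypt HTTP requests and responses, so in the example above, someone monitoring the request would see a string of random-looking characters rather than readable text.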

GsERHg9YDMpYk0VVDiRvw1H5miNieJeJ/FNUjgH0BmVAWII6+T4MnDwmCMZUI/orxP3HGwYCSIvyzS3MpmmSe4iaWKCOHH==

The encryption relies on SSL (Secure Sockets Layer), a standard security technology that covers both asymmetric and symmetric keys.

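Symmetric encryption
Symmetric encryption refers to encryption algorithms that use the same key for encryption and decryption.

Common encryption algorithms today include DES, AES and IDEA.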

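Asymmetric encryption
Asymmetric encryption uses two keys, a public key and a private key. The public key is used to encrypt data such as website account passwords, and the private key is used to decrypt it. The public key is sent to everyone who visits the website, while the private key is held only by the website's server.

Common asymmetric encryption algorithms today include RSA, DSA and DH.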

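Commonly used suites, such as the ChaCha20-Poly1305 cipher suite, use these two algorithms: ChaCha20 is the symmetric encryption algorithm, and Poly1305 is the authentication algorithm.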

According to the RFC, ChaCha20 provides 256 bits of encryption strength, which is sufficient for a symmetric encryption algorithm protecting HTTPS.

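Poly1305, as the authentication algorithm, provides authentication that prevents an attacker from inserting forged information into the secure data stream during the TLS handshake. Poly1305 provides roughly 100 bits of security strength, which is enough to stop this kind of attack.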

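Overall, compared with HTTP, HTTPS as an encryption mechanism not only encrypts the data but also gives the website a secure and trustworthy identity card.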

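Some advantages and disadvantages of HTTPS

Overall, HTTPS has the following five advantages:

  • It maximizes the security of data and transactions on the Web;

  • It encrypts users' sensitive or confidential information;

  • It improves ranking in search engines;

  • It avoids the "not secure" warning in the browser;

  • It increases users' trust in the website.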

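On the other hand, there are inevitably disadvantages as well:

  • The HTTPS handshake takes a relatively long time, which affects the overall page load speed;

  • More CPU cycles are spent in the browser and on the server to encrypt and decrypt data;

  • SSL certificates generally have to be paid for, and the cost is often not low;

  • It is not security in an absolute sense: when the website is attacked or the server is hijacked, HTTPS provides essentially no protection.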

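Upgrading HTTP to HTTPS

How do you upgrade a website from HTTP to HTTPS? Compared with the conventional upgrade steps, UPYUN offers a simpler and clearer process: from purchasing and managing an SSL certificate to deploying it, everything is done in three steps. UPYUN also works with top international CAs, offering a wide range of certificate types and a simple, convenient workflow.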


Origin www.cnblogs.com/upyun/p/11882182.html