You even do not understand the principle of HTTPS, also stresses "man in the middle attack"?

HTTPS

With the establishment of the decline in the cost of HTTPS, and now most of the sites have already begun to spend HTTPS protocol. We all know that HTTPS security than HTTP, also heard of concepts associated with the HTTPS protocol has SSL, asymmetric encryption, CA certificate, but for the following three tortured souls might not answer on:

1. Why use HTTPS is safe?
2. How the underlying principle of HTTPS implementations?
3. We must use the HTTPS secure?

This article layers of depth, from the principle of the security of HTTPS drive home.

The principle of HTTPS

You may have heard HTTPS protocol reason why is because the data is secure HTTPS transmission protocol will be encrypted, but the encryption process is the use of asymmetric encryption implementation. But in fact, HTTPS encryption used on the content transmission is symmetric encryption, asymmetric encryption to act only in the credential verification phase.

The whole process is divided into HTTPS certificate authentication and data transfer phase, the specific interaction is as follows:

① certificate validation phase

1. HTTPS browser to initiate a request
2. The server returns the HTTPS certificate
3. Client authentication certificate is legitimate, if sub-rule prompt warning

② data transfer phase

1. When the certificate validation method, a random number generated locally
2. Encrypted random number by the public key, and the encrypted random number transmitted to the server
3. The server decrypts the random number by private
4. Symmetric encryption algorithm server client structure incoming random number, the content of the results returned encrypted transmission

Why is the data transmission is encrypted with a symmetric?

First, asymmetric encryption and decryption efficiency is very low, usually a large number of interactions between the application scenario http client and the client, the efficiency of asymmetric encryption is unacceptable;

Further, the HTTPS server scenario only save the private key, only one pair of public and private key encryption and decryption of the one-way, so the contents of the HTTPS transmission is encrypted symmetric encryption taken without asymmetric encryption.

Why CA certification authority to issue certificates?

HTTP protocol is considered unsafe because the transmission process is easily listener hook line monitoring, fake server, and network transmission of the HTTPS protocol is mainly to solve the security issues.

First, we assume that the certification body does not exist, anyone can create a certificate, which bring security risk is the classic "man in the middle attack" the problem.
"Man in the middle attack" the process is as follows:

Process works:

1. A local request hijacked (e.g., DNS hijacking), all requests sent to the intermediary server
2. Middleman middleman own certificate server returns
3. The client creates a random number, the public key certificate is transmitted to the intermediary intermediary after the random number encrypted with the random number and configuration of the content transmission symmetric encryption encrypted transmission
4. Middleman because they have a random number of the client, the content may be decrypted by the symmetric encryption algorithm
5. Intermediary to request the contents of the client's website to initiate the formal request again
6. Because the communication process with the server middleman is legal, regular site returns the data encrypted by the establishment of a secure channel
7. With symmetric encryption algorithm middleman established with regular site to decrypt the content
8. Intermediary encrypted transmission data returned by the content regular symmetric encryption algorithms established with the client
9. The client decrypts the resultant data returned by the symmetric encryption algorithm established intermediaries

Due to the lack of verification of certificates, the client is initiated despite HTTPS request, but the client does not know its own network has been blocked, all the content is transmitted to steal middleman.

How the browser is to ensure the legitimacy of the CA certificate?

1. The certificate contains what information?

• Authority Information
• Public Key
• company information
• domain name
• Validity
• fingerprint
• ……

What legitimacy is based 2. certificate?

First, the authority is to have certified, not just an institution are eligible to issue a certificate, or is not called the authorities. In addition, the certificate of credibility based on trust system, authorities need to credit their endorsement certificates issued, as long as the certificate authority is generated, we considered legitimate. So the information the authority will review the applicant's different levels of authority to audit requirements are not the same, so the certificate is also divided into free, cheap and expensive.

3. How the browser to verify the legitimacy of the certificate?

When a browser initiates HTTPS request, the server will return to the site's SSL certificate, the browser needs to do the following validation certificates:

1. Verify domain name, expiration date information is correct. It contains information on the certificate are relatively easily verified;
2. To determine whether a certificate from legitimate sources. Each issue certificates based on the authentication chain can find the corresponding root certificate, operating system, browser local storage root certificate authority, use of local root certificate may be issued a certificate of completion to verify the origin counterparts;
   
3. Determine whether the certificate has been tampered with. You need to check with the CA server;
4. Determine whether the certificate has been revoked. By CRL (Certificate Revocation List Certificate Revocation List) and OCSP (Online Certificate Status Protocol Online Certificate Status Protocol) implementation, which can be used to interact OCSP step 3 to reduce the CA server and improve verification efficiency

The case of any of the above step are met browser considers a certificate is legitimate.

I would like to insert here a long time, but the answer is actually very simple question:
Since the certificate is public, if you want to launch the-middle attack, I downloaded a copy of my certificate as a server certificate on the official website, the client will certainly agree that this certificate It is legitimate, how to avoid fraudulent use of such a certificate?
This fact, in public and private key to encrypt the symmetric non-useful, although intermediary certificate can be obtained, but the private key can not be acquired, it is impossible to calculate a public key corresponding to the private key, the certificate can not get even intermediary disguised legitimate server, because the client can not decrypt incoming encrypted data.

4. Only certification bodies can generate certificates?

If you need the browser does not prompt a security risk, it can only use the certificate issued by the certification body. But usually only browser prompts security risks, do not limit the sites can not access, so technically anyone can generate a certificate, the certificate can be completed as long as there HTTPS transmission site. For example, an early form of the 12306 is used to manually install the private certificate implementation HTTPS access.

Local random number is stolen how to do?

Certificate verification is implemented using asymmetric encryption, the transfer process is the use of symmetric encryption, symmetric encryption algorithms of which is important in the random number is generated by and stored locally in the local, HTTPS how to ensure that the random number will not be stolen?

In fact, HTTPS does not include security guarantees for random numbers, only HTTPS to ensure security during transmission, storage and random number belonging to another category of local security, local security, measures to deal with the mounting anti-virus software, anti-Trojan, browser upgrade bug fixes and so on.

HTTPS will get caught up with it?

HTTPS data is encrypted, packet after packet capture tool agent content request is caught under conventional encryption state can not directly see.

But, as previously mentioned, the browser will prompt a security risk if the authorized user can continue to access the site, complete the request. Therefore, as long as the client is our own terminal, in the case of our authorized intermediary will be able to set up the network, and packet capture tool is acting as an intermediary agent. Use HTTPS capture tool is typically generates a certificate, the user needs to manually install the certificate to the client, and then all requests initiated by the terminal to interact with the capture tool is completed by the certificate, and then forwards the request to the packet capture tool servers, and finally returns the results returned by the server to the terminal after the console output, thus completing the closed loop of the entire request.

Since the anti-HTTPS can not capture, and that HTTPS what is the point?
HTTPS communication link is possible to prevent the user listen without the knowledge, the credit for the active capture operation is not to provide protection, because this is the scene the user has been informed of the risk. To prevent capture, need to use application-level security, such as the use of private symmetric encryption, while making anti-moving side decompile reinforcement to prevent local algorithm is broken.

to sum up

The following summarize the full text with a brief Q & A form:

Q: HTTPS Why security?
A: Because HTTPS to ensure the transmission security, to prevent the transfer process be monitored to prevent data theft, can confirm the authenticity of the site.

Q: HTTPS transmission process is like?
A: HTTPS client initiates the request, the server returns the certificate, the client certificate for authentication on the locally generated random number by a symmetric encryption algorithm for the transformation of the random number is encrypted by the transmission of the public key certificate to the server , the server receives the random number obtained by decrypting the private key, after the data interaction performed by the symmetric encryption algorithm decryption.

Q: Why do I need a certificate?
A: to prevent the "middleman" attacks, and can provide proof of identity for the site.

Q: HTTPS will get caught using it?
A:'ll get caught, HTTPS communication only prevent users from unknowingly being monitored, and if the user is actively credit, it can build a "middleman" network, proxy software can decrypt the transmission content.

BLOG Address : www.liangsonghua.com

Focus on micro-channel public number: preserved egg blackboard, get more exciting!

Public No. Description: sharing technology insights to work in Jingdong, as well as JAVA technology and industry best practices, most of them are pragmatic, can understand, reproducible