The difference between HTTP and HTTPS, and the HTTPS encryption algorithm

1. The concept of HTTP and HTTPS

HTTP: the most widely used network protocol on the Internet, a request/response standard between a client and a server (carried over TCP). The Hypertext Transfer Protocol transfers content from a WWW server to the local browser; it makes browsing more efficient and reduces network traffic. HTTP is a plaintext transport protocol: neither the interaction nor the transferred data is encrypted, and neither communicating party is authenticated, so the communication is very vulnerable to hijacking, eavesdropping and tampering. In severe cases this leads to malicious traffic hijacking and other problems, even the disclosure of personal data (such as a leaked bank card number and password) and other serious security incidents.

HTTPS: HTTP over a secure channel; put simply, it is a secure version of HTTP. HTTPS adds an SSL layer beneath HTTP, so the security of HTTPS rests on SSL, and the details of the encryption therefore belong to SSL.

The HTTPS protocol serves two main purposes: one is to establish a secure channel that protects the data in transit; the other is to confirm the authenticity of the website.

2. How HTTP and HTTPS work

HTTP: When the user enters the URI of the Web resource to be accessed in the browser's address bar, HTTP processing begins. The default HTTP port is port 80. Its working mechanism: the client first establishes a TCP connection to port 80 of the server; once the connection is established, requests and responses are transmitted over it as data packets. The specific process is as follows:

One HTTP operation is called a transaction; its whole working process is as follows:

(1) Address resolution
  Suppose the client browser requests the page: http://localhost.com:8080/index.htm
  From this address the protocol name, host name, port, path and other parts are separated out. For this address the parsed result is:
  protocol name: http
  host name: localhost.com
  port: 8080
  object path: /index.htm
  In this step the domain name localhost.com also has to be resolved through the domain name system (DNS) to obtain the IP address of the host.

(2) Encapsulate the HTTP request packet
  Combine the information above with the local machine's own information into an HTTP request packet.

(3) Encapsulate into TCP packets and establish the TCP connection (TCP three-way handshake)
  Before HTTP work begins, the client (Web browser) must first establish a network connection to the server. This connection is made by TCP, which together with the IP protocol forms the foundation of the Internet, known as the TCP/IP protocol suite; hence the Internet is also called a TCP/IP network. HTTP is an application-layer protocol at a higher level than TCP, and by the layering rules a higher-level protocol can only connect after the lower-level protocol's connection has been established. Therefore a TCP connection must be established first; the TCP port number is usually 80, but in this example it is port 8080.

(4) The client sends a request command
  Once the connection is established, the client sends a request to the server. The request format is: the Uniform Resource Identifier (URL) and the protocol version number, followed by MIME-style information that includes request modifiers, client information and possibly content.

(5) The server responds
  After receiving the request, the server returns the corresponding response. Its format is a status line containing the protocol version number and a success or error code, followed by MIME-style information that includes server information, entity header information and possibly content.
  After the server has sent the entity header information to the browser, it sends a blank line to indicate that the header information has ended, and then it sends the actual data in the format described by the Content-Type response header.

(6) The server closes the TCP connection
  Generally, once the Web server has sent the requested data to the browser, it closes the TCP connection. However, if the browser or the server adds this line to its header information:
  Connection: Keep-Alive
  the TCP connection remains open after the transmission, so the browser can continue to send requests over the same connection. Keeping the connection open saves the time required to establish a new connection for each request and also saves network bandwidth.
The content the server returns to the client may be an HTML page or an image; it is read out through the input stream and written back to the display.
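The transaction above, steps 1 through 6, carried out on constructed bytes (an added example, not code from the original article): the address is parsed, the request is built, and the response is split at the blank line into status, headers and a body typed by Content-Type, with Connection deciding whether the TCP connection stays open.

```python
"""The HTTP transaction described above, step by step: parse the address
(step 1), build the request (steps 2 and 4), read the response (steps 5 and 6).
Added example on constructed bytes; it opens no real socket."""
from urllib.parse import urlsplit

def parse_address(url):
    """Step (1): split the URL into protocol name, host name, port and object path."""
    parts = urlsplit(url)
    default_port = 443 if parts.scheme == "https" else 80
    return {"protocol": parts.scheme, "host": parts.hostname,
            "port": parts.port or default_port, "path": parts.path or "/"}

def build_request(url, keep_alive=False):
    """Steps (2) and (4): request line, headers, then the blank line (GET has no body)."""
    a = parse_address(url)
    lines = [f"GET {a['path']} HTTP/1.1", f"Host: {a['host']}:{a['port']}",
             "Connection: " + ("Keep-Alive" if keep_alive else "close")]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def parse_response(raw):
    """Steps (5) and (6): status line, headers, blank line, then a body of the
    type named by Content-Type; Connection says whether the TCP connection
    stays open for the browser's next request."""
    head, _, body = raw.partition(b"\r\n\r\n")       # the blank line ends the headers
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    version, code, *rest = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return {"version": version, "status": int(code), "reason": rest[0] if rest else "",
            "content_type": headers.get("content-type"),
            "keep_alive": headers.get("connection", "").lower() == "keep-alive",
            "body": body[:length]}

# Constructed response, as the server would send it in step (5).
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: example\r\n"
                   b"Content-Type: text/html\r\nContent-Length: 14\r\n"
                   b"Connection: Keep-Alive\r\n\r\n<h1>hello</h1>")
```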

HTTPS: HTTPS actually consists of two parts: HTTP + SSL/TLS, i.e. a layer that encrypts the information is added on top of the HTTP module. Information transmitted between server and client is encrypted by TLS, so the data on the wire is ciphertext. The data the server sends to the client is encrypted and can only be read by the server and the client. When data is exchanged, a symmetric key (concept explained below) is needed; but how does the server get the symmetric key to the client?

3. Differences between HTTP and HTTPS

(1) The HTTPS protocol requires applying to a CA (certificate authority) for a certificate; free certificates are few, so payment is generally required.

(2) HTTP is the Hypertext Transfer Protocol and transmits information in plaintext; HTTPS is a secure, SSL-encrypted transmission protocol.

(3) HTTP and HTTPS use completely different connection methods and different ports: the former uses 80, the latter 443.

(4) An HTTP connection is very simple and stateless.

(5) The HTTPS protocol is an encrypted transmission protocol built from SSL + HTTP that also authenticates network identity; it is more secure than the HTTP protocol.

(6) Content transmitted over HTTPS is integrity-checked.

(7) HTTPS content is symmetrically encrypted, and each connection generates a unique encryption key.

(8) With HTTPS, a third party cannot forge the identity of the server (or client).

4. HTTPS encryption algorithm

First, two concepts are introduced:

Symmetric key: also known as private-key encryption or symmetric-key encryption, i.e. the sender and the receiver of the data must use the same key to encrypt and decrypt the plaintext. There are generally two modes: stream ciphers and block ciphers.

Asymmetric key: an asymmetric encryption algorithm requires two keys: a public key (publickey) and a private key (privatekey). The public key and the private key form a pair: data encrypted with the public key can only be decrypted with the corresponding private key, and data encrypted with the private key can only be decrypted with the corresponding public key. Because encryption and decryption use two different keys, this kind of algorithm is called an asymmetric encryption algorithm.

4.1 How HTTPS ensures data security:

The introduction to HTTP above showed that it is very unsafe. So how does HTTPS ensure the security of the data when the server passes data to the client?

1. The client sends an SSL connection request to the server; (in this step the data may still be intercepted by a party in the middle; how this step is secured is explained below)

2. The server sends its public key to the client, while the server keeps its unique private key;

3. The client uses the public key to encrypt the symmetric key for communication between the two parties and sends it to the server;

4. The server uses its own unique private key to decrypt the symmetric key sent by the client. In this process an intermediary cannot decrypt it (and even the client cannot, because only the server holds the unique private key), which ensures the safety of the symmetric key in transit. At this point the server and the client hold exactly the same symmetric key.

During data transmission, both the server and the client encrypt and decrypt the data with this shared symmetric key, which guarantees security when sending and receiving data, i.e. a third party that captures the packets can neither decrypt nor tamper with them.

4.2 The role of CA (certificate authority) certification:

The step in which the client sends a request to the server, mentioned above, is where data can be stolen: when the server sends its public key to the client, if it passes through an intermediary, the intermediary does not forward the server's public key to the client but forges a key pair of its own and sends the forged public key to the client. The client then encrypts the correct symmetric key with the intermediary's forged public key and sends it towards the server; the intermediary decrypts it with its forged private key and obtains the correct symmetric key. It then encrypts the correct symmetric key with the server's real public key and sends it on to the server, which decrypts it with its correct private key and also obtains the correct symmetric key. Now all three parties, client, server and intermediary, hold the correct symmetric key, and the intermediary can encrypt and decrypt the transferred data.
  To solve the above problem, the server normally applies to a CA for a certificate. The certificate contains some information about the CA and the server (it can be understood as something like an official seal), so that the certificate the server sends to the client cannot be forged by an intermediary along the way, ensuring that the public key received by the client really was sent by the server.
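Sections 4.1 and 4.2 in working form (an added example, not code from the original article): a textbook RSA toy with tiny constructed primes shows the symmetric key being carried to the server, how a party in the middle that substitutes its own public key ends up holding the same key, and how a CA signature over the server's name and public key lets the client reject the substituted key before the exchange. The key sizes, names and signature format are all constructed for illustration and are not real cryptography.

```python
"""Toy model of the key exchange in 4.1 and the CA check in 4.2. Textbook RSA
with tiny primes, constructed only to make the steps visible: NOT real cryptography."""
import hashlib

def rsa_keygen(p, q, e=65537):
    """Return (public, private) as (exponent, modulus) pairs."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))            # modular inverse, Python 3.8+
    return (e, n), (d, n)

def rsa_apply(key, m):
    """Encrypt with a public key, or decrypt/sign with a private key."""
    k, n = key
    return pow(m, k, n)

# Constructed key pairs: the honest server, the CA, and a party in the middle.
SERVER_PUB, SERVER_PRIV = rsa_keygen(1000003, 1000033)
CA_PUB, CA_PRIV = rsa_keygen(999979, 999983)
MITM_PUB, MITM_PRIV = rsa_keygen(1000037, 1000039)
SESSION_KEY = 0xC0FFEE                            # constructed symmetric key (< modulus)

def key_exchange(pub_seen_by_client, session_key=SESSION_KEY):
    """4.1 steps 2-3: the client encrypts the symmetric key with whatever public
    key it received; only the matching private key can recover it (step 4)."""
    return rsa_apply(pub_seen_by_client, session_key)

def mitm_exchange():
    """4.2 without certificates: the middle party substitutes its own public key,
    recovers the session key, then re-encrypts it for the real server.
    Returns the copy held by the middle party and the copy held by the server."""
    from_client = key_exchange(MITM_PUB)          # client trusted the forged key
    mitm_copy = rsa_apply(MITM_PRIV, from_client)
    server_copy = rsa_apply(SERVER_PRIV, key_exchange(SERVER_PUB, mitm_copy))
    return mitm_copy, server_copy

def cert_digest(name, pub, n):
    """Hash of the certified name and public key, reduced into the CA modulus."""
    return int(hashlib.sha256(f"{name}|{pub[0]}|{pub[1]}".encode()).hexdigest(), 16) % n

def make_cert(ca_priv, name, pub):
    """The CA's 'official seal': its signature over the server name and public key."""
    return {"name": name, "pub": pub, "sig": rsa_apply(ca_priv, cert_digest(name, pub, ca_priv[1]))}

def verify_cert(ca_pub, cert, expected_name):
    """What the client checks before using the certified public key for key_exchange."""
    return (cert["name"] == expected_name
            and rsa_apply(ca_pub, cert["sig"]) == cert_digest(cert["name"], cert["pub"], ca_pub[1]))

REAL_CERT = make_cert(CA_PRIV, "localhost.com", SERVER_PUB)
# Without the CA private key the middle party can only swap its key into the real cert.
FORGED_CERT = {**REAL_CERT, "pub": MITM_PUB}
```

Without the certificate check, mitm_exchange() shows all parties ending up with the same session key; with it, the client refuses FORGED_CERT and never runs the exchange against the substituted key.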


Origin blog.csdn.net/yrx420909/article/details/104484980