Basic understanding
https, the simple fact is an extended version of http, it is not a new agreement. In my opinion, https is used with multiplexing based http protocol and other protocols, the ultimate aim is to ensure the security of data transmission through
在这里得要说一下http的一些缺点
虽然说http在传输数据的速率上非常高,但是这个“高”是付出了一定的代价,而这些代价就造成了http的缺陷
1. http通信使用明文可能会被窃听
2. 无法验证通信双方的身份,这样就有可能遭到中间人攻击
3. 无法证明报文完整性,说白了就是我们无法保证我们所接收到的数据是来自客户端发送过来的,有可能是敌手截取报文修改了报文数据再发送给我们的。并且我们接收方不知道该报文是否完成或被篡改过
总而言之,就是http不安全(通信双方的身份无法得到保证,报文传输的安全无法得到保证)
Http and https precisely because some of the above defects arising. The following equation can be a simple description of the relationship between
https = http + ssl
ssl(Secure Sockets Layers,安全套接层)是为网络通信提供安全及数据完整性的一种安全协议
该协议所能提供的服务如下
1. 认证用户和服务端,能确认双方通信者的身份
2. 加密数据以防止数据中途被窃取
3. 维护数据的完整性,确保数据再传输过程中不被改变
ssl所提供的每一个服务都恰好一一对应我刚刚上面讲的http缺点,因此http + ssl 就能够实现数据的安全通信
Of course, in fact, there's an understanding of the https
https = http + encryption + authentication + integrity protection
加密,是使用密码学的各种加密技术,例如常见的RSA,MD5...来对报文所要传输的数据进行加密。这样就能保证数据在传输过程中能不被第三方所获取到了
认证,是对双方通信身份的认证,在这里一般是使用CA证书来对双方通信的身份进行证明。这样就能验证通信双方身份的真实性。
完整性保护,是对报文在传输过程中,对报文本身的一种保护,保护报文不会被破环。
这样看来,这种对https的理解也是没有错误的
https communication process
Communication process https than http communication process to be much more complicated. We can https communication process is divided into the following stages
- ssl communication
- http communication
1. ssl communication process
Ssl communication process object is to allow the sending end and a receiving end for key exchange. So that the client will be encrypted with a key content, the server then decrypt with a key, so that we can protect the data.
As the specific process of FIG.
In ssl communication process, achieve the following purposes
- The client identifies the identity of the server-side (obtained through a public key certificate)
- The client and server exchange a key communication will be used later
- Http ssl protection established for the communication of late, to protect the security of data transmission back
2. http communication process
For description of http traffic can refer to the article: the communication process of the HTTP network infrastructure
注:在https通信的http通信过程中,它在发送数据时会附加一种叫做mac的报文摘要。MAC能够查知报文是否遭到篡改,从而保护报文的完整性
https vs http
https Because of these mechanisms will make data communication has become very safe. But also because these mechanisms brought defect
- Compared to the slow transfer rate from 2 to 100 times http
- ssl certificate used is the need to purchase specialized certification bodies, needs money
So, https is not without drawbacks.
Here, I would like to elaborate is http and https each have their own advantages and disadvantages, we can not say better than http http or https than http. They each have their own range
Here I made a summary of a http and https
| Agreement Name | advantage | Shortcoming | Use of | example |
|---|---|---|---|---|
| http | Faster data transfer rate, low cost | Unsafe data transmission | 1. 2. The less demanding data security in claim 3. faster transmission rate limited funds | Public website |
| https | Data transmission security | Data transfer rate is slow, costs a little higher than http | 1. Data sufficient high safety requirements in claim 2. 3. The fast transfer rate requirements | Pay / private information to fill in / etc ... |
When we use http, when to use https, should also be subject to availability
End! ! !
