[Computer network] HTTP and HTTPS protocols in detail

Introduction: The browser is an important window through which we get to know the world. From opening a web page or entering a URL to seeing the page, what actually happens in between? With that question in mind, let's explore it together!

One. URL

Definition: Every information resource on the WWW has a single, unified address on the Internet. This address is called the URL (Uniform Resource Locator); it is the resource's network address.
Syntax: A URL consists of three parts: the resource type, the domain name of the host that stores the resource, and the resource file name.
It can also be regarded as consisting of four parts: protocol, host, port, and path.

What happens after you enter a URL in the browser
1. Enter the URL you want to visit in the browser.
2. The browser looks up the IP address for the domain name. It first has to determine which server IP address the domain name corresponds to; a DNS server resolves the domain name into the server's IP address.
DNS lookup process:

  • Browser cache: the browser caches DNS records for a period of time, usually between 2 and 30 minutes.
  • System cache: if the needed record is not found in the browser cache, the browser makes a system call (i.e. the gethostbyname function) to obtain the record from the system cache.
  • Router cache: next, the query is sent to the router, which generally has its own DNS cache.
  • ISP DNS cache: next, the ISP's caching DNS server is checked; the record can generally be found there.
  • Recursive search: finally, the ISP's DNS server starts a recursive search from the root name servers, through the .com top-level domain servers, down to the site's own name server. The DNS server's cache generally already holds the addresses of the .com name servers.

3. Build the HTTP request according to the HTTP protocol format.
4. Set up a TCP client connection (TCP is connection-oriented and provides reliable transmission).
5. The request is encapsulated layer by layer and routed to the server.
6. The server parses the request according to the HTTP protocol format, performs the business processing, and assembles the resulting data into an HTML response that it sends to the client. On the server, the request is handled by a web server (more precisely, an HTTP server) such as Apache, Nginx or IIS. The web server parses the user's request, works out which resource file needs to be dispatched, processes the request and its parameters through that resource file, calls the database as needed, and then returns the result to the browser client.
7. Close the connection: the TCP connection set up by the three-way handshake is ended by the four-way wave.
8. The browser parses the HTML. More precisely, the browser has to load and parse more than HTML: also CSS, JS and other media resources such as images and video. By parsing the HTML the browser builds the DOM tree; by parsing the CSS it builds the CSS rule tree; it then combines the DOM tree and the CSS rule tree into the render tree. The render tree differs from the DOM tree: it does not contain head, and nodes set to display: none, which do not need to be shown, are left out. Note that the browser does not parse serially: for example, it can keep loading and parsing HTML while it parses CSS, but when it parses and executes a JS script, parsing of the HTML that follows stops, which causes blocking.
9. The browser lays out and renders the page: based on the render tree it computes the CSS styles and the layout, that is, the geometry (size and position) of each node on the page. HTML uses flow layout by default; CSS and JS can break this layout and change the appearance, size and position of DOM elements. This brings up two important concepts: repaint and reflow.
10. Finally, the browser displays the page to the user.

Two. HTTP protocol

1. HTTP protocol description
① HTTP (HyperText Transfer Protocol) is the most widely used network protocol on the Internet; all WWW documents must comply with this standard.
② HTTP transfers data (HTML files, images, query results and so on) using the TCP/IP communication protocols.
③ HTTP is usually carried over TCP; HTTPS adds a TLS or SSL layer on top of that.
④ HTTP is an application-layer protocol made up of requests and responses; it is a standard client-server model. Note: HTTP is a stateless protocol.
⑤ The default HTTP port is 80.

2. HTTP request methods

No.  Method   Description
1    GET      Requests the specified page and returns the entity body.
2    HEAD     Similar to a GET request, but the response carries no content; used to obtain the headers.
3    POST     Submits data to the specified resource for processing (e.g. submitting a form or uploading a file). The data is contained in the request body. A POST request may create a new resource and/or modify an existing one.
4    PUT      Data sent from the client to the server replaces the content of the specified document.
5    DELETE   Asks the server to delete the specified page.
6    CONNECT  Reserved in HTTP/1.1 for proxy servers that can switch the connection to tunnel (pipe) mode.
7    OPTIONS  Allows the client to view the server's capabilities.
8    TRACE    Echoes back the request received by the server; mainly used for testing or diagnosis.
9    PATCH    Complements PUT; used to apply a partial update to a known resource.

3. HTTP request format
Format of an HTTP request without a body (parameters):
Format of an HTTP request with a body (parameters):

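Request line:
    Method:
        GET       retrieve a resource
        POST      send data to the server, transferring an entity body
        PUT       transfer a file
        HEAD      retrieve the message headers
        DELETE    delete a file
        OPTIONS   ask which methods are supported
        TRACE     trace the path
    Protocol/version number
    URL

Request headers:
    General headers (General Header)
    Request headers (Request Header)
    Response headers (Response Header)
    Entity headers (Entity Header Fields)

Request body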

4. HTTP protocol features:

  • Stateless: the protocol stores no client state and has no "memory" of what it has already handled; for example, visiting a website may require logging in repeatedly.
  • Connectionless: before HTTP/1.1, because of the stateless nature, every request had to go through the TCP three-way handshake and four-way wave and re-establish a connection with the server. For example, when a client requests the same resource several times within a short period, the server cannot tell whether it has already responded to this user's request, so it has to respond every time, wasting time and traffic.
  • Based on requests and responses: the basic characteristic. The client initiates the request and the server responds; simple, fast and flexible.
  • Plaintext communication: requests and responses do not verify the identity of the communicating party and do not protect data integrity.

5. HTTP workflow
An HTTP operation is called a transaction, and its working process can be divided into four steps:

  • First, the client and the server need to establish a connection. Simply clicking a hyperlink starts HTTP working.
  • After the connection is established, the client sends a request to the server. The request format is: Uniform Resource Identifier (URL), protocol version number, followed by MIME information that includes request modifiers, client information and possible content.
  • After receiving the request, the server gives the corresponding response. Its format is: a status line containing the protocol version number and a success or error code, followed by MIME information that includes server information, entity information and possible content.
  • The client receives the information returned by the server and the browser shows it on the user's display; then the client and the server disconnect.

Three. HTTPS protocol

1. HTTPS protocol overview:
HTTPS (Secure Hypertext Transfer Protocol) is the secure hypertext transfer protocol.
HTTPS is a secure communication channel developed on the basis of HTTP, used to exchange information between a client computer and a server.
HTTPS uses the Secure Sockets Layer (SSL) to exchange information; in short, it is the secure version of HTTP.
HTTPS was developed by Netscape and built into its browser to compress and decompress data and to return the results sent over the network.
In practice, HTTPS applies Netscape's Secure Sockets Layer (SSL) as a sub-layer of the HTTP application layer.
HTTPS uses port 443 rather than HTTP's port 80 to communicate over TCP/IP.
SSL uses a 40-bit key for the RC4 stream cipher, which is appropriate for encrypting business information.
HTTPS and SSL support the use of X.509 digital certificates.
2. HTTPS principle:
The client sends the server the list of algorithms it supports, together with a random number that is used in generating the key.
The server selects an encryption algorithm from that list and sends it to the client together with a certificate containing the server's public key; the certificate also carries the server's identity for authentication purposes, and the server likewise supplies a random number used in generating the key.
The client verifies the server's certificate (see digital signatures for how certificates are verified) and extracts the server's public key. It then generates a random secret string called pre_master_secret, encrypts it with the server's public key (see asymmetric encryption/decryption), and sends the encrypted value to the server.
The client and the server each independently compute the encryption and MAC keys from pre_master_secret and the client's and server's random values (see the DH key exchange algorithm).
The client sends the server the MAC value of all handshake messages.
The server sends the client the MAC value of all handshake messages.

3. HTTPS encryption and decryption
The picture is borrowed from another blogger: https://blog.csdn.net/kobejayandy/article/details/52433660
The client initiates an HTTPS request
Server configuration

  • 1. A server that uses HTTPS must have a digital certificate; you can create one yourself or apply to a certificate organization for one.
  • 2. The difference is that a certificate you issue yourself has to be accepted by the client before access can continue, whereas a certificate from a trusted organization does not trigger a warning page.
  • 3. The certificate is in effect a pair of public and private keys.

Transferring the certificate
This certificate is really the public key, along with a lot of other information.
Client certificate parsing

  • 1. This is done by the client's TLS layer, which first verifies that the public key is valid.
  • 2. If the certificate has no problems, it generates a random value.
  • 3. It then encrypts that random value with the certificate.

Transmitting the encrypted information

  • 1. What is transmitted here is the random value encrypted with the certificate.
  • 2. The purpose is to let the server obtain this random value; afterwards, communication between the client and the server can be encrypted and decrypted using this random value.

The server decrypts the information

  • 1. After decrypting with its private key, the server obtains the private key (the random value) sent by the client, and then symmetrically encrypts the content with that value.

  • 2. Symmetric encryption means mixing the information with the private key through some algorithm, so that the content cannot be obtained without knowing the private key. Since both the client and the server know this private key, the data is secure enough as long as the encryption algorithm is strong enough and the private key is complex enough.

Transmitting the encrypted information

  • 1. This is the information the server has encrypted with the private key; it can be restored on the client.

The client decrypts the information

  • 1. The client uses the private key it generated earlier to decrypt the information sent by the server, and so obtains the decrypted content.
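
The exchange described in "2. HTTPS principle" and walked through again in the steps above, as an added example that is not code from the original article: the client's pre_master_secret is encrypted with the server's public key, both sides derive the same master secret from it and the two random values, and the MAC over all handshake messages exposes any change made to them in transit. Assumptions: the derivation is the TLS 1.2 PRF from RFC 5246, the RSA key is a toy built from two Mersenne primes with no padding, and the message layout and suite labels are constructed.

```python
import hashlib
import hmac
import os

# Toy RSA key from two Mersenne primes (constructed; unpadded, illustration only).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def prf(secret, label, seed, length):
    """TLS 1.2 PRF from RFC 5246 section 5: P_SHA256(secret, label + seed)."""
    seed = label + seed
    a, out = seed, b""
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def master_secret(pre_master, client_random, server_random):
    return prf(pre_master, b"master secret", client_random + server_random, 48)

def finished_mac(master, transcript):
    """MAC over all handshake messages, as carried in the client Finished message."""
    digest = hashlib.sha256(b"".join(transcript)).digest()
    return prf(master, b"client finished", digest, 12)

def handshake(tamper=False):
    """Return (both sides hold the same master secret, server accepts the client's MAC)."""
    client_random, server_random = os.urandom(32), os.urandom(32)
    # Constructed message layout and suite labels, not the real TLS wire format.
    client_hello = b"ClientHello|suites=AES128-GCM,RC4-40|" + client_random
    # With tamper=True the algorithm list is altered before the server sees it.
    seen_by_server = client_hello.replace(b"AES128-GCM,", b"") if tamper else client_hello
    server_hello = b"ServerHello|" + server_random
    # Client: random pre_master_secret, encrypted with the server's public key (N, E).
    pre_master = b"\x03\x03" + os.urandom(46)
    key_exchange = pow(int.from_bytes(pre_master, "big"), E, N)
    # Server: recovers pre_master_secret with its private exponent D.
    recovered = pow(key_exchange, D, N).to_bytes(48, "big")
    client_ms = master_secret(pre_master, client_random, server_random)
    server_ms = master_secret(recovered, client_random, server_random)
    kex = key_exchange.to_bytes(141, "big")
    client_mac = finished_mac(client_ms, [client_hello, server_hello, kex])
    expected = finished_mac(server_ms, [seen_by_server, server_hello, kex])
    return client_ms == server_ms, hmac.compare_digest(client_mac, expected)

if __name__ == "__main__":
    print("untouched handshake:", handshake())
    print("altered algorithm list:", handshake(tamper=True))
```

In the altered run both sides still agree on the master secret, but the server's view of the handshake differs from the client's, so the MAC comparison fails and the connection would be aborted.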

4. HTTPS design goals:
(1) Data confidentiality: ensure that the content cannot be seen by a third party during transmission. It is like a courier delivering a sealed parcel: nobody else can know what is inside.

(2) Data integrity: detect in time whether the transmitted content has been tampered with by a third party. The courier may not know what is in the parcel, but he could swap it on the way; data integrity means that if it has been swapped, we can easily detect it and refuse delivery.

(3) Identity verification: ensure that the data reaches the destination the user intends. As when we post a parcel: even though it is sealed, we must make sure it is not delivered to the wrong place; identity verification ensures it is sent to the right place.

5. HTTPS advantages:

  • 1. HTTPS authenticates the user and the server, ensuring that data is sent to the correct client and server.
  • 2. HTTPS is a network protocol built from SSL + HTTP that provides encrypted transmission and identity authentication. It is more secure than HTTP: it prevents data from being stolen or altered in transit and ensures data integrity.
  • 3. HTTPS is the most secure solution under the current architecture; although it is not absolutely secure, it greatly increases the cost of a man-in-the-middle attack.

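6. HTTPS disadvantages:

  • 1. The HTTPS handshake phase is time-consuming and lengthens page load time.
  • 2. HTTPS connections cache less efficiently than HTTP and add data overhead; even existing security measures may be affected.
  • 3. The protection HTTPS offers is limited in scope: it does almost nothing against hacker attacks, denial-of-service attacks, server hijacking and the like.
  • 4. An SSL certificate usually has to be bound to an IP address, and multiple domain names cannot be bound to the same IP; IPv4 resources cannot sustain this consumption.
  • 5. Increased cost. After HTTPS is deployed, the protocol's work consumes additional computing resources; for example, the SSL encryption algorithms and the number of SSL round trips take up computing resources and add server cost.
  • 6. The scope of what HTTPS encrypts is also fairly limited. Most critically, the trust-chain system of SSL certificates is not secure; in particular, where certain countries can control CA root certificates, man-in-the-middle attacks remain feasible.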

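Four. Differences between HTTP and HTTPS (most important)

Differences:

  • 1. HTTPS requires applying to a CA (Certificate Authority) for a certificate; free certificates are generally rare, so a fee is required.
  • 2. After the TCP three-way handshake, HTTPS also has to perform the SSL handshake to negotiate the symmetric key used for encryption. HTTP is the Hypertext Transfer Protocol and transmits information in plaintext; HTTPS is a secure, SSL-encrypted transfer protocol.
  • 3. HTTP and HTTPS use completely different connection methods and different ports: 80 for the former, 443 for the latter.
  • 4. HTTP connections are simple and stateless. HTTPS is a network protocol built from SSL + HTTP that provides encrypted transmission and identity authentication, and is more secure than HTTP. (Stateless means that the sending, transmission and receipt of each packet are independent of one another. Connectionless means that neither communicating party keeps any information about the other for long.)
  • 5. HTTP is the Hypertext Transfer Protocol and transmits information in plaintext; HTTPS is a secure, SSL-encrypted transfer protocol.

Similarities:

  • 1. Both use the same underlying protocol, with the browser as the HTTP or HTTPS client.
  • 2. A connection is set up to the designated port on the web server.
  • 3. On receiving a request, the server returns a status code and a message.
  • 4. The system uses the uniform resource locator (URI) scheme, so a resource can be uniquely identified.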

Five. How to choose correctly between HTTP and HTTPS

From the analysis above we know that, to guarantee security, HTTPS performs a series of operations such as encrypting data in transit and installing certificates, which greatly reduces a site's performance and efficiency. Its protection is also limited in scope, and it achieves almost nothing against hacker attacks, denial-of-service attacks and server hijacking. So in practice, when confidential documents or information need to be transferred, we can use HTTPS for the transmission. In addition, HTTPS incurs considerable cost, because SSL certificates have to be purchased, and the more powerful the certificate, the more expensive it is. In summary, although HTTP is insecure, its efficiency and convenience mean that it is still the most widely used network transfer protocol on the Internet.

Origin blog.csdn.net/L19002S/article/details/104749810