Misunderstanding of HTTPS (1)

2025-02-25 Update. From: SLTechnology News&Howtos (shulou)


Shulou (Shulou.com) 06/01 Report

SSL certificates are getting more and more attention. It is often said that HTTPS is only needed on the login page, or that it slows a website down. EVTrust clears up a few common misunderstandings about the HTTPS protocol and explains how encrypted communication on the web actually behaves.

Misunderstanding 1: HTTPS is needed only on the registration and login pages

This idea is very common. People think HTTPS is there to protect the user's password and that nothing else on the site needs it. Firesheep, a Firefox extension, shows why this is wrong: on a shared network it makes hijacking other people's sessions on Twitter and Facebook a matter of a few clicks.

The free WiFi in a cafe is an ideal environment for session hijacking, for two reasons:

1. The WiFi is usually unencrypted, so anyone in range can passively capture everyone's traffic.

2. The WiFi normally sits behind NAT, so every client on the private network shares one public address. A hijacked session therefore appears to come from the same IP address as the original login, and any server-side check that ties the session to the client's IP is defeated. Take Twitter as an example: at the time, its login page used HTTPS, but once you were logged in the other pages went back to HTTP. At that point the session value in its cookie is exposed. In other words, the cookie was issued over HTTPS but is then transmitted over HTTP on every request. Anyone who captures that cookie can post on Twitter as you.
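The two halves of the problem above, as an added example that is not part of the original post or of Firesheep itself. The first function does what a sidejacking tool does: it reads Cookie headers straight out of plaintext HTTP requests captured on an open network. The second uses Python's standard-library cookie jar as a stand-in for a browser to show which cookies get replayed on a later `http://` request, and that the `Secure` attribute on the cookie is what stops it. The hostnames, cookie names and the captured requests are constructed for the demo.

```python
"""Added example: why HTTPS on the login page alone does not protect the session."""
import io
from email.message import Message
from http.cookiejar import CookieJar
from typing import Dict, List, Optional
from urllib.request import Request
from urllib.response import addinfourl

# Constructed "capture" of three plaintext HTTP requests seen on an open WiFi.
CAPTURED_REQUESTS = [
    "GET /home HTTP/1.1\r\nHost: twitter.example\r\nCookie: auth_token=s3cr3t-alice\r\n\r\n",
    "GET /images/logo.png HTTP/1.1\r\nHost: cdn.example\r\n\r\n",
    "GET /me HTTP/1.1\r\nHost: social.example\r\nCookie: sid=9f1c2; lang=en\r\n\r\n",
]


def sidejack_candidates(requests: List[str]) -> Dict[str, str]:
    """Return {host: cookie_header} for every plaintext request that carried a cookie.

    This is the attacker's view: nothing is decrypted, the cookie is simply in the clear.
    """
    found: Dict[str, str] = {}
    for raw in requests:
        headers: Dict[str, str] = {}
        for line in raw.split("\r\n")[1:]:      # skip the request line
            if not line:
                break                           # blank line ends the headers
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        if "cookie" in headers and "host" in headers:
            found[headers["host"]] = headers["cookie"]
    return found


def cookie_sent_over_http(set_cookie: str, login_url: str, next_url: str) -> Optional[str]:
    """Store the cookie a login response sets, then ask a browser-like cookie policy
    which cookies it would attach to the next request.

    Returns the Cookie header that would go on the wire, or None if nothing is sent.
    """
    jar = CookieJar()
    login_req = Request(login_url)
    resp_headers = Message()
    resp_headers["Set-Cookie"] = set_cookie
    login_resp = addinfourl(io.BytesIO(b""), resp_headers, login_url)
    jar.extract_cookies(login_resp, login_req)  # cookie issued on the HTTPS login page

    next_req = Request(next_url)
    jar.add_cookie_header(next_req)             # the jar enforces the Secure attribute here
    return next_req.get_header("Cookie")


if __name__ == "__main__":
    print("sniffed from plaintext requests:", sidejack_candidates(CAPTURED_REQUESTS))
    login = "https://twitter.example/login"
    plain = "auth_token=s3cr3t-alice; Path=/"
    hardened = "auth_token=s3cr3t-alice; Path=/; Secure; HttpOnly"
    print("no Secure flag, http page :", cookie_sent_over_http(plain, login, "http://twitter.example/home"))
    print("Secure flag, http page    :", cookie_sent_over_http(hardened, login, "http://twitter.example/home"))
    print("Secure flag, https page   :", cookie_sent_over_http(hardened, login, "https://twitter.example/home"))
```

The `Secure` attribute only helps if the whole site is served over HTTPS: a browser will refuse to send the cookie to an `http://` page, so a site that is still half HTTP breaks for logged-in users instead of leaking their session. That is the real argument for serving everything over HTTPS, not just the login form.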

Misunderstanding 2: With HTTPS, cookies and query strings are safe

HTTPS stops an eavesdropper from reading cookies and query strings off the wire, but their values still need to be unpredictable. An attacker who can guess a valid session identifier does not need to sniff it.

For example, a British bank once used sequential values as session IDs:

* Register an account, look at the cookie you are issued and note how the value is formed. Then change the value in the cookie to a neighbouring number and you are inside someone else's session. A session ID carried in the query string is exposed in the same way, and on top of that it ends up in browser history, server logs and Referer headers.
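The bank's mistake and its fix side by side, as an added example that is not from the original post or from any real system. `SequentialSessions` issues IDs the way the bank did; `RandomSessions` draws them from the operating system's CSPRNG via `secrets`. `guess_neighbours` plays the attacker who registers their own account and then tries the values around their own ID. The user names and the starting counter are made up for the demo.

```python
"""Added example: predictable versus unpredictable session IDs."""
import secrets
from typing import Dict, List


class SequentialSessions:
    """Weak: each login gets the previous ID + 1, so every live session is a short walk away."""

    def __init__(self) -> None:
        self._next = 100000                     # constructed starting value
        self.table: Dict[str, str] = {}         # session id -> username

    def login(self, user: str) -> str:
        sid = str(self._next)
        self._next += 1
        self.table[sid] = user
        return sid


class RandomSessions:
    """Strong: 32 bytes (256 bits) from the CSPRNG; "nearby" values mean nothing."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self.table[sid] = user
        return sid


def guess_neighbours(store, own_sid: str, radius: int = 50) -> List[str]:
    """Attacker: start from the ID of your own account and try the numeric values around it.

    Returns the usernames of every *other* session reached this way. A non-numeric ID
    gives the attacker nothing to walk from, which is the whole point of the random scheme.
    """
    try:
        base = int(own_sid)
    except ValueError:
        return []
    hits: List[str] = []
    for delta in range(-radius, radius + 1):
        if delta == 0:
            continue
        victim = store.table.get(str(base + delta))
        if victim is not None:
            hits.append(victim)
    return hits


def demo(store) -> List[str]:
    """Five users log in; the last one (mallory) probes around her own session ID."""
    sids = {u: store.login(u) for u in ["alice", "bob", "carol", "dave", "mallory"]}
    return guess_neighbours(store, sids["mallory"])


if __name__ == "__main__":
    print("sequential IDs, sessions hijacked:", demo(SequentialSessions()))
    print("random IDs, sessions hijacked    :", demo(RandomSessions()))
```

With sequential IDs the attacker lands in all four other sessions from one registration; with 256-bit random IDs the expected number of guesses per hit is astronomically larger than any server will ever answer, so there is nothing to walk from.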

Misunderstanding 3: HTTPS is too slow

HTTPS will not make your site faster (with one exception, described below), but the extra cost is much smaller than people assume, for the following reasons.

First, the CPU cost of encryption grows with the number of bytes sent, so compressing text content before it is encrypted reduces the work on both ends. On a modern CPU the cost is negligible anyway. One caveat: compress at the HTTP layer rather than inside TLS, and do not compress responses that mix secrets with attacker-controlled input, which is what the CRIME and BREACH attacks exploit.

Second, establishing an HTTPS connection requires extra round trips for the TLS handshake on top of the TCP handshake, and the handshake messages add a few bytes in each direction. As the accompanying figure shows, the number of extra bytes is small.

The first time a page is opened, HTTPS is a little slower than HTTP because of the time it takes to receive and validate the server's certificate and complete the handshake. The following waterfall diagram shows the load time of the page over HTTP.

The same page over HTTPS takes longer to open:

The connection-setup part is about 10% slower. However, once a valid HTTPS connection is established and the page is refreshed, there is little difference between the two protocols: the connection is kept alive and the TLS session can be resumed without a full handshake. First, refresh performance over HTTP:

Then over HTTPS:

Some users may even find HTTPS slightly faster than HTTP. This can happen on the internal LANs of large companies, where the gateway typically intercepts and inspects all network traffic. When it sees an HTTPS connection it can only pass it straight through, because it cannot read the contents, and skipping that inspection step is what makes HTTPS faster. Note that this no longer holds where the gateway performs TLS interception with a corporate CA installed on the clients; it then decrypts and inspects HTTPS as well.
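A way to measure the numbers this section talks about on your own site, as an added example that is not part of the original post. `measure_handshake` times the TCP connect and the TLS handshake separately and can reuse a previous TLS session, which is what a refresh over a kept-alive connection benefits from; `tls_overhead` turns a first and a resumed measurement into the setup-time penalty HTTPS adds over plain HTTP. Running the script as a program needs network access; the hostname is a placeholder to replace with the site under test, and the figures asserted in the usage are constructed.

```python
"""Added example: what the TLS handshake costs, and what session resumption gives back."""
import socket
import ssl
import time
from typing import Dict, Optional, Tuple


def measure_handshake(host: str, port: int = 443,
                      session: Optional[ssl.SSLSession] = None) -> Tuple[Dict[str, object], ssl.SSLSession]:
    """Return (timings, tls_session).

    timings["tcp_connect"]   seconds for the TCP three-way handshake (what plain HTTP pays)
    timings["tls_handshake"] seconds for the TLS handshake on top of it
    timings["version"]       negotiated protocol, e.g. "TLSv1.3"
    timings["resumed"]       True if the server accepted the offered session
    """
    ctx = ssl.create_default_context()
    t0 = time.perf_counter()
    raw = socket.create_connection((host, port), timeout=10)
    t1 = time.perf_counter()
    tls = ctx.wrap_socket(raw, server_hostname=host, session=session)  # handshake happens here
    t2 = time.perf_counter()
    # One tiny request so that TLS 1.3 session tickets, which arrive after the
    # handshake, have been received before we grab the session for reuse.
    tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
    while tls.recv(4096):
        pass
    timings: Dict[str, object] = {
        "tcp_connect": t1 - t0,
        "tls_handshake": t2 - t1,
        "version": tls.version(),
        "resumed": tls.session_reused,
    }
    sess = tls.session
    tls.close()
    return timings, sess


def tls_overhead(first: Dict[str, object], resumed: Dict[str, object]) -> Dict[str, float]:
    """Compare connection setup with and without HTTPS from two measurements.

    http_setup       TCP connect only (plain HTTP)
    https_full       TCP connect + full TLS handshake (first visit)
    https_resumed    TCP connect + resumed handshake (refresh)
    full_penalty     extra setup time on first visit, as a fraction of http_setup
    resumed_penalty  the same after resumption
    """
    tcp = float(first["tcp_connect"])
    https_full = tcp + float(first["tls_handshake"])
    https_resumed = float(resumed["tcp_connect"]) + float(resumed["tls_handshake"])
    return {
        "http_setup": tcp,
        "https_full": https_full,
        "https_resumed": https_resumed,
        "full_penalty": https_full / tcp - 1.0,
        "resumed_penalty": https_resumed / tcp - 1.0,
    }


if __name__ == "__main__":
    host = "www.example.com"   # placeholder: replace with the site under test
    first, sess = measure_handshake(host)
    second, _ = measure_handshake(host, session=sess)
    print(f"{first['version']}: TLS handshake {float(first['tls_handshake']) * 1000:.1f} ms "
          f"on top of TCP connect {float(first['tcp_connect']) * 1000:.1f} ms")
    print(f"second connection resumed={second['resumed']}: "
          f"handshake {float(second['tls_handshake']) * 1000:.1f} ms")
    for key, value in tls_overhead(first, second).items():
        print(f"{key:16s} {value:.3f}")
```

On a TLS 1.3 server the first handshake costs one extra round trip after the TCP connect, and the resumed one still costs one round trip but skips the certificate transfer and validation; the absolute numbers you see are dominated by the network RTT to the host, which is why the penalty looks large on a LAN and small on a slow link.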
