2025-04-13 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
How to understand HTTPS quickly is something many newcomers are unclear about. To help, the following explains it in detail; anyone with this need can read on, and I hope you get something out of it.
Introduction to HTTPS
HTTPS is HTTP carried over SSL/TLS (SSL is the older name; all current deployments use TLS), introduced to close the information leak caused by HTTP's plaintext transmission. TLS encrypts the traffic between client and server, using a public/private key pair to establish a shared secret and symmetric encryption for the data, and a digital certificate issued by a trusted certificate authority lets the client confirm it is talking to the genuine server, which is what defeats a man-in-the-middle on the connection (it does not remove every attack; see the security considerations below). The default port is 443.
A TLS certificate has to be obtained from a CA. Commercial certificates cost money, but free ones are no longer rare: Let's Encrypt issues them automatically, and the author has been using Aliyun, which offers a free certificate well suited to personal sites; other cloud providers offer free certificates too.
The history of HTTP and HTTP/2 is covered in detail in a separate article on this site.
The TCP three-way handshake and four-way close that bracket an HTTP connection are covered in detail in a separate article on this site.
HTTPS workflow
The flow below is the RSA key-exchange handshake of TLS 1.2 and earlier, which is the variant this article describes. TLS 1.3 no longer permits it: the session key is derived from an ephemeral (EC)DHE exchange and the certificate is used only to sign the handshake, which gives forward secrecy. The steps are still the clearest way to see what the certificate and the two kinds of keys are for.
1. The client sends a request for https://baidu.com and connects to port 443 on the server.
2. The server must hold a certificate and the matching private key. The certificate can be self-signed or issued by a CA. A self-signed certificate makes the browser show a warning that the user must accept before continuing; a certificate issued by a trusted CA produces no such prompt. The certificate carries the server's public key; the private key never leaves the server.
3. The server sends the certificate. It is not just a bare public key: it also carries the issuing authority, the validity period, the server's domain name(s), the server's public key, and the CA's signature over all of that.
4. The client validates the certificate. The client's TLS library checks the issuer against its trust store, checks the validity period, checks that the name matches the requested host, and verifies the CA signature. Any failure produces a warning page saying there is a problem with the certificate. If the certificate is valid, the client generates a random value that will become the symmetric session key and encrypts it with the server's public key taken from the certificate.
5. The client sends the encrypted value. Because only the server's private key can decrypt it, only the real server obtains the session key; from here on both sides encrypt and decrypt with this shared random value.
6. The server decrypts with its private key. This yields the session key chosen by the client (a symmetric key, not a private key). The server now encrypts the response content symmetrically with it.
7. The server transmits the encrypted response. It is encrypted with the shared symmetric session key, not with the server's private key, and only a holder of that key can restore it.
8. The client decrypts the response with the session key it generated in step 4 and obtains the plaintext.
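As an added example (not code from the original article), the workflow above played out with Go's standard library: the client wraps a freshly generated symmetric session key with the server's RSA public key (RSA-OAEP rather than the PKCS#1 v1.5 padding that old TLS used, because OAEP is the padding to use today), the server unwraps it with its private key, and both sides then exchange application data under AES-256-GCM. The certificate is left out so the role of each key stays visible; the request string and the "200 OK" reply text are made up for the demo, and this code is an illustration of the key flow, not a replacement for a real TLS stack.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// ClientKeyExchange is the fourth and fifth step of the workflow: the client
// draws a random 256-bit session key and encrypts it to the server's public
// key (RSA-OAEP), so only the holder of the matching private key can recover it.
func ClientKeyExchange(serverPub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sessionKey, nil)
	if err != nil {
		return nil, nil, err
	}
	return sessionKey, wrapped, nil
}

// ServerUnwrap is the sixth step: the server's private key recovers the
// session key. What crossed the wire is the symmetric key, never a private key.
func ServerUnwrap(serverPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, wrapped, nil)
}

// newGCM turns the 32-byte session key into an AES-256-GCM AEAD.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts application data under the shared session key, prefixing a
// fresh random nonce. Both sides use this for the remaining steps.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. A wrong key or a modified ciphertext fails the GCM
// tag check, so tampering is detected instead of yielding silent garbage.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short: %d bytes", len(sealed))
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// RunExchange plays both roles end to end and returns the plaintext the
// client recovers from the server's encrypted reply.
func RunExchange(request string) (string, error) {
	serverPriv, err := rsa.GenerateKey(rand.Reader, 2048) // server's long-term key pair
	if err != nil {
		return "", err
	}
	// Client: in real TLS the public key is read out of the certificate.
	sessionKey, wrapped, err := ClientKeyExchange(&serverPriv.PublicKey)
	if err != nil {
		return "", err
	}
	// Server: unwrap the session key and answer under it.
	serverKey, err := ServerUnwrap(serverPriv, wrapped)
	if err != nil {
		return "", err
	}
	reply, err := Seal(serverKey, []byte("200 OK for "+request)) // demo reply text
	if err != nil {
		return "", err
	}
	// Client: decrypt with the session key it generated itself.
	plain, err := Open(sessionKey, reply)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	fmt.Println(RunExchange("GET / HTTP/1.1"))
}
```

Two things are worth noticing when running it: the server never sees anything but the wrapped session key, and `Open` refuses to return data when the key or the ciphertext is wrong, which is the property an authenticated cipher adds over plain encryption. The missing piece, deliberately, is how the client knows that `serverPub` belongs to baidu.com rather than to a middleman; that is the job of the certificate check covered later in the article.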
Related terms
Symmetric encryption algorithms (symmetric key algorithms)
In a symmetric algorithm the key used to encrypt is the same key used to decrypt, so the algorithm is only as secure as the secrecy of that key: it must be known to the communicating parties and to nobody else. There is no distinction between a public and a private key; there is one shared key.
The key is simply a string of bytes (or a number) that is handed to the encryption or decryption routine together with the data. In TLS the session key is such a value, generated fresh for each connection.
Asymmetric encryption algorithm (asymmetric key algorithms)
In an asymmetric algorithm the key used to encrypt differs from the key used to decrypt: the two form a pair, and the private key cannot in practice be derived from the public one.
Note: what is encrypted with the private key can be decrypted by anyone who holds the public key; this is the principle behind digital signatures, since only the holder of the private key could have produced the value. Conversely, what is encrypted with the public key can be decrypted only with the private key, which is how the session key is protected in the handshake above. The private key is held by exactly one party, while the public key can be handed to everyone.
Man in the middle attack
A man-in-the-middle attack (MITM) is one in which an attacker intercepts, and possibly alters, the data passing between two parties on the network. It comes in two forms: a passive MITM only reads the traffic without changing it, while an active MITM can both read and tamper with it. The most common setting is a public Wi-Fi network or a compromised router. Against HTTPS a middleman only succeeds if the client accepts his certificate: he cannot obtain a valid certificate for the server's name from a CA the client trusts, so the certificate check is what stops him, and it works only if the client actually performs that check instead of clicking through a warning.
(Figure omitted: the attacker sits between the client and the server and relays each message the client sends, reading or altering it on the way.)
Secure Transmission of Digital Certificate
To stop a man-in-the-middle attack, the one thing the whole exchange must guarantee is that the public key the client receives really belongs to the server it asked for. Digital certificates exist for this. A certificate is issued to the server by an authoritative CA: the CA takes the information the server supplies and produces a certificate containing the holder's details (above all its domain name), the holder's public key, the issuer's identity, the validity period and the issuer's signature. The public key is the essential part. How does the certificate prove that the public key belongs to the requested server? The holder information in the certificate is bound to that key, so a middleman who presents his own key cannot also present the server's name under it. But a certificate could itself be forged, so how is its authenticity guaranteed? A certificate has three relevant parts: the certificate content (F1), the signature algorithm (A) and the signature (F3). They are related as follows: the content F1 is hashed to a digest F2 (this article says SHA-1; browsers no longer accept SHA-1 certificate signatures and CAs sign with SHA-256 today), and F2 is signed with the CA's private key, using RSA in this example, to produce F3.
When the client connects, the server sends the certificate. The client verifies the signature F3 with the CA's public key, which it already holds in its trust store, recovering the digest the CA signed, and independently hashes the content F1 with the same algorithm to get F2. If the two digests are equal, the content is intact and was signed by that CA; the client then also checks the validity period and that the domain name matches the host it requested.
Because an attacker does not hold the CA's private key, he cannot produce a signature that passes this check for content of his choosing, whether he edits a genuine certificate or fabricates one. What the check cannot catch is a certificate issued by a CA that the client trusts but should not (see the security considerations below), or a client that skips the verification altogether.
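An added example (not code from the original article) of the verification just described, using Go's crypto/x509: a root CA signs a server certificate (F3 = sign(hash(F1)); Go picks SHA-256 with RSA for an RSA key), the client verifies it against its trust store, and then the two moves a middleman can make without the CA's private key are tried: a certificate for the same host issued by an impostor CA that copies the real CA's name but has its own key, and the genuine certificate with one bit of its signed content flipped. The CA name, host name and validity window are made up for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template is the certificate content (F1): holder name, validity period and
// what the key may be used for. A CA may sign; a server cert names its host.
func template(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// newKey makes a 2048-bit RSA key pair; it panics only if the system RNG fails.
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// issue hashes the content and signs it with signerKey (F3 = sign(hash(F1)));
// Go picks SHA-256 with RSA. parent == tmpl gives a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signerKey *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ClientCheck is the browser's side: verify the signature with the public key
// of a trusted root, check the validity period and match the requested host.
func ClientCheck(cert *x509.Certificate, trusted *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	return err
}

// Scenario issues a genuine certificate for host, then tries what a middleman
// can do without the CA's private key. It reports whether each of
// (genuine, issued by an impostor CA, tampered content) passes ClientCheck.
func Scenario(host string) (genuineOK, forgedOK, tamperedOK bool, err error) {
	caKey, root := newKey(), template("Example Root CA", true)
	caCert, err := issue(root, root, &caKey.PublicKey, caKey)
	if err != nil {
		return
	}
	trusted := x509.NewCertPool() // the client's trust store
	trusted.AddCert(caCert)
	srvKey := newKey()
	srvCert, err := issue(template(host, false), caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		return
	}
	genuineOK = ClientCheck(srvCert, trusted, host) == nil
	// Impostor: same CA name, but a key pair the attacker generated himself.
	// The chain ends at a root the client does not trust, so it is rejected.
	mitmKey, fakeRoot := newKey(), template("Example Root CA", true)
	fakeCA, err := issue(fakeRoot, fakeRoot, &mitmKey.PublicKey, mitmKey)
	if err != nil {
		return
	}
	forged, err := issue(template(host, false), fakeCA, &mitmKey.PublicKey, mitmKey)
	if err != nil {
		return
	}
	forgedOK = ClientCheck(forged, trusted, host) == nil
	// Tampering: flip one bit of the genuine certificate's signed content.
	// hash(F1') no longer matches what the CA signed, so the signature fails.
	tampered := *srvCert
	tampered.RawTBSCertificate = append([]byte(nil), srvCert.RawTBSCertificate...)
	tampered.RawTBSCertificate[len(tampered.RawTBSCertificate)/2] ^= 0x01
	tamperedOK = tampered.CheckSignatureFrom(caCert) == nil
	return
}

func main() {
	fmt.Println(Scenario("www.example.com"))
}
```

The impostor case is the one that matters in practice: nothing in the forged certificate looks wrong by itself (right host name, valid dates, well-formed signature), and it is rejected only because the client compares it against a trust store the attacker does not control. That is also why a CA that is in the trust store but should not be is a real threat, as the security considerations below note.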
Cost of using HTTPS
Security considerations:
The protection HTTPS provides is confined to the transport: it does little against application-level attacks, denial of service, or a server that has itself been compromised.
The trust chain behind TLS certificates is only as trustworthy as the CAs in the client's root store. If a trusted CA is compromised or coerced, for instance where a state controls a root CA, it can issue a certificate for any domain and a man-in-the-middle attack becomes feasible again. Certificate Transparency logs exist to make such mis-issuance detectable after the fact.
Cost considerations:
Historically a TLS certificate had to be bound to an IP address, so one IP could not serve several domain names with different certificates, and IPv4 address space could not absorb that consumption. The SNI extension of TLS solves this by sending the requested host name at the start of the handshake; it needs browser and operating-system support, and at the time of writing Windows XP lacked it, which given XP's installed base made the feature of limited use. That is no longer the case: every supported browser and OS implements SNI, and a single IP address routinely serves many HTTPS sites.
According to ACM CoNEXT measurement data cited at the time of writing, HTTPS increased page load time by close to 50% and power consumption by 10% to 20%. Those numbers predate TLS 1.3, widespread session resumption and HTTP/2, and are not representative of current deployments.
An HTTPS connection costs more server-side resources than plain HTTP, which made it more expensive for heavily visited sites; with hardware AES acceleration, ECDSA certificates and session resumption the overhead on modern servers is small.
The handshake adds round trips before the first byte of the response, which affects response time and user experience. One approach that was popular is to divide and conquer: serve the home page over HTTP and use HTTPS only for login and user information, as the 12306 site did. This is no longer acceptable practice: every page served over HTTP can be read and rewritten by an on-path attacker, who can redirect the user, strip the link to the HTTPS login page or steal cookies that were not marked Secure. The current recommendation is HTTPS for the whole site, with TLS 1.3, session resumption and HTTP/2 to recover the handshake cost and HSTS to stop downgrades to HTTP.
© 2024 shulou.com SLNews company. All rights reserved.