
Advantages, Disadvantages and Principle Analysis of HTTPS

2025-01-18 Update From: SLTechnology News&Howtos shulou

This article explains the advantages and disadvantages of HTTPS and analyzes how it works.

What is HTTPS:

HTTPS (full name: Hyper Text Transfer Protocol over Secure Socket Layer) is an HTTP channel designed with security as its goal; that is, an SSL layer is added beneath HTTP. The security foundation of HTTPS is SSL, so the details of encryption are handled by SSL. HTTPS uses a different default port from HTTP and adds an encryption/authentication layer between HTTP and TCP. This system provides authentication and encrypted communication. It is now widely used for security-sensitive communication on the World Wide Web, such as transaction payments.

With traditional HTTP there are many gray intermediate links, and the information passing through them is easy to steal. HTTPS authenticates the user and the server so that data is sent to the correct client and server, and encrypts the data to prevent it from being stolen in transit, which greatly reduces the risk of a third party stealing information or tampering with identity.

HTTPS security principle analysis:

HTTPS consists mainly of two parts, HTTP + SSL/TLS: a module that handles encrypted information is added as another layer beneath HTTP. Information sent by both the server and the client is encrypted by TLS, so the data on the wire is ciphertext. The difference in principle between HTTPS and HTTP can be observed in the following figure:

How HTTPS works:

①. The client sends the server a list of the algorithms it supports and a random number that is used in key generation;

②. The server selects an encryption algorithm from the list and sends it to the client together with a certificate containing the server's public key; the certificate also contains the server's identity for authentication purposes, and the server also provides a random number for generating the key;

③. The client verifies the server's certificate (refer to the digital signature for verifying the certificate) and extracts the server's public key; it then generates a random secret string called pre_master_secret, encrypts it with the server's public key (refer to asymmetric encryption/decryption), and sends the encrypted information to the server;

④. The client and the server independently calculate the encryption and MAC keys from pre_master_secret and the random values of the client and server (refer to DH key exchange algorithm);

⑤. The client sends the server a MAC value over all handshake messages;

⑥. The server sends the client a MAC value over all handshake messages.
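Steps ④ to ⑥ as an added example, not code from the original article: assuming TLS 1.2 as defined in RFC 5246 with its SHA-256 PRF, each side derives the master secret and session keys from pre_master_secret and the two random numbers, then checks the MAC over the handshake messages. The cipher-suite key sizes, the sample values and the function names are assumptions made for this illustration.

```python
import hashlib
import hmac


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246, section 5): P_SHA256(secret, label + seed)."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # Step 4: each side runs this on its own copy of the same three inputs.
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes) -> dict:
    # Seed order flips to server_random + client_random for key expansion.
    # Sizes assume an AES-128-CBC + HMAC-SHA256 suite: two 32-byte MAC keys
    # and two 16-byte cipher keys, one of each per direction.
    raw = prf(master, b"key expansion", server_random + client_random, 96)
    names = ("client_mac", "server_mac", "client_key", "server_key")
    keys, pos = {}, 0
    for name, size in zip(names, (32, 32, 16, 16)):
        keys[name] = raw[pos:pos + size]
        pos += size
    return keys


def finished(master: bytes, label: bytes, transcript: bytes) -> bytes:
    # Steps 5 and 6: a 12-byte keyed digest over every handshake message so far.
    return prf(master, label, hashlib.sha256(transcript).digest(), 12)


def check_finished(master: bytes, label: bytes, transcript: bytes, received: bytes) -> bool:
    # Constant-time compare; a mismatch means the handshake was altered in transit.
    return hmac.compare_digest(finished(master, label, transcript), received)


# Constructed sample values, not captured traffic.
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
PRE_MASTER = b"\x03\x03" + bytes(46)  # version 3.3 + 46 bytes (random in practice)
TRANSCRIPT = b"ClientHello|ServerHello|Certificate|ClientKeyExchange"  # stand-in bytes
TAMPERED = TRANSCRIPT.replace(b"ClientHello", b"ClientHellO")
```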

Advantages and disadvantages of HTTPS:

According to case feedback, the advantages and disadvantages of HTTPS are mainly distributed in three aspects:

Advantages of HTTPS:

In terms of security

With current technology, HTTPS is the most secure solution under the current architecture, with the following main benefits:

1. Using the HTTPS protocol authenticates users and servers and ensures that data is sent to the correct clients and servers;

2. The HTTPS protocol is a network protocol built from SSL + HTTP that supports encrypted transmission and identity authentication. It is safer than the HTTP protocol: it prevents data from being stolen or altered during transmission and ensures the integrity of the data;

3. HTTPS is the most secure solution under the current architecture. It is not absolutely secure, but it significantly increases the cost of man-in-the-middle attacks.

Disadvantages of HTTPS:

In terms of technology

1. Under the same network environment, the HTTPS protocol increases page load time by nearly 50% and increases power consumption by 10% to 20%. In addition, the HTTPS protocol also affects caching, increasing data overhead and power consumption;

2. The security provided by the HTTPS protocol has a limited scope; it has little effect against hacking attacks, denial-of-service attacks, server hijacking, etc.;

3. Most critically, the chain-of-trust system of SSL certificates is not safe. Man-in-the-middle attacks are just as feasible, especially if some countries can control CA root certificates.

In terms of cost

1. Professional SSL certificates need to be purchased; the more powerful the certificate, the higher the cost. Personal and small websites can choose an entry-level free certificate;

2. SSL certificates usually need to be bound to a fixed IP. Adding a fixed IP to the server incurs an additional fee;

3. HTTPS connections take up a lot of server-side resources, which increases bandwidth and server investment costs under the same load.

Does having so many shortcomings mean HTTPS should not be adopted? Of course not. As technology develops, many of these shortcomings can be optimized or compensated for. For example:

The speed problem can be solved by CDN acceleration. Many IDCs are also launching free certificates and one-stop HTTPS deployment services. HTTPS costs will be greatly reduced in the future!

Should we do HTTPS?

The survey found that most people take a wait-and-see attitude towards HTTPS. They acknowledge the security of HTTPS, but after weighing it from all angles they have decided not to build HTTPS websites for now. There are mainly the following two views:

Views in favor

1. HTTPS has better encryption performance and avoids user information leakage;

2. The complex transmission mode of HTTPS reduces the risk of website hijacking;

3. Search engines have fully supported HTTPS crawling and inclusion, and will give priority to displaying HTTPS results;

4. From a security point of view, I personally feel that HTTPS should be done, but HTTPS can be displayed after logging in;

5. The HTTPS green lock means that users can increase their trust in the website;

6. The basic cost can be controlled, and the certificate and server have formed a supporting scheme;

7. Website loading speed can be compensated for by CDN and other means, but security cannot be ignored;

8. HTTPS is the development trend of the network and will have to be done sooner or later;

9. It can effectively prevent copycat and mirror websites.

Views against

1. HTTPS will slow down user access and increase the computing resource consumption of website servers;

2. At present, search engines only include a small part of HTTPS content, so a wait-and-see attitude should be maintained;

3. HTTPS requires an encryption protocol, which increases operating costs;

4. Baidu's priority display effect for HTTPS is not obvious at present, while Google's is more obvious;

5. The technical threshold is high and there is no way to start;

6. The current site does not involve private information, so no HTTPS is needed;

7. Compatibility needs to be improved, such as robots not supported, alliance advertising not supported, etc.;

8. The security of an HTTPS website is limited; a site that is going to be hacked will still be hacked;

9. HTTPS maintenance is more troublesome; as long as search engines support HTTP, there is no need to do HTTPS.

HTTPS data encryption:

The confidentiality of data in HTTPS is achieved primarily through encryption. Encryption algorithms are generally divided into two types: asymmetric encryption (also called public-key encryption) and symmetric encryption (also called secret-key encryption).

HTTPS uses asymmetric encryption and decryption for two main purposes: key agreement and digital signatures. Key agreement simply means calculating the key needed for symmetric encryption and decryption from the information held by each of the two parties. As shown below:

Symmetric encryption is encryption and decryption using the same key. As shown below:

The multi-step handshake and complex encryption mechanism of HTTPS effectively increase the security of a website; the encryption and authentication mechanisms reduce the risk of website hijacking and counterfeiting!

Thank you for reading. The above is the content of "Advantages and disadvantages of HTTPS and principle analysis". How it applies in a specific situation still needs to be verified in practice.
