
Worried about data leakage? Essential network security protection skills to know

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

In recent years the Internet has changed dramatically. In particular, the HTTP protocol we have long been accustomed to is gradually being replaced by HTTPS, and with the joint push of browsers, search engines, CAs and large Internet enterprises, the Internet has entered a "new era of network-wide HTTPS encryption." Enterprise sites have now fully enabled HTTPS, and personal blogs, apps in Apple's App Store and WeChat Mini Programs have also enabled site-wide HTTPS. HTTPS will completely replace HTTP as the mainstream transport protocol in the next few years.

The serious security risks of HTTP

HTTP transmits data in plaintext: any data sent over HTTP is unencrypted and can be seen by anyone. Plaintext transmission makes page hijacking, page tampering, data disclosure, Trojan injection and similar attacks easy, so the risk of user privacy disclosure is very high.

Several common and harmful forms of in-transit content hijacking are as follows:

1. Obtaining wireless users' mobile phone numbers and search content, then harassing them privately with telephone advertising.

2. Obtaining the user's account cookie and stealing useful account information.

3. Adding third-party content, such as advertising, phishing links or Trojans, to the content returned by the website the user is visiting.

What is encrypted by HTTPS?

HTTPS (Hypertext Transfer Protocol Secure) was developed by Netscape and built into its browser to encrypt and decrypt data sent and returned over the network. Put simply, it is the secure version of HTTP: an SSL layer is added under HTTP, and request data is encrypted in that layer. In the HTTPS secure communication mode (HTTP + SSL/TLS), all HTTP traffic is transmitted with TLS encryption.

HTTPS provides three functions: content encryption, identity authentication and data integrity. The purpose is to encrypt data so that it is transmitted securely. In detail:

First, data confidentiality: ensure that content cannot be seen by a third party during transmission.

Second, data integrity: detect in time any transmitted content that a third party has tampered with.

Third, identity authentication: authenticate the real identity of the website server to ensure that data reaches the intended destination.

HTTPS's chain of trust is based on the certificate authorities (CAs) pre-installed in the browser. By default, browsers ship with the root certificates of some CAs, and only certificates issued by trusted CAs are trusted by the browser.

What are the benefits of deploying HTTPS?

① Improves site search rankings: HTTPS sites perform better in search engines. Both Google and Baidu have made it clear that HTTPS sites are given priority.

② Meets PCI DSS requirements: SSL is a key component of PCI compliance.

③ Speeds up page loading: at a Velocity conference, Load Impact and Mozilla reported that websites optimized for HTTP/2 can perform 50-70% better for Internet users than websites on HTTP/1.1. To take advantage of HTTP/2's performance, however, you must first deploy HTTPS.

④ Conforms to national classified protection of information security: Classified Protection 2.0 (Dengbao 2.0) sets higher requirements for the use of cryptographic technology. Communication should use cryptographic technology to ensure the confidentiality of sensitive fields or of the whole message in transit, the HTTPS protocol should be enabled, and authentication information should be transmitted through these encrypted channels.

⑤ Meets iOS ATS requirements: to promote HTTPS, Apple also announced at WWDC 2017 that new apps must enable the ATS (App Transport Security) security feature.

⑥ Higher security: an HTTPS website can prevent users' private information, such as user names, passwords, transaction records and residence information, from being stolen or falsified, and so ensures the security of the website's data in transit. Once an SSL certificate is installed, the browser's built-in security mechanism checks the certificate's status in real time and shows users the website's authentication information, so that users can easily verify the true identity of the website, prevent hijacking, and identify fraudulent, phishing and other fake websites.

⑦ Improves the company's brand image and credibility: the browser shows a "secure" indicator (or a small padlock icon) when an SSL certificate is installed, and shows an "insecure" prompt on sites without one.

If an EV SSL certificate is deployed, the green address bar and the organization name are also displayed, telling users that they are visiting a secure and trusted site, which can greatly enhance the brand image and credibility of the enterprise.

Concerns about using HTTPS

The application process is cumbersome: many people think HTTPS has a barrier to entry, namely the need for an SSL certificate issued by an authoritative CA. From certificate selection, application and purchase through to deployment, the process takes time and effort.

HTTPS consumes more resources: encrypted communication consumes more CPU and memory than plaintext communication. It might seem that encrypting every communication would consume a considerable amount of resources, but this is not the case: users can solve the problem by optimizing performance and deploying certificates on an SLB or CDN. After optimization, many pages perform the same as over HTTP, or even slightly better.

HTTPS operations and maintenance: SSL certificate management takes time and energy. HTTPS websites face operational problems such as insecure external links, SSL vulnerabilities and certificates that expire through negligence.
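As an added example (not from the original article), this Python code checks for two of the operations problems named above: insecure external links loaded by an HTTPS page, and certificates close to expiry. The hosts, HTML and certificate dates are constructed sample input; the date strings use the `notAfter` format returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import ssl
from datetime import datetime, timezone
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Elements that fetch a subresource; <a href> is navigation, not mixed content.
LOADERS = {("script", "src"), ("img", "src"), ("iframe", "src"),
           ("link", "href"), ("video", "src"), ("audio", "src")}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower()
        if tag == "link" and "stylesheet" not in rel:
            return  # e.g. rel=canonical is only a hint, nothing is loaded
        for name, value in attrs:
            if value and (tag, name) in LOADERS:
                # Resolve relative and protocol-relative URLs against the page.
                url = urljoin(self.page_url, value.strip())
                if urlparse(url).scheme == "http":
                    self.findings.append((tag, url))

def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

def days_until_expiry(not_after, now):
    # not_after is in the format of ssl.SSLSocket.getpeercert()["notAfter"].
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days

def expiring_certs(inventory, now, warn_days=30):
    return sorted(h for h, na in inventory.items()
                  if days_until_expiry(na, now) <= warn_days)

# Constructed sample input (hypothetical hosts, not from the article).
PAGE_URL = "https://www.example.test/index.html"
SAMPLE_HTML = """<link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="canonical" href="http://www.example.test/">
<script src="//static.example.test/app.js"></script>
<img src="/img/logo.png"><img src="http://ads.example.test/banner.gif">
<a href="http://partner.example.test/">partner</a>"""
SAMPLE_CERTS = {"www.example.test": "Feb 10 12:00:00 2025 GMT",
                "shop.example.test": "Dec 31 23:59:59 2025 GMT",
                "old.example.test": "Jan  5 09:34:43 2025 GMT"}
NOW = datetime(2025, 1, 18, tzinfo=timezone.utc)
```

Calling `find_mixed_content(PAGE_URL, SAMPLE_HTML)` and `expiring_certs(SAMPLE_CERTS, NOW)` returns the findings for the sample data; an already expired certificate has a negative day count and is always reported.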

At present, certificate management platforms on the market, such as 51SSL, cover the whole certificate life cycle, starting from self-service online ordering. They cover every stage of SSL certificate use and provide one-stop application, online payment, audit, issuance, deployment and management.
