In the previous article, I described a variety of security issues with HTTP, and to solve them, you need to use HTTPS.

HTTP plus encryption and authentication and integrity protection is HTTPS.

HTTPS is often used for communication on the Web login page and shopping and settlement interface, such as opening the login page of Taobao.

  • This parameter is no longer used when HTTPS is used for communicationhttp://Instead, usehttps://.
  • When a browser accesses a Web site with valid HTTPS communication, a lock symbol appears in the browser address bar.

HTTPS is HTTP in an SSL shell

First, be clear: HTTPS is not a new protocol at the application layer. The HTTP communication interface is replaced by the Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocols.

  • Typically, HTTP communicates directly with TCP.
  • When SSL is used, it evolves to communicate with SSL first and then with SSL and TCP.

SSL is a protocol independent of HTTP.

Therefore, not only HTTP, but other protocols running at the application layer, such as SMTP and Telnet, can work with SSL. SSL is the most widely used network security technology in the world today.

Public key encryption technology for exchanging keys

SSL uses a type of encryption called public-key cryptography.

But before we go any further, here are two:

  • Shared key encryption.
  • Public key encryption.

1. Encrypt the shared key

Encryption and decryption use the same key (also called symmetric key encryption). During encryption, the key must also be sent to the peer party. Therefore, how to securely deliver the key to the peer party is a problem.

  • If the communication is monitored as the key is forwarded over the Internet, the key could fall into the hands of an attacker, and the point of encryption would be lost.
  • In addition, the recipient must try to secure the received key.

2. Public key encryption

In view of the above problems, there is a public key encryption. The solution is simple: if I’m worried about the key being stolen in the process of sending it, why don’t I just send it?

Thus, public-key encryption uses a pair of asymmetric keys, respectively:

  • Private key: A private key cannot be made known to anyone else.
  • Public keys: Public keys are freely distributed and available to anyone.

The interaction process is as follows (ciphertext sender A, receiver B) :

  1. User A uses user B’s public key for encryption.
  2. User A sends an encrypted message to user B.
  3. After receiving the encrypted message, user B decrypts the message using its private key.

In this way, there is no need to send the private key for decryption, and there is no need to worry about the key being eavesdropped and stolen by an attacker.

In addition, even if you know the public key and ciphertext, it is extremely difficult to recover the original message.

Because decryption is evaluating discrete logarithms, it’s not easy to do.

Taking a step back, if you can factor a very large integer quickly, there is hope for password cracking. But it’s not realistic with the current technology.

3. HTTPS uses the hybrid encryption mechanism

HTTPS uses a hybrid encryption mechanism of the preceding two encryption modes.

Because public-key encryption is more complex to handle than shard-key encryption, it is less efficient when used in communication.

Therefore, we should make full use of their respective advantages:

  • Public key encryption is used in key exchange.
  • The subsequent stage of establishing communication exchange messages uses the shared key encryption mode.

A certificate certifying the correctness of the public key

All in all, there are still some problems in the above public key encryption method:

  • There is no proof that the public key itself is a genuine public key.

For example, A intends to communicate with SERVER B in public-key encryption mode, and A does receive the public key. However, A does not know whether the public key is really from B. Perhaps the real public key has been replaced by the attacker during transmission.

Therefore, to solve this problem, you need to use public key certificates issued by the DIGITAL Certificate Authority (CA) and its related authorities.

1. What is a Digital Certificate Authority?

It is a third-party organization that is trusted by both the client and the server, such as VeriSign.

Business process:

  1. First, the server logs in its public key to the organization.
  2. The institution digitally signs the server’s public key with its own private key and issues a public key certificate (server public key + the institution’s digital signature).
  3. The server sends the certificate to a client.
  4. A client that receives a certificate verifies the digital signature on the certificate using the organization’s public key.

Once verified, it means:

  • The public key of the authentication server is a real and valid digital certificate authority.
  • The server’s public key is trusted.

OK, it looks good. However, when the server transfers the public key of authentication to the client, how to transfer it safely is also a difficult matter.

Since the transfer process is risky, try not to transfer it. As a result, most browser developers release their versions internally with public keys from common certification authorities.

When all is well, the client can use the public key to encrypt the message and send it, and the server can use the private key to decrypt the message after receiving it.

2. Type of the certificate

  • EV SSL certificates that prove the authenticity of an organization serve one purpose: to prove that the server on which the communication is taking place is in good order; another purpose is to confirm that the enterprise operating behind the server on which the communication is taking place actually exists. EV SSL certificates have this feature.
  • The client certificate used to authenticate the client can also be used in HTTPS. The client certificate is used for client authentication to prove that the server is communicating with the expected client. This can be found in some online banks. For example, when logging in to online banking, the user is required not only to enter an ID and password, but also to have a client certificate, which is used to confirm whether the user accesses online banking from a specific terminal.
  • A certificate issued by a self-certification authority is called a self-signed certificate. By using OpenSSL, an open source program, each person can build his or her own certification authority and issue a server certificate to himself or herself. However, the certificate browser may not recognize it, and will display warning messages such as “cannot confirm connection security” or “there is a problem with this website’s security certificate.”

Supposedly, certification body reputation first, credit to be absolutely reliable. But there is also the risk of hacking. In July 2011, a Dutch authentication agency called DigiNotar was hacked and issued fake certificates for sites such as Google.com and Twitter.com. The incident fundamentally shook the credibility of SSL.

The use of SSL affects speed

SSL has two types of slowness: slow communication and slow processing.

Compared with HTTP, HTTPS requires SSL communication in addition to TCP connection and SENDING HTTP request and response. Therefore, the overall traffic volume increases.

HTTPS, by contrast, is 2 to 100 times slower than HTTP

The processing speed is slow because HTTPS requires encryption on the server and client and processing on the interface, it consumes more hardware resources, such as CPU and memory.

There is no fundamental solution. However, there is an SSL accelerator (dedicated server) hardware that can remedy this problem. The hardware is dedicated to SSL communication, which can improve the calculation speed of SSL several times compared with software. Use the SSL accelerator only for SSL processing to share the load.

Why not always use HTTPS

Soul searching: If HTTPS is so secure, why don’t all Web sites use HTTPS all the time?

Cause 1 Encrypted communication consumes more CPU and memory resources than plain text communication. If every communication is encrypted, it consumes a considerable amount of resources, and the number of requests that can be processed on a single computer is bound to decrease. And some web site traffic is very large, encryption processing, server Yali Mountain.

Therefore, FOR sensitive information processing, such as user personal information, HTTPS is used to encrypt communication. For some other non-sensitive information, just use HTTP to communicate.

Reason 2: Money.

The certificates mentioned above cost money to purchase from certification agencies. As a result, services that do not pay for certificates, as well as personal websites, may choose to use HTTP instead.