HTTPS

HTTPS = HTTP + SSL/TLS, the secure version of the Hypertext Transfer Protocol. It is based on HTTP and secures the transmission process through encryption and identity authentication.

Mechanisms that guarantee confidentiality and integrity:

  • Symmetric encryption: the same key is used for encryption and decryption
  • Asymmetric encryption: there are two keys, a public key and a private key. The private key is kept secret by its owner, and the public key is shared openly with others
  • Digital signature: when a user encrypts a message with their private key, the result is a signature. If others can decrypt it using that user's public key, the message was sent by that user.
  • Digital certificate: a certificate contains some plaintext information and a digital signature over that information made by the issuer of the certificate (private key encryption)

HTTPS Encryption Principle (Why Is HTTPS Secure?)

Because asymmetric encryption algorithms have a high overhead, symmetric encryption is generally used to encrypt the data itself, while asymmetric encryption is used to encrypt the symmetric key that protects that data.

Symmetric and asymmetric encryption combined:

  • The browser sends an HTTPS request to the server, and the server sends the configured digital certificate to the browser
  • The browser validates the CA signature in the digital certificate and obtains the server’s public key from the digital certificate
  • The browser randomly generates a shared key, encrypts the shared key with the public key and sends it to the server
  • The server decrypts the shared key using its own private key
  • Both parties hold the same symmetric key
  • The browser uses the shared key to encrypt information and send it to the server
  • The server decrypts the information using the shared key

Conclusion: asymmetric encryption is used in the certificate verification stage; symmetric encryption is used for the transfer of data between the browser and the server.
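
The steps above as an added Node.js example (not code from the original page): RSA-OAEP protects the browser's random shared key, and AES-256-GCM then protects the data and detects tampering. The function names and the sample request are constructed for illustration; certificate validation is assumed to have already succeeded, and TLS 1.3 derives the shared key with ephemeral Diffie-Hellman instead of sending it encrypted.

```javascript
const nodeCrypto = require('node:crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Server: key pair whose public half would normally reach the browser inside the
// certificate. CA signature validation is assumed to have passed (not modelled here).
function makeServerKeyPair() {
  return nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Browser: generate a random shared key and encrypt it with the server's public key.
function browserWrapSharedKey(serverPublicKey) {
  const sharedKey = nodeCrypto.randomBytes(32); // 256-bit symmetric key
  const wrappedKey = nodeCrypto.publicEncrypt({ key: serverPublicKey, ...OAEP }, sharedKey);
  return { sharedKey, wrappedKey };
}

// Server: recover the shared key with its own private key.
function serverUnwrapSharedKey(serverPrivateKey, wrappedKey) {
  return nodeCrypto.privateDecrypt({ key: serverPrivateKey, ...OAEP }, wrappedKey);
}

// Either side: symmetric encryption of application data, fresh nonce per message.
function encryptMessage(sharedKey, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', sharedKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ciphertext, tag: cipher.getAuthTag() };
}

// Throws if the ciphertext or authentication tag was modified in transit.
function decryptMessage(sharedKey, { iv, ciphertext, tag }) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', sharedKey, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8');
}

// Constructed sample exchange: one request, then the same request with one bit flipped.
function demoExchange() {
  const { publicKey, privateKey } = makeServerKeyPair();
  const { sharedKey, wrappedKey } = browserWrapSharedKey(publicKey);
  const serverKey = serverUnwrapSharedKey(privateKey, wrappedKey);
  const msg = encryptMessage(sharedKey, 'GET /account HTTP/1.1');
  const received = decryptMessage(serverKey, msg);
  const tampered = { ...msg, ciphertext: Buffer.from(msg.ciphertext) };
  tampered.ciphertext[0] ^= 0x01;
  let tamperDetected = false;
  try { decryptMessage(serverKey, tampered); } catch (e) { tamperDetected = true; }
  return { keysMatch: sharedKey.equals(serverKey), received, tamperDetected };
}
```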

HTTP VS HTTPS

  • HTTP URLs start with http://, while HTTPS URLs start with https://
  • The HTTP port is 80 and the HTTPS port is 443
  • HTTP is insecure because data is transmitted in plaintext. HTTPS encrypts the data, which ensures data integrity, privacy, and protection from man-in-the-middle attacks