
The basic concept

What HTTP and HTTPS are

HTTP

Hypertext Transfer Protocol (HTTP) is an application-layer protocol for distributed, collaborative, hypermedia information systems.

Simply put, it is a method of publishing and receiving HTML pages, used to transmit information between a web browser and a web server.

HTTP works on TCP port 80 by default. URLs served over standard HTTP start with http://.

HTTP sends content in plaintext and provides no data encryption. An attacker who intercepts a packet in transit between a web browser and a web server can read its contents directly. HTTP is therefore not suitable for transmitting sensitive information, for example payment details such as credit card numbers, or passwords.

HTTPS

Hypertext Transfer Protocol Secure (HTTPS) is a transport protocol for secure communication over computer networks. HTTPS communicates over HTTP but uses SSL/TLS to encrypt the packets. It was developed to authenticate web servers and to protect the privacy and integrity of the data exchanged.

HTTPS works on TCP port 443 by default. Its workflow is generally as follows:

1. TCP three-way handshake

2. The client verifies the digital certificate of the server

3. The DH algorithm is used to negotiate the keys for the symmetric encryption algorithm and the hash algorithm

4. The SSL encryption tunnel negotiation is complete

5. The web page is transmitted encrypted, using the negotiated symmetric encryption algorithm and key, to ensure the confidentiality of the data; the hash algorithm protects data integrity against tampering.

Differences between HTTP and HTTPS

  • HTTP data is transmitted in plaintext, without encryption, which is insecure. HTTPS (SSL+HTTP) data is encrypted in transit, which is secure.
  • To use HTTPS, you need to apply for a certificate from a Certificate Authority (CA). Free certificates are generally few, so a fee is usually required. Certificate authorities include Symantec, Comodo, GoDaddy and GlobalSign.
  • HTTP pages respond faster than HTTPS pages, mainly because HTTP only needs the TCP three-way handshake to establish a connection, in which the client and server exchange three packets, whereas HTTPS needs the three TCP packets plus the nine packets of the SSL handshake, 12 packets in total.
  • HTTP and HTTPS connect in completely different ways and use different ports: 80 for the former and 443 for the latter.
  • HTTPS is HTTP built on top of SSL/TLS, so HTTPS requires more server resources than HTTP.

TCP three-way handshake

In TCP/IP, TCP establishes a reliable connection through a three-way handshake.

First handshake:

The client attempts to connect to the server and sends it a SYN packet (SYN = J; SYN stands for Synchronize Sequence Numbers). The client then enters the SYN_SENT state and waits for confirmation from the server.

Second handshake:

The server receives the client's SYN packet and acknowledges it (ACK = J+1), and at the same time sends its own SYN packet (SYN = K); together these form the SYN+ACK packet. The server then enters the SYN_RECV state.

Third handshake:

After receiving the SYN+ACK packet from the server, the client sends an ACK packet (ACK = K+1) to the server. Once this packet is sent, the client and the server enter the ESTABLISHED state and the three-way handshake is complete.
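The three handshakes above as a small state machine, showing the check each side makes on the acknowledgment number before moving to ESTABLISHED. This is an added example, not code from the original article; the class and function names are made up for illustration, and J and K are drawn at random as the initial sequence numbers.

```python
import secrets
from dataclasses import dataclass
MOD = 2**32  # TCP sequence numbers are 32-bit and wrap around

@dataclass
class Segment:
    syn: bool = False
    ack: bool = False
    seq: int = 0      # sender's sequence number (J or K in the text)
    ack_no: int = 0   # next sequence number expected from the peer

class Client:
    def __init__(self):
        self.state, self.isn = "CLOSED", secrets.randbelow(MOD)  # J

    def connect(self) -> Segment:
        self.state = "SYN_SENT"
        return Segment(syn=True, seq=self.isn)

    def on_syn_ack(self, seg: Segment) -> Segment:
        # Accept only a SYN+ACK that acknowledges our own J + 1.
        if not (seg.syn and seg.ack and seg.ack_no == (self.isn + 1) % MOD):
            raise ValueError("SYN+ACK does not acknowledge J + 1")
        self.state = "ESTABLISHED"
        return Segment(ack=True, seq=seg.ack_no, ack_no=(seg.seq + 1) % MOD)

class Server:
    def __init__(self):
        self.state, self.isn = "LISTEN", secrets.randbelow(MOD)  # K

    def on_syn(self, seg: Segment) -> Segment:
        if self.state != "LISTEN" or not seg.syn or seg.ack:
            raise ValueError("expected a bare SYN")
        self.state = "SYN_RECV"
        return Segment(syn=True, ack=True, seq=self.isn, ack_no=(seg.seq + 1) % MOD)

    def on_ack(self, seg: Segment) -> None:
        # The final ACK must carry K + 1; otherwise the connection stays half-open.
        if self.state != "SYN_RECV" or not seg.ack or seg.ack_no != (self.isn + 1) % MOD:
            raise ValueError("ACK does not acknowledge K + 1")
        self.state = "ESTABLISHED"

def handshake():
    client, server = Client(), Server()
    syn = client.connect()              # first handshake
    syn_ack = server.on_syn(syn)        # second handshake
    ack = client.on_syn_ack(syn_ack)    # third handshake
    server.on_ack(ack)
    return client, server, (syn, syn_ack, ack)
```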

How HTTPS works

It is well known that HTTPS encrypts information so that sensitive data cannot be obtained by third parties, which is why many services with high security requirements, such as banking websites and email, use it.

1. The client initiates an HTTPS request

The user enters an https:// URL in the browser, which connects to port 443 on the server.

2. Configure the server

A server that supports HTTPS must have a digital certificate, which can be self-made or applied for from an organization. The difference is that a self-issued certificate must be accepted by the client before access can continue, while a certificate applied for from a trusted company does not trigger a warning page (startssl is a good choice. There is one year free service). The certificate is essentially a pair of public and private keys. If that is not clear, think of the private key as a key and the public key as a lock: you are the only person in the world who holds the key, but you can hand the lock to anyone. Other people can use the lock to lock up something important and send it to you, and because only you hold the key, only you can see what was locked with it.

3. Send certificates

The certificate is essentially the public key, but it also carries a lot of other information, such as the issuing authority and the expiration time.

4. The client parses the certificate

This part of the work is done by TLS on the client side. It first verifies whether the public key is valid, checking for example the issuing authority and the expiration time. If something is wrong, a warning box pops up saying that there is a problem with the certificate. If the certificate is fine, the client generates a random value and encrypts it with the certificate. As described above, this locks the random value with the lock, so that nobody can see what is locked unless they hold the key.

5. Transmit encrypted information

This step transmits the random value encrypted with the certificate. The goal is to give the server this random value, so that from then on the communication between the client and the server can be encrypted and decrypted with it.

6. The server decrypts the information

After decrypting with its private key, the server obtains the random value sent by the client, which now serves as the shared secret key, and symmetrically encrypts the content with that value. Symmetric encryption means mixing the information and the secret key together through some algorithm, so that the content cannot be recovered without knowing the key. The client and the server both know this key, so as long as the encryption algorithm is strong enough and the key is complex enough, the data is secure.

7. Transmit encrypted information

This is the information the server has encrypted with the shared secret key; it can be restored on the client.

8. The client decrypts the information

The client decrypts the message sent by the server with the secret key it generated earlier and obtains the decrypted content. Throughout the whole process, even if a third party intercepts the data, there is nothing it can do with it.
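Steps 4 to 8 above, run end to end with both sides' messages. This is an added teaching example, not code from the original article and not how a TLS library is implemented: the RSA key is a constructed toy key without padding, and the keystream cipher and HMAC tag are stand-ins for the negotiated symmetric and hash algorithms.

```python
import hashlib, hmac, secrets

# Constructed toy RSA key for the server: two Mersenne primes, trivially
# factorable. Real certificates carry 2048-bit or larger RSA keys, or ECDSA keys.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q                              # public key (N, E), sent in the certificate
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, never leaves the server

def derive_keys(secret: int):
    # Separate keys for encryption and integrity, both from the random value.
    raw = secret.to_bytes(16, "big")
    return hashlib.sha256(b"enc" + raw).digest(), hashlib.sha256(b"mac" + raw).digest()

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in symmetric cipher: XOR with SHA-256(key || offset) blocks.
    # One record per key only; real TLS uses a fresh nonce for every record.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(secret: int, plaintext: bytes) -> bytes:
    enc_key, mac_key = derive_keys(secret)
    ct = keystream_xor(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def unseal(secret: int, record: bytes) -> bytes:
    enc_key, mac_key = derive_keys(secret)
    ct, tag = record[:-32], record[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record failed integrity check")
    return keystream_xor(enc_key, ct)

def run_exchange(page: bytes):
    client_secret = secrets.randbits(128)       # step 4: client's random value
    wire_secret = pow(client_secret, E, N)      # step 5: locked with the public key
    server_secret = pow(wire_secret, D, N)      # step 6: server unlocks it
    record = seal(server_secret, page)          # step 7: server encrypts the page
    return wire_secret, client_secret, record, unseal(client_secret, record)  # step 8
```

An eavesdropper sees only `wire_secret` and `record`; without `D` the random value stays locked, and a modified record is rejected by `unseal` before any plaintext is returned.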