This is the seventh day of my participation in the August Text Challenge. For details, see: August Text Challenge

Related articles:

  • Have you really figured out HTTP? (1)
  • Have you really figured out HTTP? (2)
  • Have you really figured out HTTP? (3)

What is HTTP? What’s the difference between HTTP and HTTPS?

1.1 HTTP

HyperText Transfer Protocol (HTTP) is a specification for network communication

In the world of computers and networks there are many different protocols, such as broadcast protocols, addressing protocols, routing protocols and so on

HTTP is a transfer protocol: data travels from A to B or from B to A, and there may be many intermediaries (proxies, for example) between A and B, such as: A<=>X<=>Y<=>Z<=>B

What is transferred is not the raw binary packets of the lower network layers, but complete, meaningful data such as HTML files, image files, query results and other hypertext, which the application on top can interpret

In practice, HTTP is mostly used to transfer information between a web browser and a web server. Plain HTTP sends that content in clear text, without any form of encryption

Features are as follows:

  • Supports the client/server model
  • Simple and fast: to request a service from a server, a client only needs to send the request method and path. Because the protocol is simple, an HTTP server implementation can be small, and communication is fast
  • Flexible: HTTP allows the transfer of data objects of any type. The type being transmitted is marked by the Content-Type header
  • Connectionless: each connection handles only one request. When the server has processed the client's request and sent its response, it closes the connection, which saves transmission time. (This describes HTTP/1.0; HTTP/1.1 keeps the connection open by default with keep-alive, and HTTP/2 multiplexes many requests over one connection)
  • Stateless: the protocol has no memory of previous requests, so a request cannot be processed based on an earlier one. Any session state, such as a login, has to be carried explicitly, for example in cookies

1.2 HTTPS

From the introduction to HTTP above, you know that HTTP sends content in clear text, which is not secure. HTTPS was created to address that weakness of HTTP

To encrypt private data in transit, HTTP is run over the SSL/TLS protocol, i.e. HTTPS = HTTP + SSL/TLS. The server's certificate (still commonly called an SSL certificate) is used to authenticate the identity of the server, and the keys negotiated during the handshake encrypt the communication between browser and server

SSL/TLS sits between TCP/IP and the various application-layer protocols. When a connection is established over SSL/TLS, the browser and the server select a suitable set of cryptographic algorithms (a cipher suite) so that the communication is secure

The handshake flow is as follows:

  • First, the client connects to the server at the URL and starts an SSL/TLS connection
  • On receiving the client's request, the server sends the client its certificate, which contains the server's public key
  • The client and the server negotiate the security level of the SSL/TLS connection, that is, which encryption algorithms will be used
  • The client's browser generates a session key according to the agreed security level, encrypts the session key with the server's public key taken from the certificate, and sends it to the server
  • The server decrypts the session key with its own private key
  • From then on, the server and the client encrypt their communication with the session key

This is the classic RSA key-exchange description that interview answers usually give, and it matches how a TLS 1.2 RSA cipher suite works. In TLS 1.3 the session key is no longer encrypted to the server's public key: both sides derive it with an ephemeral (EC)DHE exchange, and the server's private key is only used to sign the handshake. That gives forward secrecy, so a later leak of the private key does not expose recorded sessions

1.3 The differences

  • HTTPS is the secure version of HTTP. HTTP transmits data in plaintext and is not secure; HTTPS encrypts the traffic with SSL/TLS and is relatively more secure
  • HTTP and HTTPS set up connections differently (HTTPS performs a TLS handshake before the first request is sent) and use different default ports: 80 for HTTP, 443 for HTTPS
  • HTTPS does not perform quite as well as HTTP, because it has to encrypt and decrypt the traffic and needs extra handshake round trips. With TLS 1.3 and session resumption the overhead is small
  • HTTPS requires a certificate. Certificates from commercial CAs cost money, and the more extensively validated ones cost more; domain-validated certificates are also available for free, for example from Let's Encrypt

Why is HTTPS safer than HTTP? How secure is HTTPS?

2.1 Security Features

In the previous article, we learned that HTTP has the following problems in communication:

  • Communication is in plain text (not encrypted), so the content can be eavesdropped on
  • The identity of the communicating party is not verified, so you may be talking to an impostor
  • The integrity of the message cannot be checked, so the content may have been tampered with in transit

HTTPS was created to solve these problems. HTTPS is built on SSL/TLS, and its security is provided by SSL/TLS

With SSL/TLS added, HTTP gains encryption, certificate-based authentication and integrity protection; that is what turns it into HTTPS

Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are security protocols that provide confidentiality and data integrity for network communications. All versions of SSL, as well as TLS 1.0 and 1.1, are deprecated; when people say "SSL" today they mean TLS 1.2 or 1.3 in practice

2.2 How it works

SSL/TLS implements these functions mainly by four means:

  • Symmetric encryption: the negotiated session key encrypts the data
  • Asymmetric encryption: identity authentication and key negotiation
  • Digest algorithm: verifies the integrity of the information
  • Digital signature: authentication

Symmetric encryption

Symmetric encryption means that the same key is used for encryption and decryption, which is why it is called symmetric. As long as the key stays secret, the whole communication can be regarded as confidential

Asymmetric encryption

Asymmetric encryption uses two keys, a public key and a private key, which are different. The public key can be given to anyone; the private key must be kept secret

Either key can be used to encrypt, but what the public key encrypts can only be decrypted with the private key, and what the private key encrypts (a signature) can only be decrypted, that is verified, with the public key

Hybrid encryption

HTTPS communication uses both symmetric and asymmetric encryption, which is called hybrid encryption

Symmetric encryption is fast and, as long as the key stays secret, keeps the whole conversation confidential. Its weakness is that both sides must somehow obtain the same key, and sending it over the network in the clear would defeat the purpose

HTTPS uses asymmetric encryption to solve this key-exchange problem

Specifically, the sender encrypts the symmetric key with the other party's public key, and the other party decrypts it with its own private key

After that, the communication itself uses symmetric encryption, on the premise that the exchanged key is secure

Here’s an example:

The website keeps its private key secret and distributes its public key freely on the web. To log in to the website, all you need is the public key. The resulting ciphertext can only be decrypted by the holder of the private key, so an attacker who captures it cannot read it, because they do not have the private key

The above solves data encryption, but the data can still be tampered with in transit, and an attacker can forge an identity and publish a public key of their own. If you are handed a fake public key, hybrid encryption is of little use: you end up encrypting your data to the attacker, who decrypts it with the matching private key

Therefore, on top of encryption we still need integrity and authentication to achieve real security. The building block for both is the digest algorithm

The digest algorithm

The main means of achieving integrity is the digest algorithm, which is what is usually called a hash function

It can be thought of as a special one-way compression: it turns data of any length into a fixed-length "digest" string that is, in practice, unique to that input, like a digital "fingerprint" of the data

A good digest algorithm makes it infeasible to find a different input with the same digest, so the digest stands in for the original. By attaching the digest of the original text, the receiver can check that what arrived is what was sent. One caveat the interview answer usually skips: a bare digest only catches accidental corruption, because an attacker who can rewrite the message can recompute the digest as well. TLS therefore keys its integrity check with the session key, using an HMAC or an AEAD cipher such as AES-GCM, so that only the two endpoints can produce a valid tag

For example, you send the message "transfer 1000 yuan" together with its SHA-2 digest. When the site receives the message it computes the digest itself and compares the two "fingerprints". If they agree, the message is complete and unaltered

Digital signatures

A digital signature guarantees that the message was really produced and signed by the sender, because without the sender's private key the signature cannot be forged

The principle is simple: the sender encrypts (signs) the digest of the message with the private key, and anyone can decrypt (verify) it with the public key

A signature is as public as a public key and anyone can read it, but it can only be "unsealed" with the public key that matches the private key used to sign. So when you recover the digest from the signature and it matches the digest of the original, you have proved both that the message is intact and that it really came from the key holder, just as a handwritten signature proves who signed a document
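Digest, keyed digest and digital signature side by side on the page's "transfer 1000 yuan" message. This is an added example, not code from the original article: SHA-256, HMAC-SHA256 and RSA-PSS are assumed algorithm choices, the messages are constructed, and the key pairs are generated on the spot rather than loaded from a certificate. It also shows the case the text skips: an attacker who can change the message can recompute a bare digest, which is why the integrity check has to be keyed or signed.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest is the page's "fingerprint": the SHA-256 hash of the message, hex encoded.
func Digest(msg []byte) string {
	sum := sha256.Sum256(msg)
	return hex.EncodeToString(sum[:])
}

// DigestMatches is the receiver's check exactly as the text describes it:
// recompute the digest and compare it with the one that was attached.
func DigestMatches(msg []byte, digest string) bool {
	return Digest(msg) == digest
}

// MAC is a keyed digest (HMAC-SHA256). Only someone holding key can produce or
// check the tag, which is what TLS relies on for record integrity.
func MAC(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// MACMatches compares in constant time so the comparison itself leaks nothing.
func MACMatches(key, msg, tag []byte) bool {
	return hmac.Equal(MAC(key, msg), tag)
}

// NewKeyPair generates a 2048-bit RSA key pair for a signer.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Sign is "encrypt the digest with the private key": hash the message, then RSA-PSS sign.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

// Verify is "decrypt with the public key": true only if msg is unaltered and
// the signature was made with the private key that matches pub.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

func main() {
	original := []byte("transfer 1000 yuan") // constructed message from the text
	tampered := []byte("transfer 9000 yuan") // what the attacker substitutes

	// 1. Bare digest: catches corruption in transit, but an attacker who rewrites
	//    the message just attaches a fresh digest, and the check passes.
	fmt.Println("bare digest, attacker recomputed it:", DigestMatches(tampered, Digest(tampered)))

	// 2. Keyed digest with the session key: the attacker cannot make a valid tag.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	tag := MAC(key, original)
	fmt.Println("HMAC check on tampered message:     ", MACMatches(key, tampered, tag))

	// 3. Digital signature: the sender's key pair; the attacker only has their own.
	sender, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	attacker, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	sig, err := Sign(sender, original)
	if err != nil {
		panic(err)
	}
	forged, err := Sign(attacker, tampered)
	if err != nil {
		panic(err)
	}
	fmt.Println("signature on original message:      ", Verify(&sender.PublicKey, original, sig))
	fmt.Println("signature on tampered message:      ", Verify(&sender.PublicKey, tampered, sig))
	fmt.Println("attacker's signature, sender's key: ", Verify(&sender.PublicKey, tampered, forged))
}
```

The last line is the point the next paragraphs make: verification only proves that the signer holds the private key matching the public key you used. If the attacker had managed to hand you their public key in the first place, the forged signature would verify just fine, which is the gap the certificate authority closes.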

But, as with the message itself, anyone can publish a public key, so we still lack a way to stop an attacker from forging one. In other words: how do you know that the public key you received really belongs to the party you think it does?

This is where a trusted third party, a Certificate Authority (CA), is needed

CA verification mechanism

The digital Certificate Authority (CA) acts as a third party that both the client and the server trust

What the CA signs is not just the public key but a bundle of information about it: serial number, purpose, issuer, validity period, subject name and so on. These are packed together and signed in one go, which attests to all the information associated with the public key and forms a "digital certificate".

The process is as follows:

  • The server operator generates a key pair and applies to the certificate authority for a certificate for its public key
  • After verifying the applicant's identity (for a website, usually by proving control of the domain name), the certificate authority digitally signs the submitted public key together with the identifying information
  • The signed public key and its information are bound together in the public-key certificate
  • The server sends the CA-issued certificate to the client at the start of the handshake, and the client uses the public key in it for the asymmetric part of the communication

The client that receives the certificate uses the certificate authority's public key, which is already built into the browser or operating system trust store, to verify the digital signature on the certificate. Once the signature checks out, this proves:

  • The certificate was issued by a real, valid certificate authority
  • The server's public key contained in it is trustworthy

The browser also checks that the certificate has not expired and that its name matches the host in the URL; a certificate that fails any of these checks is rejected
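The issuing and verification process above, as an added example that is not part of the original article. It builds a throwaway root CA, issues a certificate for the hypothetical host example.com, and runs the client-side check just described; it then shows what happens when a hacker's own CA issues a certificate for the same name, and when a genuine certificate is presented for the wrong host. Names, serial numbers, validity periods and the choice of P-256 keys are all constructed for the demonstration, and only Go's standard library crypto/x509 is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 // constructed serial numbers; a real CA uses large random ones

// template describes either a root CA (isCA) or a server certificate for the host name.
func template(name string, isCA bool) *x509.Certificate {
	nextSerial++
	t := &x509.Certificate{
		SerialNumber: big.NewInt(nextSerial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour), // the "valid time" the text mentions
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign // a CA may sign other certificates
		t.BasicConstraintsValid, t.IsCA = true, true
	} else {
		t.DNSNames = []string{name}                                      // the name the browser matches against the URL
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth} // the "purpose"
	}
	return t
}

// newKey generates a P-256 key pair for a CA or a server; it only fails if the
// system random source is broken, so a panic is acceptable here.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue is the CA's signing step: it binds pub and the template's identity
// information together under signer's key. A nil parent means self-signed (a root).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// PKI holds the root the client trusts, the certificate the real CA issued for
// example.com, and one that a hacker's own CA issued for the same name.
type PKI struct {
	Roots   *x509.CertPool
	Genuine *x509.Certificate
	Rogue   *x509.Certificate
}

func BuildPKI() *PKI {
	caKey, srvKey, hackerKey, rogueKey := newKey(), newKey(), newKey(), newKey()
	root := issue(template("Example Root CA", true), nil, &caKey.PublicKey, caKey)
	genuine := issue(template("example.com", false), root, &srvKey.PublicKey, caKey)
	hackerRoot := issue(template("Hacker CA", true), nil, &hackerKey.PublicKey, hackerKey)
	rogue := issue(template("example.com", false), hackerRoot, &rogueKey.PublicKey, hackerKey)
	roots := x509.NewCertPool() // the browser's trust store, reduced to a single CA
	roots.AddCert(root)
	return &PKI{Roots: roots, Genuine: genuine, Rogue: rogue}
}

// ClientVerify is the browser's check: the presented certificate must chain to a
// trusted root, be within its validity period, be meant for server authentication,
// and carry the host name the client actually connected to.
func ClientVerify(presented *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	pki := BuildPKI()
	fmt.Println("genuine cert, right host:", ClientVerify(pki.Genuine, pki.Roots, "example.com"))
	fmt.Println("genuine cert, wrong host:", ClientVerify(pki.Genuine, pki.Roots, "evil.example"))
	fmt.Println("hacker-issued cert:      ", ClientVerify(pki.Rogue, pki.Roots, "example.com"))
}
```

The rogue certificate is perfectly well formed and correctly signed; it fails only because the signer is not in the client's trust store. That is the whole value of the CA mechanism: the client never has to judge a public key on its own, only to check whether someone it already trusts has vouched for it. The wrong-host case shows the other half of the check, which is why a certificate for one site cannot be reused to impersonate another.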

2.3 Summary

As you can see, although the only difference between HTTPS and HTTP is the SSL/TLS layer, communication security is greatly improved. The four main security properties of communication are achieved as follows:

  • Confidentiality: hybrid encryption
  • Integrity: digest algorithm, keyed with the session key
  • Identity authentication: digital signature
  • Non-repudiation: digital signature

At the same time, a third-party certificate authority is introduced to guarantee the authenticity of the public key

Reference article:

  • Web Front end Interview – Interviewer series