HTTPS to ensure Web security

The disadvantages of HTTP

HTTP has these major shortcomings:

  • Communication is in clear text (not encrypted), so the content can be eavesdropped on
  • The identity of the communicating party is not verified, so the party may be an impostor
  • The integrity of the message cannot be proven, so it may have been tampered with

In addition, HTTP itself has many drawbacks. Specific Web servers and specific Web browsers also have practical weaknesses (also known as vulnerabilities or security holes), as do Web applications developed in programming languages such as Java and PHP.

Communications using plaintext may be eavesdropped

  • TCP/IP is a network that can be eavesdropped on

  • Encryption prevents eavesdropping

Encryption of communication

One way is to encrypt communications. HTTP has no encryption mechanism, but it can be used in combination with Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to encrypt HTTP communication.

After a secure communication line is established with SSL, HTTP communication can be carried out over this line. HTTP used in combination with SSL is called HTTPS.

Encryption of content

Failure to verify the identity of the communicating party may result in a masquerade

  • Anyone can initiate a request

In HTTP communication, anyone can initiate a request because there is no step to confirm the communicator. In addition, the server will return a response whenever it receives a request, regardless of who it is (but only if the IP address and port number of the sender are not restricted by the Web server).

  • Verify the other party's certificate

Although the communicating party cannot be determined using the HTTP protocol, it can be determined using SSL. SSL not only provides encryption, but also uses something called a certificate, which can be used to determine the other party. The certificate is issued by a trusted third-party organization to prove that the server and client actually exist. In addition, forging certificates is technically extremely difficult. Therefore, as long as the certificate held by the communicating party (server or client) can be confirmed, that party's true intent can be determined.

Message integrity cannot be proven and the message may have been tampered with

To effectively prevent these problems, it is necessary to use HTTPS. SSL provides authentication, encryption, and digest functions. It is very difficult to ensure integrity with HTTP alone, so it is used in combination with other protocols to achieve this goal.

HTTP + Encryption + Authentication + Integrity Protection = HTTPS

HTTPS is HTTP in an SSL shell

HTTPS is not a new protocol at the application layer. Only the HTTP communication interface is replaced by the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

Typically, HTTP communicates directly with TCP. When SSL is used, HTTP communicates with SSL first, and SSL then communicates with TCP. In short, HTTPS is HTTP wrapped in a shell of SSL.

Public-key encryption in which keys are exchanged

SSL uses a type of encryption called public-key cryptography. In modern encryption methods, the encryption algorithm is open, but the key is secret. In this way the encryption method can be kept secure.

Encryption and decryption both use keys. Ciphertext cannot be decrypted without the key; conversely, anyone with the key can decrypt it. If an attacker obtains the key, the encryption is meaningless.

  • The dilemma of shared key encryption

  • Public key encryption using two keys

Public-key encryption uses a pair of asymmetric keys. One is called the private key and the other is called the public key. As the names imply, the private key must not be known to anyone else, whereas the public key can be freely distributed and is available to anyone.

  • HTTPS uses a hybrid encryption mechanism

HTTPS uses a mixture of shared key encryption and public key encryption. If the key can be exchanged securely, it is possible to consider using public-key encryption only for communication. However, public key encryption is slower than shared key encryption. Therefore, HTTPS makes full use of their respective advantages and combines the two methods. Public key encryption is used in the key exchange stage, and shared key encryption is used in the subsequent stage in which messages are exchanged.

Proving the correctness of the public key

  • EV SSL to prove the authenticity of the organization
  • The client certificate used to authenticate the client
  • Reputation of certification body
  • A certificate issued by a self-certification body is called a self-signed certificate

Secure communication mechanism of HTTPS

Step 2: When SSL communication is enabled, the server responds with a Server Hello packet. As with the client, the packet contains the SSL version as well as the encryption components. The server's encryption components are selected from the client encryption components it received.

Step 3: Then the server sends a Certificate packet. The packet contains a public key certificate.

Step 4: The server sends a Server Hello Done packet to notify the client that the initial SSL handshake negotiation is complete.

Step 5: After the first SSL handshake, the client responds with a Client Key Exchange packet. The packet contains a random string called the pre-master secret, which is used in communication encryption. The packet is encrypted with the public key from Step 3.

Step 6: The client sends a Change Cipher Spec packet. The packet prompts the server to use the pre-master secret key to encrypt subsequent communications.

Step 7: The client sends a Finished packet. The packet contains an overall checksum of all packets exchanged on the connection so far. Whether the handshake negotiation succeeds depends on whether the server can decrypt the packet correctly.

Step 8: The server also sends a Change Cipher Spec packet.

Step 9: The server also sends a Finished packet.

Step 10: After exchanging Finished packets between the server and client, the SSL connection is established. Of course, the communication is protected by SSL. This is where application layer protocol communication starts, that is, sending HTTP requests.

Step 11: Application layer protocol communication, that is, sending HTTP responses.

Step 12: Finally disconnect from the client. When the connection is disconnected, the close_notify packet is sent. After this step, a TCP FIN packet is sent to close the communication with TCP.
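The packets named in steps 2 to 7 can be recognised on the wire by their record and handshake type bytes. The parser below is an added example, not code from the original page; it assumes TLS 1.2 record framing, and the sample flights, certificate bytes and key bytes are constructed placeholders.

```python
import struct

CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}

def record(ctype, payload, version=0x0303):
    """Build one record: type, version, length, payload (sample data only)."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload

def hs(msg_type, body=b""):
    """Build one handshake message: 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def label_records(stream):
    """Name each message in a one-direction stream of TLS records."""
    names, pos, encrypted = [], 0, False
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated record header")
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        pos += 5 + length
        if ctype == 22 and encrypted:
            names.append("Handshake(encrypted)")  # Finished: type not readable
        elif ctype == 22:
            off = 0  # one record may carry several handshake messages
            while off < len(body):
                mlen = int.from_bytes(body[off + 1:off + 4], "big")
                if off + 4 + mlen > len(body):
                    raise ValueError("handshake message exceeds record")
                names.append(HANDSHAKE.get(body[off], f"Handshake({body[off]})"))
                off += 4 + mlen
        else:
            names.append(CONTENT.get(ctype, f"Unknown({ctype})"))
            encrypted = encrypted or ctype == 20  # keys switch after this
    return names

# Constructed sample flights; certificate and key bytes are placeholders.
SERVER_FLIGHT = record(22, hs(2, b"\x03\x03" + bytes(32)) + hs(11, b"cert-placeholder") + hs(14))
CLIENT_FLIGHT = (record(22, hs(16, b"encrypted-pre-master-secret"))
                 + record(20, b"\x01")
                 + record(22, bytes(40)))  # step 7 Finished, already encrypted

if __name__ == "__main__":
    print(label_records(SERVER_FLIGHT))  # steps 2-4
    print(label_records(CLIENT_FLIGHT))  # steps 5-7
```

Everything after Change Cipher Spec is opaque to a passive observer, which is why the Finished packet shows up only as an encrypted handshake record.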

In the preceding process, the application layer attaches a Message Authentication Code (MAC) digest to the data it sends. The MAC makes it possible to detect whether packets have been tampered with, protecting packet integrity.
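How the pre-master secret from step 5 turns into keys that both sides share, and how the MAC described above exposes tampering, shown as an added example (not code from the original page). It assumes the TLS 1.2 key derivation from RFC 5246 with HMAC-SHA256; the secret and random values are constructed, and record encryption is left out.

```python
import hashlib
import hmac
import struct

def p_sha256(secret, seed, length):
    """P_hash expansion used by the TLS 1.2 PRF (RFC 5246, section 5)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def derive_mac_keys(pre_master, client_random, server_random):
    """Both peers run this after step 5 and arrive at the same keys."""
    master = p_sha256(pre_master, b"master secret" + client_random + server_random, 48)
    block = p_sha256(master, b"key expansion" + server_random + client_random, 64)
    return block[:32], block[32:64]  # client-write and server-write MAC keys

def record_mac(mac_key, seq, ctype, fragment, version=0x0303):
    """HMAC over sequence number, record header fields and payload."""
    header = struct.pack("!QBHH", seq, ctype, version, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()

def verify_record(mac_key, seq, ctype, fragment, tag):
    """Constant-time comparison of the received MAC with the expected one."""
    return hmac.compare_digest(record_mac(mac_key, seq, ctype, fragment), tag)

# Constructed values; real ones come from the hello packets and step 5.
PRE_MASTER = b"\x03\x03" + bytes(range(46))
CLIENT_RANDOM = bytes([0xC1]) * 32
SERVER_RANDOM = bytes([0x5E]) * 32

def demo():
    client_key, _server_key = derive_mac_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    request = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    tag = record_mac(client_key, 0, 23, request)
    altered = request.replace(b"GET", b"PUT")
    return {
        "intact": verify_record(client_key, 0, 23, request, tag),
        "tampered": verify_record(client_key, 0, 23, altered, tag),
        "replayed": verify_record(client_key, 1, 23, request, tag),
    }

if __name__ == "__main__":
    print(demo())
```

Because the sequence number is part of the MAC input, a record that is replayed or reordered fails verification even when its bytes are unchanged.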

SSL is slow in two ways. One is slow communication. The other is that processing speed drops because of heavy consumption of CPU and memory resources.

Compared to using HTTP, network load can be 2 to 100 times slower. In addition to TCP connections and sending HTTP requests and responses, SSL communication is also required, so overall processing traffic inevitably increases.

The other point is that SSL must perform encryption. Encryption and decryption are required on both the server and the client. As a result, the server and client consume more hardware resources than with HTTP, resulting in increased load.