This chapter describes the basic principles of HTTPS and how HTTPS prevents problems such as impersonation, eavesdropping, and tampering during HTTP communication.

1. Disadvantages of HTTP

The following three security problems occur during HTTP communication:

  • Communication is in clear text (not encrypted), so the content can be eavesdropped on.
  • The identity of the communicating party is not verified, so impersonation is possible.
  • The integrity of messages cannot be verified, so they may have been tampered with.

1.1 Eavesdropping

HTTP has no encryption function, so messages are transmitted in plain text.

During network transmission, the information we send passes through many network nodes and devices, any of which may intercept it and eavesdrop. Commonly used packet capture tools are enough to read unencrypted network traffic.

Encryption prevents eavesdropping

(1) Encrypting the communication: One way to prevent eavesdropping is to encrypt the communication. HTTP itself has no encryption mechanism. However, HTTP traffic can be encrypted by combining HTTP with Secure Socket Layer (SSL) or Transport Layer Security (TLS).

Once SSL is used to establish a secure communication line, HTTP communication can be carried out over this line. HTTP used in combination with SSL is called HTTPS (HTTP Secure).

(2) Encrypting the content: Another way is to encrypt the content of the communication itself. In this case, the client must encrypt the HTTP message before sending the request. Because this method, unlike HTTPS, does not encrypt the entire communication line, the content is still at risk of tampering.

1.2 Impersonation

The HTTP protocol itself does not authenticate the other side of the communication, so anyone can make a request to the server.

Various security risks arise if the communicating party is not verified:

  • The client cannot confirm whether its request reached the intended server or whether the server that returns the response is the intended server; it may be an impersonating server.
  • The server cannot confirm whether the client that made the request, and to which it returns the response, is the intended client.
  • There is no way to verify that the other party has access rights, which matters because some servers should only be accessible to specific users.
  • Even meaningless requests are accepted, exposing the server to DDoS attacks.

Preventing impersonation by checking the other party's certificate

SSL not only provides encryption, but also uses a mechanism called a certificate to confirm the identity of the other party.

A certificate is issued by a third-party organization to prove that the server and client actually exist.

Certificates are used to prove that the communicator is the intended server. For users, it also reduces the risk of personal information disclosure.

In addition, a client that holds a certificate can use it to prove its own identity, and the certificate can also be used in a website's authentication process.

1.3 Tampering

HTTP usually cannot confirm the integrity of a message. If the transmitted information is tampered with, it is no longer accurate and the receiver gets wrong information. For example, suppose you want to download a resource from a website while your network traffic has been hijacked by someone else. When you make the download request, the resource is modified on its way to you, so what you download is not the resource you wanted.

Such an attack in which a request or response is intercepted and tampered with by an attacker in transit is called a man-in-the-middle attack (MITM).

How to prevent tampering

As mentioned in the previous section, the Content-MD5 header field can be used to check that the content of the entity is intact. However, since the value of Content-MD5 can itself be tampered with, this field is not reliable, and other methods are needed to ensure that the transmitted content has not been tampered with.

Using other hash algorithms to check the integrity of the transmission is unreliable in the same way, so in the end we need HTTPS to solve this problem. SSL provides authentication, encryption, and digest functions.
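The difference between an unkeyed digest and a keyed one, as an added example that is not part of the original notes: a party that modifies the body in transit can recompute Content-MD5, but cannot recompute a MAC without the key. The "X-Body-MAC" header, the function names and the sample data are constructed for this illustration; in TLS the key is agreed during the handshake and the check happens inside the TLS layer, not in an HTTP header.

```python
import base64
import hashlib
import hmac

def content_md5(body: bytes) -> str:
    """Content-MD5 value: base64 of the MD5 digest of the entity body."""
    digest = hashlib.md5(body, usedforsecurity=False).digest()
    return base64.b64encode(digest).decode()

def make_md5_response(body: bytes) -> dict:
    return {"headers": {"Content-MD5": content_md5(body)}, "body": body}

def verify_md5(resp: dict) -> bool:
    return hmac.compare_digest(resp["headers"]["Content-MD5"],
                               content_md5(resp["body"]))

def mac_tag(key: bytes, body: bytes) -> str:
    """Keyed digest (HMAC-SHA256): cannot be computed without the key."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def make_mac_response(key: bytes, body: bytes) -> dict:
    # "X-Body-MAC" is a hypothetical header used only for this illustration.
    return {"headers": {"X-Body-MAC": mac_tag(key, body)}, "body": body}

def verify_mac(key: bytes, resp: dict) -> bool:
    return hmac.compare_digest(resp["headers"]["X-Body-MAC"],
                               mac_tag(key, resp["body"]))

def modify_in_transit(resp: dict, new_body: bytes) -> dict:
    """Model of an on-path party that holds no key: it replaces the body and
    recomputes what it can, which is only the unkeyed Content-MD5."""
    headers = dict(resp["headers"])
    if "Content-MD5" in headers:
        headers["Content-MD5"] = content_md5(new_body)
    return {"headers": headers, "body": new_body}

if __name__ == "__main__":
    original = b"installer-1.0 contents"   # constructed sample body
    altered = b"installer-1.0 contents, modified"
    key = b"constructed-session-key"       # constructed; never leaves the endpoints

    md5_resp = modify_in_transit(make_md5_response(original), altered)
    print("Content-MD5 check passes after modification:", verify_md5(md5_resp))

    mac_resp = modify_in_transit(make_mac_response(key, original), altered)
    print("MAC check passes after modification:", verify_mac(key, mac_resp))
```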

2. HTTPS

HTTPS = HTTP + encryption + authentication + digest

2.1 HTTPS is HTTP wrapped in SSL

HTTPS is not a new protocol at the application layer. Only the HTTP communication interface is replaced by the SSL and TLS protocols.

Typically, HTTP communicates directly with TCP. When SSL is used, HTTP communicates first with SSL, and SSL then communicates with TCP. In a nutshell, HTTPS is HTTP in an SSL shell.

With SSL, HTTP gains the encryption, certificate, and integrity protection features of HTTPS.

SSL is independent of HTTP, so other protocols can also use SSL. SSL is the most widely used network security technology in the world.

2.2 Public-key encryption for exchanging keys

Before we talk about SSL, let's take a look at encryption methods. SSL uses a technique called public-key cryptography.

In modern encryption methods, the encryption algorithm is public, but the key is secret. Both encryption and decryption use keys. Without the key, a message cannot be decrypted. On the other hand, anyone who has the key can decrypt the message. If the key is obtained by an attacker, the encryption is meaningless.

2.2.1 Shared Key Encryption Dilemma

Encryption in which the same key is used to encrypt and decrypt is called a common key cryptosystem, also known as symmetric key encryption.

When shared key encryption is used, the key must also be sent to the other party. The key therefore has to be transmitted securely and stored securely. This is the difficulty with shared key encryption.

2.2.2 Public-key encryption using two keys

Public key encryption solves the problem of shared key encryption.

Public-key encryption uses a pair of asymmetric keys. One is called a private key and the other is called a public key. As the name implies, a private key cannot be known by anyone else, whereas a public key can be freely disseminated and available to anyone.

In public-key encryption (asymmetric encryption), the sender encrypts the message with the receiver's public key, and the receiver decrypts the encrypted message with its own private key. In this way, there is no need to send the decryption key, and no need to worry about it being taken by an attacker.

2.2.3 HTTPS uses a hybrid encryption mechanism

HTTPS uses a hybrid mechanism that combines shared key encryption and public key encryption.

If the key could be exchanged securely, shared key encryption alone could be used; when it cannot, public key encryption is used. But public key encryption is slower than shared key encryption, so HTTPS takes advantage of both and combines them: the key is exchanged using public key encryption, and the information is then transmitted using shared key encryption.

2.3 Certificates that prove the public key is genuine

Unfortunately, public-key encryption is also flawed. It is impossible to prove that the public key itself is genuine.

To solve this problem, public key certificates issued by a digital certificate authority (CA) and its affiliated organizations can be used.

VeriSign is one of the best-known digital certificate authorities, which hold the position of a third party trusted by both clients and servers.

The following describes the business process of a digital certificate authority:

First, the server operator submits its public key to the digital certificate authority. After verifying the applicant's identity, the CA digitally signs the submitted public key, issues the signed public key, and binds it into a public key certificate.

The server sends the public key certificate issued by the CA to the client so that the two can communicate using public key encryption. The public key certificate is also called a digital certificate, or simply a certificate.

The client that receives the certificate can use the CA's public key to verify the digital signature on the certificate. Once the signature is verified, the client can confirm two things:

  • The authority that certified the server's public key is a real and valid CA
  • The public key of the server is trusted

This confirms that the public key is genuine.

It is difficult to transfer the CA's public key to the client securely, so most browsers ship with the public keys of the common certificate authorities embedded.

2.3.1 EV SSL certificate that can prove the authenticity of the organization

One function of a certificate is to prove that the server acting as the communicating party is legitimate; another is to confirm that the enterprise operating the server really exists. A certificate that proves the enterprise really exists is an Extended Validation SSL Certificate (EV SSL certificate).

The purpose of this certificate is to prevent phishing attacks.

2.3.2 Client certificate used to confirm the client

In HTTPS, the client certificate can also be used to authenticate the client.

Session management and Cookie application

There is not much to cover in Chapter 8, so I have moved the most important point to this note.

For user authentication, form-based authentication is mostly used now, and cookies are generally used to manage sessions.

The specific steps are as follows:

  • The client puts the login information, such as the user ID and password, in the entity body of the message and sends it to the server in a POST request.
  • The server generates and issues a Session ID to identify the client. This Session ID is also saved on the server and is bound to the client through the Set-Cookie header field. The HttpOnly attribute can be added to the cookie to keep JavaScript from accessing it, which reduces the impact of cross-site scripting attacks.
  • The client saves the Session ID in a local Cookie for the next access. The server identifies the user by verifying the received Session ID, and a series of information related to the user can be obtained from the database.
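The three steps above as a minimal server-side sketch, added here as an example and not taken from the original notes. The user table, cookie name and function names are constructed for the illustration; the Secure and SameSite attributes go beyond what the steps mention and are included because the session cookie should only travel over HTTPS.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed sample data. A real system stores salted password hashes.
USERS = {"alice": "correct horse battery"}
SESSIONS = {}  # server-side store: Session ID -> user ID

def login(user: str, password: str):
    """Step 1 and 2: check the POSTed credentials and, on success, return
    the value for a Set-Cookie header. Returns None if the login fails."""
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(),
                                                   password.encode()):
        return None
    session_id = secrets.token_urlsafe(32)   # unguessable random identifier
    SESSIONS[session_id] = user
    cookie = SimpleCookie()
    cookie["session_id"] = session_id
    cookie["session_id"]["httponly"] = True   # hidden from document.cookie
    cookie["session_id"]["secure"] = True     # only sent over HTTPS
    cookie["session_id"]["samesite"] = "Lax"
    cookie["session_id"]["path"] = "/"
    return cookie["session_id"].OutputString()

def user_for_request(cookie_header: str):
    """Step 3: map the Cookie header of a later request back to a user.
    Unknown or missing Session IDs yield None."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("session_id")
    return SESSIONS.get(morsel.value) if morsel else None

if __name__ == "__main__":
    set_cookie = login("alice", "correct horse battery")
    print("Set-Cookie:", set_cookie)
    session_pair = set_cookie.split(";")[0]   # "session_id=<value>"
    print("known session ->", user_for_request(session_pair))
    print("unknown session ->", user_for_request("session_id=not-issued"))
```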