1. Comparison with HTTP

HTTP has the following security issues:

  • Communication is in plaintext, so the content can be eavesdropped on;
  • The identity of the communicating party is not verified, so it can be impersonated;
  • The integrity of a message cannot be proved, so the message may be tampered with.

HTTPS is not a new protocol. HTTP talks to the Secure Socket Layer (SSL, today TLS), and SSL in turn talks to TCP. In other words, HTTPS carries HTTP inside an SSL tunnel.

By using SSL, HTTPS gains encryption (against eavesdropping), authentication (against impersonation), and integrity protection (against tampering).

2. Encryption

2.1 Symmetric Key Encryption

Symmetric-key encryption: the same key is used for encryption and decryption.

  • Advantage: fast operation;
  • Disadvantage: the key cannot be securely transmitted to the other party.

2.2 Asymmetric Key Encryption

Asymmetric-key encryption, also known as public-key encryption, uses different keys for encryption and decryption.

The public key is available to everyone. After obtaining the receiver's public key, the sender encrypts with it, and the receiver decrypts the received content with its own private key.

Besides encryption, asymmetric keys can also be used for signing. Because nobody else can obtain the private key, the sender signs with its private key, and the receiver uses the sender's public key to verify the signature and determine whether it is valid.

  • Advantage: the public key can be transmitted to the sender more securely;
  • Disadvantage: slow operation.

2.3 HTTPS Encryption Mode

As mentioned above, symmetric-key encryption is more efficient for transmission, but its secret key cannot be securely transmitted to the other party, whereas asymmetric-key encryption can protect that transmission. So asymmetric-key encryption can be used to transmit the secret key to the other party. HTTPS uses a hybrid encryption mechanism that combines the two schemes:

  • asymmetric-key encryption is used to transmit the secret key that symmetric-key encryption needs, which ensures security;

  • once the secret key has been obtained, symmetric-key encryption is used for the communication itself, which ensures efficiency (the session key in the figure below is this secret key).
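The hybrid scheme described above, as an added example in Go that is not code from the original article. It uses the standard library only: the receiver's RSA key pair stands in for the server's long-term key, RSA-OAEP wraps a freshly generated AES-256 session key, and AES-GCM then carries the application data. The key sizes, the OAEP label and the sample request string are assumptions chosen for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel is an arbitrary context string (assumption for this example);
// both sides must use the same one.
var oaepLabel = []byte("session-key")

// WrapSessionKey: the sender generates a random symmetric session key and
// encrypts it with the receiver's RSA public key (RSA-OAEP). Only the holder
// of the matching private key can recover it.
func WrapSessionKey(receiverPub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32) // AES-256 key
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, sessionKey, oaepLabel)
	if err != nil {
		return nil, nil, err
	}
	return sessionKey, wrapped, nil
}

// UnwrapSessionKey: the receiver recovers the session key with its private key.
func UnwrapSessionKey(receiverPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, wrapped, oaepLabel)
}

// newGCM builds the AES-GCM AEAD for a session key.
func newGCM(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealMessage encrypts and authenticates application data with the shared
// session key. Output layout: nonce || ciphertext || tag.
func SealMessage(sessionKey, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenMessage decrypts and verifies; any modification of the ciphertext or
// tag in transit makes gcm.Open return an error instead of plaintext.
func OpenMessage(sessionKey, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed message too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// RunHybridExchange walks through the whole scheme and returns the plaintext
// as recovered by the receiver.
func RunHybridExchange(plaintext []byte) ([]byte, error) {
	// Receiver's long-term key pair (the server's key in HTTPS).
	receiverPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	// Sender: choose a session key and wrap it with the receiver's public key.
	senderKey, wrapped, err := WrapSessionKey(&receiverPriv.PublicKey)
	if err != nil {
		return nil, err
	}
	// Receiver: unwrap it with the private key. Both sides now share senderKey.
	receiverKey, err := UnwrapSessionKey(receiverPriv, wrapped)
	if err != nil {
		return nil, err
	}
	// From here on only the fast symmetric cipher is used.
	sealed, err := SealMessage(senderKey, plaintext)
	if err != nil {
		return nil, err
	}
	return OpenMessage(receiverKey, sealed)
}

func main() {
	out, err := RunHybridExchange([]byte("GET / HTTP/1.1")) // constructed sample request
	fmt.Printf("receiver got %q, err=%v\n", out, err)
}
```

The expensive public-key operation happens exactly once, to move 32 bytes of key material; every later record only costs an AES-GCM operation, which is the efficiency argument the text makes. Because GCM is an authenticated cipher, OpenMessage also fails on a modified record, which is the integrity property discussed later in the article.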

3. Authentication

The communicating party is authenticated by means of a certificate.

A digital Certificate Authority (CA) is a third party trusted by both the client and the server.

The server's operator submits its public key to the CA. After verifying the applicant's identity, the CA digitally signs the submitted public key, issues the signed public key, and binds it into a public-key certificate.

During HTTPS communication, the server sends the certificate to the client. The client verifies the CA's digital signature on the certificate to obtain a trustworthy public key; if the verification succeeds, communication can begin.
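The issuance and verification steps above, as an added Go example that is not part of the original article. It uses the standard library's crypto/x509 package: the CA creates a self-signed root, signs the server's public key into a server certificate, and the client checks the presented certificate against the root it trusts and against the expected host name. The CA name, host name, serial numbers and validity window are constructed for the example; the third certificate is included so the verification path rejecting an untrusted signer can be seen.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IssueCertificates plays the roles from the text. The CA creates its own
// self-signed root certificate; the server operator's public key is submitted
// and, after the CA has (conceptually) checked the applicant's identity, it is
// signed into a server certificate. A third certificate for the same name, made
// with a key the CA never vouched for, stands in for an impersonator that the
// client must reject.
func IssueCertificates(serverName string) (root, server, impostor *x509.Certificate, err error) {
	notBefore := time.Now().Add(-time.Hour)
	notAfter := time.Now().Add(24 * time.Hour)

	// 1. The CA's key pair and self-signed root certificate.
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	if root, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, nil, err
	}

	// 2. The server operator's key pair; only the public half is sent to the CA.
	serverKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// The CA signs the server's public key with the CA private key: this is
	// the "signed public key bound into a certificate" from the text.
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, root, &serverKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	if server, err = x509.ParseCertificate(srvDER); err != nil {
		return nil, nil, nil, err
	}

	// 3. Same name, but self-signed with an unrelated key: no CA signature.
	rogueKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	impDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, srvTmpl, &rogueKey.PublicKey, rogueKey)
	if err != nil {
		return nil, nil, nil, err
	}
	if impostor, err = x509.ParseCertificate(impDER); err != nil {
		return nil, nil, nil, err
	}
	return root, server, impostor, nil
}

// ClientVerify is the client-side check: the presented certificate must chain
// to a trusted root (the CA signature is valid) and must be issued for the
// host the client intended to reach.
func ClientVerify(root, presented *x509.Certificate, serverName string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := presented.Verify(x509.VerifyOptions{Roots: pool, DNSName: serverName})
	return err
}

func main() {
	root, server, impostor, err := IssueCertificates("www.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("CA-signed certificate:", ClientVerify(root, server, "www.example.com"))
	fmt.Println("unsigned certificate: ", ClientVerify(root, impostor, "www.example.com"))
}
```

Only the root certificate needs to be pre-installed on the client; the server certificate itself is delivered over the untrusted connection, exactly as the text describes, and it is the CA's signature that lets the client trust the public key inside it.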

4. Integrity protection

SSL provides a message digest to protect message integrity.

HTTP also provides an MD5 message digest, but it is not secure: if the message content is tampered with and the MD5 value is simply recalculated, the receiver cannot detect the tampering.

The digest function of HTTPS is secure because it combines encryption with authentication. Consider an encrypted message that has been tampered with: because the plaintext is not readily available, it is difficult to compute a matching message digest.
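The difference between an unkeyed digest and an authenticated one, as an added Go example that is not part of the original article. It contrasts an MD5 digest of the kind HTTP can attach (anyone can recompute it) with an HMAC-SHA256 tag that depends on a key shared by both ends, which stands in here for the keyed integrity check of an SSL record. The sample bodies and the random key are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Message is a body plus the integrity value the sender attached to it.
type Message struct {
	Body string
	Tag  string
}

// SendWithMD5 mimics HTTP's unkeyed digest: no secret is involved.
func SendWithMD5(body string) Message {
	sum := md5.Sum([]byte(body))
	return Message{Body: body, Tag: hex.EncodeToString(sum[:])}
}

// CheckMD5 recomputes the digest over the received body and compares it.
func CheckMD5(m Message) bool {
	sum := md5.Sum([]byte(m.Body))
	return hex.EncodeToString(sum[:]) == m.Tag
}

// SendWithHMAC attaches a tag that depends on a secret shared by both ends.
func SendWithHMAC(key []byte, body string) Message {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(body))
	return Message{Body: body, Tag: hex.EncodeToString(mac.Sum(nil))}
}

// CheckHMAC verifies the tag with the shared key, in constant time.
func CheckHMAC(key []byte, m Message) bool {
	want, err := hex.DecodeString(m.Tag)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(m.Body))
	return hmac.Equal(mac.Sum(nil), want)
}

// Compare models the situation from the text: an in-path party replaces the
// body with `modified`. For the MD5 message it recomputes the digest, which
// needs no secret; for the HMAC message it can only keep the old tag, because
// producing a new one requires the key. It reports whether each receiver-side
// check still passes afterwards.
func Compare(original, modified string) (md5Passes, hmacPasses bool) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}

	// Unkeyed digest: the modified body arrives with a freshly computed MD5.
	md5Passes = CheckMD5(SendWithMD5(modified))

	// Keyed tag: the body is modified but the tag was computed over `original`.
	hm := SendWithHMAC(key, original)
	hm.Body = modified
	hmacPasses = CheckHMAC(key, hm)
	return md5Passes, hmacPasses
}

func main() {
	// Constructed sample bodies.
	m, h := Compare("amount=10", "amount=1000")
	fmt.Printf("MD5 check still passes after modification: %v\n", m)
	fmt.Printf("HMAC check still passes after modification: %v\n", h)
}
```

The point is not that MD5 is a weak hash here (a stronger unkeyed hash would fail the same way) but that a digest anyone can recompute proves nothing about who produced the message. The receiver can only detect modification when the integrity value depends on something the modifier lacks, which in HTTPS is the session key negotiated in section 2.3.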

5. Disadvantages of HTTPS

  • Because of the encryption and decryption steps, it is slower;
  • Certificate authorization requires a high fee.