HTTPS: HTTP traffic encrypted using a combination of SSL (Secure Sockets Layer) and TLS (Transport Layer Security).
HTTP used in combination with SSL is called HTTPS.
SSL provides encryption and also uses a mechanism called a certificate, by which the user identifies the communicating party.
Certificates are issued by trusted third parties to prove that the server and client actually exist. Therefore, the true identity of the communicating party can be determined by checking the certificate it holds.
HTTP cannot verify the integrity of communication packets, so it cannot be known whether the content of a request or response has been tampered with. Interception and tampering of a request or response in transit is called a man-in-the-middle attack. It is difficult to verify the integrity and correctness of files with the existing HTTP mechanisms alone.
HTTP with encryption and authentication added is called HTTPS.
Previously HTTP communicated directly with TCP; now HTTP communicates with SSL, and SSL communicates with TCP.
Other application-layer protocols can also be used in conjunction with SSL, which is the most widely used network security technology.
Encryption and decryption with the same key is called symmetric-key encryption (shared-key encryption). This requires the key to be exchanged, and if the key is intercepted, the interceptor can decrypt the encrypted messages.
Public-key encryption, invented later, solved this problem of symmetric-key encryption. Public-key encryption has two keys: a public key and a private key. The private key must not be known to others, while the public key is freely distributed.
In the public-key encryption method, the sender encrypts data with the other party's public key, and the receiver decrypts it with its own private key. In this method there is no need to send the private key used for decryption, so there is no worry about the private key being intercepted.
HTTPS uses a hybrid encryption mechanism. Public-key encryption is used when exchanging keys, and symmetric-key encryption is used for communication after the secure connection has been established. Public-key encryption is computationally expensive, so using it for all communication would be very slow.
In public-key encryption, another problem is how to know that the public key obtained is the correct one. This is where the CA certificate comes in: we can use public-key certificates issued by a digital Certificate Authority (CA) and other relevant authorities.
- First, the server operator submits its public key to the digital certificate authority
- After the digital certificate authority verifies the identity of the applicant, it digitally signs the public key
- The signed public key is placed into a public-key certificate, binding the two together
- The server sends the public-key certificate issued by the digital certificate authority to the client, for communication in public-key encryption mode.
- The client receiving the certificate uses the digital certificate authority's public key to verify the digital signature on the certificate. If verification succeeds, the certificate can be used.
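The hybrid mechanism and the five certificate steps above, as an added example in Go that is not part of the original notes: the CA signs the server's public key, the client checks that signature with the CA key it already holds, and only then encrypts a fresh symmetric key to the server's public key. The `Certificate` struct is a constructed stand-in for a real X.509 certificate, and the 2048-bit RSA key size is an assumption.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
)
// Certificate is a constructed stand-in for an X.509 certificate: a server public key bound to the CA's signature over it.
type Certificate struct {
	ServerPub *rsa.PublicKey
	CASig     []byte
}
// NewKeyPair generates an RSA key pair; used for the CA and the server alike (2048 bits is an assumption).
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// pubDigest hashes the DER form of a public key; this digest is what the CA signs and the client checks.
func pubDigest(pub *rsa.PublicKey) []byte {
	h := sha256.Sum256(x509.MarshalPKCS1PublicKey(pub))
	return h[:]
}
// IssueCertificate is the CA's side (steps 1-3): after verifying the applicant's identity out of band, sign its public key.
func IssueCertificate(caKey *rsa.PrivateKey, serverPub *rsa.PublicKey) (*Certificate, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, caKey, crypto.SHA256, pubDigest(serverPub))
	if err != nil {
		return nil, err
	}
	return &Certificate{ServerPub: serverPub, CASig: sig}, nil
}
// VerifyCertificate is the client's side (step 5): accept the server key only if the CA public key embedded in the browser validates the signature; any other signer, or a swapped key, is rejected.
func VerifyCertificate(caPub *rsa.PublicKey, cert *Certificate) error {
	return rsa.VerifyPKCS1v15(caPub, crypto.SHA256, pubDigest(cert.ServerPub), cert.CASig)
}
// WrapSessionKey is the public-key half of the hybrid scheme: the client draws a random symmetric key and encrypts it to the verified server public key (RSA-OAEP), so the key never travels in clear.
func WrapSessionKey(serverPub *rsa.PublicKey) (key, wrapped []byte, err error) {
	key = make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, nil)
	return key, wrapped, err
}
// UnwrapSessionKey: only the server's private key recovers the key that then drives the symmetric cipher for the rest of the session.
func UnwrapSessionKey(serverKey *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, serverKey, wrapped, nil)
}
```

A certificate signed by a key the client does not hold, or one whose public key was swapped after signing, fails `VerifyCertificate`, which is exactly the check that stops a man-in-the-middle from substituting its own public key.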
Because the certificate authority's public key must itself reach the client securely, most browser vendors ship their releases with the public keys of common certificate authorities embedded.
An EV SSL certificate can be used to confirm whether the enterprise behind the other party really exists.
HTTPS can also use client certificates, which the server uses to verify that the client is the one it wants to communicate with. However, client certificates cost money and have to be installed manually, which is expensive, so they are used only for services that can bear the cost. Early online banking, for example, used client certificates.
- HTTPS communication steps: