PS: The original article was published on the WeChat public account Jzman-blog

Recently, some people in the chat group asked about HTTPS. Although they use it, they know only a little about how it works. Today I will summarize some HTTPS-related knowledge.

  1. The disadvantage of HTTP
  2. What is the HTTPS
  3. Public key encryption technology
  4. HTTPS Encrypted Transmission
  5. Public key Certificate
  6. The SSL and TLS
  7. Why not use HTTPS

The disadvantage of HTTP

The disadvantages of HTTP are as follows:

  1. The communication is in plain text and the transmission may be intercepted
  2. If the identity of the communicating party is not verified, the request is easily disguised
  3. The integrity of packets cannot be guaranteed and may be tampered with

What is the HTTPS

In simple terms, HTTP Secure (HTTPS) is HTTP with encryption and authentication mechanisms added on top.

HTTPS is not a new protocol compared with HTTP. It uses the Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocols to implement the HTTP communication interface: instead of HTTP talking directly to TCP, HTTP first talks to SSL, and SSL then talks to TCP. HTTP and HTTPS are shown as follows:

HTTP and HTTPS

Public key encryption technology

There are two kinds: symmetric key encryption and asymmetric key encryption. In either case the encryption algorithm itself is public while the key is secret. Both encryption and decryption need the key, and without it the content cannot be decrypted; conversely, if the key is intercepted, the encrypted content may be cracked.

  • Symmetric key encryption

This method is also called common key cryptography. The same key is used for encryption and decryption. During communication the key has to be sent to the other party so that it can decrypt, and the key may itself be intercepted in transit. The premise of secure communication in this mode is therefore how to transmit the key securely, as shown below:

Symmetric key encryption

  • Asymmetric key encryption

This method, also known as public key encryption, uses a pair of asymmetric keys: one is called the public key and the other the private key. The public key can be handed out freely, but the private key must be kept secret.

The sender uses the receiver's public key to encrypt the information. After receiving it, the receiver uses its own private key to decrypt it. In this way the private key used for decryption never has to be transmitted, so there is no need to worry about it being intercepted.

Asymmetric key encryption

HTTPS Encrypted Transmission

Because plain HTTP communicates directly with TCP, and because of how the TCP/IP protocol family works, the content on the transmission link may be eavesdropped. As the name implies, the Internet is composed of networks connected all over the world, and the equipment on the communication path is not all private, which makes communication insecure. This is why HTTPS was born. So how does HTTPS encrypt?

HTTPS uses a hybrid encryption mechanism. If the key exchange were secure, symmetric key encryption alone could be used for communication. Because the key exchange is not secure, asymmetric encryption is used during the key exchange, and symmetric encryption afterwards. The reason is that symmetric key encryption is much faster than asymmetric key encryption.

But does this make it safe from eavesdropping? In fact, even when the communication is encrypted, the traffic can still be captured by technical means; but once it is encrypted, the captured message cannot easily be understood, which is exactly the purpose of encryption.

How is the correctness of the public key transmitted during HTTPS encrypted transmission ensured? By a public key certificate issued by a digital certificate authority.

Public key Certificate

The public key certificate issued by a Certificate Authority (CA) and its related organizations should be mentioned here. The CA is a third-party organization trusted by both the client and the server. Its business process is as follows:

  1. The server operator applies to the digital certificate authority for certification of its public key;
  2. After verifying the operator's identity, the CA digitally signs the public key it was asked to certify and places the public key together with that signature in a public key certificate. The server then sends the certificate issued by the CA to the client;
  3. After obtaining the certificate, the client verifies the digital signature on it: first, that the certificate really was issued by the digital certificate authority, and second, that the server's public key can be trusted;
  4. Once this is confirmed, the client uses the public key to encrypt its messages;
  5. The server uses its private key to decrypt them.

The specific business process is shown in the figure below:

Public key process

In the third step, to ensure that the digital certificate authority's own public key reaches the client securely, most browser vendors ship their browsers with the public keys of the common certificate authorities built in.

The SSL and TLS

HTTPS uses the Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocols. SSL was first pioneered by the browser developer Netscape Communications, which developed the versions prior to SSL 3.0. Leadership has since been transferred to the Internet Engineering Task Force (IETF).

Taking SSL 3.0 as the baseline, IETF then formulated TLS 1.0, TLS 1.1 and TLS 1.2. TLS is a protocol based on SSL and is sometimes still referred to as SSL. The current mainstream versions are SSL 3.0 and TLS 1.0.

TLS is based on SSL; the specific differences between the two are left to the specialists. This is just some background on SSL and TLS.

Why not use HTTPS

HTTPS is secure and reliable because it uses SSL (including TLS), but SSL slows down the whole communication because of the encryption. Frequent encryption and decryption consume hardware resources on both the server and the client.

SSL not only makes communication slower but also slows down overall processing because it consumes a lot of CPU and memory. Compared with HTTP, the network load may be 2 to 100 times slower, as shown in the figure below:

Why not use HTTPS

Using HTTPS therefore means additional hardware costs, as well as the cost of buying certificates from digital certificate authorities.

That’s why most web sites use HTTP, even though HTTPS is secure and reliable.