Http plaintext communication is not secure
Http protocol is plaintext communication, data on the communication link may be hijacked or tampered with
Since there is a risk that the data will be exposed, the first solution that comes to mind may be to encrypt the data
Symmetric encryption
We use symmetric encryption to encrypt the login information and at this point, if the hijacker is hijacked, he doesn’t have a symmetric key, so he can’t decrypt or tamper with your information. But since the symmetric key is also published in clear text, if this key is also hijacked by a hijacker, the hijacker can still steal and tamper with the data you transmit
Symmetric encryption has the advantage of fast encryption and decryption
Asymmetric encryption
Considering the risk of exposure when using a single key to encrypt and decrypt symmetric encryption, we divide the key into two parts: the private key stored on the server is called the private key, and the public key sent to the client is called the public key.
The private key is secure only on the server, and the public key is exposed to all clients or hijackers
We use the public key for encryption and the private key for decryption. At this time, because the hijacker does not have the private key, he cannot modify the data sent by the client, nor can he decrypt the data
This ensures that the client sends data to the server securely, but what if the server sends data back to the client? The client side does not have the private key to decrypt, according to the symmetric encryption in the explanation we know that the secret key on the client side is not secure, so this way is not feasible
Asymmetric encryption is more secure, but its encryption and decryption complexity is relatively high than symmetric encryption is much slower
Mixed encryption
Symmetric encryption encryption and decryption efficiency is high, asymmetric encryption security is strong, we integrate the two encryption method is called hybrid encryption
Such a complex asymmetric encryption will only be parsed once at the beginning, followed by efficient symmetric encryption. However, there is another problem is that the public key issued by the server can be obtained by anyone in plaintext, such as this
At this point we see that security can be solved simply by ensuring that the public key received by the client is actually sent from the server, which leads us to HTTPS, which can be seen as a hybrid encryption but it keeps the public key secure
HTTPS
HTTPS is an encrypted HTTP protocol. Based on THE HTTP transport protocol TCP, it adds an SSL layer, also called TLS layer, to construct an encrypted transport channel
There are two HTTPS authentication modes: one-way authentication and two-way authentication. Let’s talk about one-way authentication. Two-way authentication is the reverse authentication
Operating systems and browsers have built-in certificates and public key information issued by certain authorities
If the certificate returned by the server is tampered with
The CA certificate and public key are built-in on the client. The public key decrypts data using the hash algorithm of the certificate. The obtained data is inconsistent with the hash value of the certificate obtained from the server, that is, the certificate is tampered
Do not install the root certificate
The certificate issued by the server is used to prove its identity. For example, our request is intercepted by the middleman and the information returned by the middleman is sent to the client. The client cannot find the information in the built-in CA, so its identity identification is wrong. Then it can identify and manipulate the messages we send.
For example, we know that Charles can capture HTTPS data by installing its root certificate