1. Annual Meeting

The Chinese New Year is coming soon, and the company’s business needs are also much less. Therefore, Wang Xiaoer and his staff held a technical meeting to check what they can do before the New Year.

See C elder brother wrote a list, one of them is the whole station upgrade HTTPS.

C said: HTTPS is a trend, but currently our interface is HTTP. The appstore has always required HTTPS, and from a security and appstore review perspective, we had to upgrade to HTTPS across the site years ago. Does anyone volunteer?

Small two thought once: I will do C elder brother, just understand next HTTPS.

Brother C: Ok, mistress, then you can study HTTPS next, and then share with us when you have time.

Small two: good C elder brother, guarantee to finish!

2. Zhang SAN Fat

Heard that small two want to do HTTPS, operation and maintenance zhang SAN Fat went to small two side.

Zhang SAN fat: small 2, hear you want to do HTTPS?

Small two: yes, three fat brother, we have to upgrade the whole station HTTPS. Have you seen this before?

Zhang SAN fat: ha ha, I really know, upgrade HTTPS is a good idea.

Small two: three fat brother, that’s too good, you have time to tell me? I wouldn’t have to spend time researching.

Zhang SAN fat: good, I now have time, tell you about, also at the right moment review.

Small two: thank you three fat elder brother, this noon you have a meal.

3. Symmetric encryption is not enough

Three fat: small two, suppose you use HTTP protocol to send your girlfriend a private message. Is there a risk of leaks?

Small two: of course, HTTP protocol is plaintext transmission, transmission of data in the process of any third party can intercept and tamper with the plaintext.

Three fat small smile: yes, we draw a picture to express below, you know information is tampered with much embarrassment, ha ha.

Small two: Huh? It is. That would be so awkward. My girlfriend won’t beat me to death…

Fat three: actually use HTTPS can avoid.

Three fat: small 2, do you understand symmetric encrypt and unsymmetrical encrypt?

Xiao 2: Know something about it. Symmetric encryption is the encryption and decryption of the same secret key. Asymmetric encryption is the content encrypted with the public key, which can only be decrypted with the private key, and the content encrypted with the private key can only be decrypted with the public key.

In fact, HTTPS is the use of symmetric encryption and asymmetric encryption. But you have to be aware that symmetric encryption is about 100 times faster than asymmetric encryption.

Small two: three fat brother I understand, then you use the example just now to tell me the principle of HTTPS.

Three fat: good, use just of example. Symmetric encryption is fast, so your data transfer with your girlfriend should be symmetric.

Small two: ok, that I agree with my girl friend first good secret key bai?

Fat Three: Yes, let’s draw a picture of your data transfer.

Small two: yeah, fat brother, so others can’t intercept my message.

Three fat: Right. And because symmetric encryption and decryption are fast, the impact on your data transmission speed is minimal. But how do you communicate with your girlfriend and negotiate a secret key?

Small two: this is not simple, I tell him directly on the net can ah.

Three fat: ha ha, can’t. What if someone intercepts your secret key in plain text over the network?

Small two: Huh? It is. Someone intercepted the key and then manipulated my information.

This is where we need to use our asymmetric encryption to negotiate your symmetric encryption keys.

4, asymmetric encryption solution

Three fat: Mei generates her own public key and private key, before communication, she tells you her public key, this public key is public, so it can be freely transmitted in the network.

Small two: so ah, I understand brother C. After I get Mei’s public key, I use Mei’s public key to asymmetric encrypt the symmetric encrypted password and send it to Mei. Amy decrypts it using his private key, and then gets the symmetric encryption I generated. Isn’t it?

Three fat: rightness, be such. But there’s still a headache. How do you make sure you get mei’s public key? What if the middleman intercepted it for you?

Xiao 2: HMM… That’s a real problem. The middleman sends me his public key, so I can use the middleman’s public key to encrypt our symmetrically encrypted password, and the middleman can use his private key to decrypt our symmetrically encrypted password. At this time, the middleman had intercepted Mei’s public key, and then sent our symmetric encrypted password to Mei through her public key encryption. It’s horrible. Our symmetrically encrypted secret key has been stolen.

In fact, Charles can capture HTTPS packets by using the principle you mentioned. We will talk more about it later. Now the question becomes, how do you make sure that the public key you get is Mei.

Xiao 2: Oh, it’s really a headache…

Three fat: you know we usually have notary office? This notary office is a credible structure, by his notarization of things, are credible strength.

Small two: know, a few days ago I saw the news that an old woman gave him a property in the imperial capital through the notary office to a guy without blood relationship.

Three fat: that you think, if the public key of small beauty passes notarization, can prove this public key is small beauty?

Xiao2: Of course. Is there such a notary office in the network?

Three fat: still really exist such notary office, we call the notary office in the network CA. Have to admire the predecessors, they put some trusted CA certificates are pre-stored in our computers, certificates include CA information and CA public key. These certificates are installed as soon as the system is installed on your computer. Here, take a look at the default certificate installed on my computer.

Xiao 2: Oh, I see, it means that these default CA certificates are absolutely trusted.

Three fat: rightness, be this meaning. Therefore, as long as CA also issues a certificate to Mei to prove that it is Mei. The certificate issued by CA contains mei’s personal information and mei’s public key. At the same time, CA will also issue mei a private key.

If you think of Xiaomei as Baidu, let’s first look at the certificate issued by CA to Baidu.

Xiao 2: That is to say, as long as the CA certificate issued to Mei can be safely transmitted to me.

Three fat: rightness, now the problem is converted into. How can mei’s certificate be safely transmitted to you? In fact, CA issued a certificate to Mei, including mei’s information + public key], and digital signature. The content of a digital signature is the hash value of information about the user + public key encrypted with the CA private key.

Xiao 2: Oh, I seem to understand. The CA certificate contains the CA public key and some CA information, and the CA certificate is stored in my computer by default, then I can use the CA public key for decryption operation, so as to verify whether the certificate is correct.

Three fat: Right. We can use the CA’s public key on your computer to decrypt the digital signature in the MAC certificate and get the hash value for the signature. Then, you hash [Mei’s information + public key] using the same hash algorithm. If the hash value of the signature in the certificate is the same as the hash value calculated by yourself, the certificate is indeed beautiful. Otherwise, it is not a beautiful certificate.

Small two: three fat brother, I understand. HTTPS is a hassle, but it does protect our privacy.

Three fat: rightness, lose must have get!

Xiao2: Uh-huh. Now I have safely obtained the public key of Mei through her certificate. Then I randomly generate a symmetric encrypted secret key here, and the symmetric encrypted secret key is encrypted by Mei’s public key, and then it can be safely transmitted to Mei.

Sam: yes, Mei decrypted it with his private key and got the symmetric encryption password you agreed on. In the future, you will be able to use symmetric encryption to transmit data and make eye contact

Small two: three fat brother is really too fierce, from now on no longer need to worry about chatting with my girlfriend be spoof.

Three fat: ha ha. You think of yourself as the browser and Amy as the server. This is the whole HTTPS transfer process.

Small two: understand, I draw HTTPS between browser and server running flow, three fat brother you see right.

Three fat: quite good quite good, small 2 very fierce, basic be this flow.

Small two: have no have no, return thanks for 3 fat elder brother’s instruction, ha ha.

5. Charles captures HTTPS packets

Xiao 2: I really don’t know that. Supposedly HTTPS is an absolutely secure protocol, so Charles can’t grab the content.

Do you remember that when using Charles to capture HTTPS packets, you need to install Charles certificate on your phone and trust it?

Small two: rightness rightness, be to have this one step operation.

Triple fat: This is the step that causes Charles to grab your HTTPS packet. Let me draw you a flow chart so you can see what’s going on.

Xiao2: So that’s the case. This is the problem I just said. So HTTPS is not a secure protocol?

Fat three: No. Because you installed and trusted Charles certificate, it was your own initiative operation, can also be said to be the result of your own initiative leak. If you do not trust the Charles certificate, the data will not be transferred and the connection will be interrupted. So HTTPS is still a secure protocol.

Small two: I see, it is true, thank you three fat brother.

Happy Done

Now that you know how HTTPS works, the rest will take care of itself.

Xiao Er listed the next things to do: 1, to CA(notary office) to apply for their website certificate; 2. Change the HTTP link of static resource in code to HTTPS link; 3. Change the HTTP link in Ajax to HTTPS link; 4. Deploy certificates on nginx; 5. Complete the self-test.

According to this list, small second step successfully completed.

Finally, HTTPS online is complete, happy to enjoy the afternoon sun, happy done~