Programmer’s English turns out to be a bad book, but it does start with a few references, including one that ponders the dangers of self-signed certificates.
While we’re at it, let’s start with the simplest, HTTPS.
Why do we need HTTPS
In theory, HTTPS is encryption of communications, preventing eavesdropping, man-in-the-middle attacks and, most importantly for most users and websites, hijacking at all levels.
Google has a summary:
- Benign or malicious intruders can exploit every unprotected resource that passes between your site and your users.
- Many intruders will look at summary behavior to identify your users.
- HTTPS not only prevents your site from being abused, it is also an integral part of many advanced features that can be used as an implementation technology for similar applications, such as service worker threads.
How does HTTPS work
How does HTTPS work? (Please skip to the next QvQ if you are not curious.)
In other words, HTTPS = HTTP + SSL/ TLS adds a layer of SSL between the TCP and HTTP layers.
As shown in the figure, there is no three-way authentication process in HTTP website communication:
You have no way of knowing if the results you receive have been tampered with, and of course, there is no guarantee that the untouched data will be eavesdropped on.
We call the hacker in the picture “the man in the middle,” which is what causes the man-in-the-middle attack described above.
So later, people thought, as long as I have a key, do I have it?
There are two common encryption: symmetric encryption and asymmetric encryption, but in fact, we found that both with symmetric encryption and asymmetric encryption key, a leak or not (in asymmetric encryption, public key itself is open, as long as the intercept private key is returned, need to be part of the public key to decrypt, so the intercept data).
Then, we came up with an upgraded encryption method: symmetric and asymmetric combination.
Then it becomes the encryption shown in the figure above. I use asymmetric encryption to transmit the key and symmetric encryption to transmit the data, thus avoiding the two problems of the interception caused by the disclosure of the symmetric encryption key and the public key during transmission — but how do you prove that you are a good person?
So, finally found a credible tripartite organization: certificate issuing agency.
The browser will help you check whether the information in the website certificate is legitimate when the request is initiated, whether it is issued by the credit agency, if not, then an error will be reported, if it is legitimate, then decrypt the CA public key corresponding to the issuer, decrypt the signature of the server certificate.
Check whether the Hash algorithm is used to calculate the certificate and the certificate sent from the server. If yes, the certificate is not impersonated.
Then read the key in the certificate for subsequent encrypted communication.
Eventually, our entire process became tamper-free — though there might be a confusing question about how my operating system got so many CA public keys.
In fact, there are only a handful of top cas, and those other issuers are actually indirectly trusted, and just the other day, Let’s Encrypt put out a message saying that they’re going to be directly trusted by all the major programs in the future, whereas in the past, they’ve been indirectly trusted, It is because browsers and operating systems trust IdenTrust, and IdenTrust trusts them, that they are trusted:
Browsers and operating systems have not, by default, directly trusted Let’s Encrypt certificates, but they trust IdenTrust, and IdenTrust trusts us, so we are trusted indirectly. IdenTrust is a critical partner in our effort to secure the Web, as they have allowed us to provide widely trusted certificates from day one.
How to upgrade HTTPS for your website
Speaking of upgrades, Let’s Encrypt, of course, offers free and reliable SSL certificates, as well as free pan-domain certificates starting a while ago (meaning we only offered certificates for www.codesky.me, but now they offer *.codesky.me).
In fact, using Certbot can help you most easily deploy Let’s Encrypt certificates: certbot.eff.org/lets-encryp…
Of course, you can use your own certificate and private key to configure the certificate. Here we use Nginx as an example:
server {
listen 443 ssl;
server_name www.example.com;
ssl_certificate www.example.com.crt;
ssl_certificate_key www.example.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
...
}
Copy the codeThe configuration is complete in a few simple steps.
Can I use self-signed certificates?
Of course, you can generate a certificate yourself using OpenSSL, but this certificate is not trusted according to our procedures, so the following prompt will be given:
This is 12306 website for HTTPS processing, of course, he is very conscious, to provide everyone to download the root certificate:
Of course, you can trust him and get around this limitation, but in the meantime, you’re taking on all the problems HTTPS is trying to avoid. If there is a software or application that expects you to trust their credentials, there are also trade-offs:
As a trusted middleman, they are still a middleman, and if the middleman becomes less reliable, the transmission will become less reliable. On the other hand, even if they don’t want to do anything, a poor server management system can cause the key to leak, leaving your communication nowhere to hide.
Will HTTPS affect existing sites?
If HTTPS has an impact on websites, then many may start to consider not being available, although the answer is simple – the benefits outweigh the risks.
The drawbacks I’ve been looking at so far are the cost of enterprise certificates, the fact that HTTPS requires validation of certificates, which adds a step to SSL, which slows things down a bit, and the fact that HTTP -> HTTPS conversions can be time-consuming (if you access HTTPS directly, you don’t have to worry about this).
In addition, HTTPS might be in your SEO have unexpected effect, the Google and baidu has written said they would preferred to HTTPS site included: webmasters.googleblog.com/2014/08/htt…
But HTTPS is more reliable and reliable than any other problem, so why not use HTTPS?
Of course, in case your users are still using IE6
(Note: Internet Explorer 6 does not support HTTPS, but it does not support SNI, which means that only one IP can be used for one domain name and one certificate. Obviously this is not a reasonable design in modern website construction. See HTTPS and SNI for details.)
The resources
- Nginx-Configuring HTTPS servers
- Certbot
- Why is HTTPS important
- HTTPS principle in detail