One: the disadvantages of HTTP

  1. Communication is in plaintext (nothing is encrypted), so the content can be eavesdropped on.
  2. The identity of the communicating party is not verified, so it is possible to encounter impersonation.
  3. The integrity of the message cannot be proved, so it may have been tampered with.
All of the above are problems shared by any protocol that has no encryption.
To solve these problems, HTTPS was born!

Two: how to solve the security problems of HTTP?

HTTP itself has no encryption mechanism, but we can combine it with SSL (today its successor TLS) to establish a secure channel and transmit HTTP messages over that channel. The improved protocol is called HTTP Secure (HTTPS): HTTP + SSL = HTTPS, also written HTTP over SSL.

SSL not only provides encryption; it also uses digital certificates to identify the communicating party. A certificate is issued by a trusted third party (a certificate authority) and signed with that third party's private key, so it is hard to forge. Certificates are used to verify the identity of the server and, optionally, of the client.

HTTPS is not a new protocol; it just inserts a security layer, SSL, into the stack: HTTP talks to SSL first, and SSL then talks to TCP. HTTPS is HTTP wrapped in a shell of the SSL protocol.

Figure 1 HTTP vs HTTPS

Three: encryption methods are generally symmetric or asymmetric

Symmetric encryption: if only symmetric encryption is used

  1. The client initiates the request and sends clientRandom + its list of cipher suites to the server
  2. The server receives the request and sends serverRandom + the selected cipher suite to the client
  3. The client combines clientRandom + serverRandom into an encryption key, encrypts the HTTP content with that key and transmits it
  4. Because the server knows the cipher suite and both random numbers, it can derive the same key and decrypt the ciphertext

But this scheme does not work. Everything the key is derived from (the cipher suite and the two random numbers) was sent over the network in the clear, so an attacker who eavesdrops on the handshake can derive exactly the same key and then eavesdrop on and tamper with the traffic.

Figure 2 Symmetric encryption

Asymmetric encryption: if only asymmetric encryption is used

  1. The client initiates the request and sends its list of cipher suites to the server
  2. The server receives the request and sends the selected cipher suite + its public key to the client
  3. The client encrypts the data with the server's public key and transmits it
  4. The server decrypts it with its private key

This scheme is not very feasible either. 1. Asymmetric encryption is slow and computationally expensive; encrypting all of the traffic with it would hurt the user experience. 2. Data sent from the server to the client cannot be protected: with a single key pair the server could only encrypt with its private key, and anyone who has intercepted the public key can decrypt that data and read it.

Figure 3 Asymmetric encryption

So what to do?

Combine the two! Symmetric encryption is still used in the data-transmission stage, but the symmetric key is established through an asymmetric encryption step.

The ultimate combination!

  1. The client initiates the request and sends its list of supported cipher suites (symmetric algorithms plus asymmetric key-exchange algorithms) + clientRandom to the server
  2. The server receives the request and sends the selected cipher suite + serverRandom + its digital certificate, which contains the server's public key, to the client
  3. The client generates a fresh random pre-master secret, encrypts it with the server's public key taken from the certificate and transmits the ciphertext; only the holder of the matching private key can recover it
  4. Both sides combine clientRandom + serverRandom + the pre-master secret into the symmetric key, the master secret, which is then used to encrypt the data symmetrically

In this way the transmitted data is safe. An attacker who intercepts the handshake sees both random numbers and the encrypted pre-master secret, but cannot decrypt the pre-master with the public key alone, so the pre-master stays secret and so does the symmetric key derived from it. This holds only if the client checks that the certificate was issued by a trusted third party for the server it intended to reach; a client that accepts any public key could be handed the attacker's key instead.
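The two handshakes compared above, the symmetric-only one that fails and the final mixed one, as a runnable model in Python. This is an added example and not code from the original post. The master-secret derivation follows the real TLS 1.2 PRF (RFC 5246, P_SHA256 with the label "master secret"), and the pre-master is a fresh 48-byte random value as in TLS 1.2 RSA key exchange. Two things are assumptions made only so the script runs with the standard library: the symmetric-only scheme "synthesizes" its key as SHA-256 over the two randoms (the post does not say how), and the server's key pair is schoolbook RSA over two Mersenne primes, which is trivially factorable and stands in for a real CA-signed certificate key.

```python
"""Toy model of the handshakes discussed above (added example, not from the original post).

- master_secret() follows the TLS 1.2 PRF of RFC 5246 section 5 (P_SHA256).
- The RSA key pair uses Mersenne primes M521 and M607: insecure, standard-library only,
  and an assumption of this example. A real server presents a CA-signed certificate.
"""
import hashlib
import hmac
import secrets


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246: A(0)=seed, A(i)=HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret",
                           ClientHello.random + ServerHello.random)[0..47]"""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


# Toy RSA key pair (assumption of this example; Mersenne primes are a terrible RSA choice).
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def rsa_encrypt(pub_n: int, pub_e: int, msg: bytes) -> int:
    """Encrypt with the public key (what the client does to the pre-master)."""
    return pow(int.from_bytes(msg, "big"), pub_e, pub_n)


def rsa_decrypt(ciphertext: int, length: int) -> bytes:
    """Decrypt with the private key (only the server can do this)."""
    return pow(ciphertext, D, N).to_bytes(length, "big")


def symmetric_only_handshake():
    """Figure 2 scheme: the key is derived purely from values sent in the clear."""
    client_random = secrets.token_bytes(32)
    server_random = secrets.token_bytes(32)
    # Assumed derivation: SHA-256 over the two randoms. No secret input exists.
    client_key = hashlib.sha256(client_random + server_random).digest()
    server_key = hashlib.sha256(client_random + server_random).digest()
    # The eavesdropper saw both Hellos, so it derives the identical key.
    eavesdropper_key = hashlib.sha256(client_random + server_random).digest()
    return client_key, server_key, eavesdropper_key


def hybrid_handshake():
    """Figure 4 scheme: random pre-master wrapped under the server's public key."""
    client_random = secrets.token_bytes(32)  # step 1, sent in the clear
    server_random = secrets.token_bytes(32)  # step 2, sent in the clear with the certificate
    # Step 3: the client draws a fresh pre-master secret (TLS 1.2: version bytes + 46 random
    # bytes), independent of the randoms, and encrypts it with the server's public key.
    pre_master = bytes([3, 3]) + secrets.token_bytes(46)
    wrapped = rsa_encrypt(N, E, pre_master)
    client_master = master_secret(pre_master, client_random, server_random)
    # Step 4: the server unwraps with its private key and derives the same master secret.
    server_master = master_secret(rsa_decrypt(wrapped, 48), client_random, server_random)
    # Everything the eavesdropper holds: two randoms, the ciphertext and the public key.
    # Without pre_master the master secret cannot be computed from this view.
    eavesdropper_view = {"client_random": client_random, "server_random": server_random,
                         "wrapped_pre_master": wrapped, "public_key": (N, E)}
    return client_master, server_master, eavesdropper_view


if __name__ == "__main__":
    ck, sk, ek = symmetric_only_handshake()
    print("symmetric only: eavesdropper has the key ->", ck == sk == ek)
    cm, sm, view = hybrid_handshake()
    print("hybrid: client and server agree ->", cm == sm, "| eavesdropper view:", sorted(view))
```

Running the script prints that in the symmetric-only scheme all three parties end up with the same key, while in the mixed scheme the client and server agree on a 48-byte master secret that does not appear anywhere in the eavesdropper's view. In a real handshake the client additionally validates the certificate chain before using the public key; the toy RSA here has no certificate, so that check is out of scope of the example.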

Figure 4. Final mixed encryption flow

Recommended course: Geek Time, "Browser Working Principles and Practices"