Interview surprise: Why use HTTPS? What is it useful for?

Most people are already familiar with HTTPS, because most of the websites we use are served over it, such as the following:

So the question is, why do they use HTTPS? What are the advantages of HTTPS?

1. HTTP

Before talking about HTTPS, we must first understand HTTP, because HTTP is the basis of HTTPS communication. HTTP (HyperText Transfer Protocol) is the protocol used to transmit data between the client and the server. HTTP is simple and convenient to use, but it has the following three fatal problems:

  • Communication is in plain text, so the content can be eavesdropped.
  • The identity of the communicating party is not verified, so it can be impersonated.
  • The integrity of the message cannot be proven, so it can be tampered with without detection.

Because of these problems, systems today use HTTPS instead of HTTP.

2. HTTPS

First of all, HTTPS is not a new protocol. It is the HTTP protocol with an encryption mechanism, SSL (Secure Socket Layer) or TLS (Transport Layer Security), added underneath it. HTTPS = HTTP + encryption + authentication + integrity protection.

SSL and TLS

SSL (Secure Socket Layer) was originally developed by the browser vendor Netscape, which produced the versions up to and including SSL 3.0 and then handed SSL over to the Internet Engineering Task Force (IETF). The IETF developed TLS 1.0 based on SSL 3.0, so TLS can be considered the "new version" of SSL.

2.1 Solving the trust problem

For HTTPS, the first problem to solve is trust, that is, identity verification. If trust is not established, a server can be impersonated, which is the "man-in-the-middle attack" problem. Normally the client and the server talk to each other directly; in a man-in-the-middle attack a "bad guy" (the man in the middle) inserts itself between the client and the server and uses that position to steal and tamper with the content the two parties exchange, as shown in the following figure:

HTTPS solves the trust problem with digital certificates. When the server is set up, it first applies for a trusted digital certificate from a third-party platform that everyone recognizes. Then, when a client connects, the server first hands the client its digital certificate to prove that it is the genuine server and not a "middleman". The browser is responsible for checking the validity of that digital certificate: if there is a problem with it, the client stops communicating immediately; if not, it carries on with the rest of the process, as shown in the following figure:

With a digital certificate, the true identity of the server can be verified, which solves both the man-in-the-middle problem and the impersonation problem.
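As an added illustration of the check described in this section (not code from the original article), the following uses Python's standard ssl module: one client context that behaves like the browser above (it requires a trusted certificate whose name matches the host, and refuses old protocol versions) and one with verification switched off, plus an audit function that reports the weak settings a code review should catch. The function names are my own.

```python
import ssl

def hardened_client_context() -> ssl.SSLContext:
    """What a browser-like client should do: require a certificate that chains to a
    trusted CA and matches the requested host name, and refuse legacy protocol versions."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname, trust store loaded
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSL 3.0 / TLS 1.0 / TLS 1.1 are refused
    return ctx

def verification_disabled_context() -> ssl.SSLContext:
    """The pattern to look for in code review: verification turned off "to make it work".
    With these settings any server, including a man in the middle, is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                    # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the findings a reviewer would raise for a client-side context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate not verified: any server can impersonate the site")
    if not ctx.check_hostname:
        findings.append("hostname not checked: a valid certificate for another site is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions allowed")
    return findings
```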

2.2 Solving the problem of plaintext transmission and integrity

Even with the trust problem solved, the two parties are still communicating in plain text, so the content can still be eavesdropped. What can be done about this? The answer is to use encryption so that the information is no longer exposed.

Encryption Classification

There are two main categories of encryption: symmetric encryption and asymmetric encryption.

  • In symmetric encryption there is a single shared key, used both to encrypt and to decrypt. Encryption and decryption are very fast, but the shared key is its weak point: once the shared key is intercepted, the encryption is worthless.
  • In asymmetric encryption there is a key pair: a public key and a private key. The public key can encrypt information but cannot decrypt it; only the private key can decrypt. The server keeps the private key to itself and sends only the public key to the client, so even someone who obtains the public key cannot decrypt the encrypted information. This is safer, but asymmetric encryption is considerably slower.

Should HTTPS use symmetric or asymmetric encryption? Symmetric encryption is fast but insecure on its own; asymmetric encryption is secure but slow. Only children make the choice; adults want both. So HTTPS uses both asymmetric and symmetric encryption. The entire interaction process is as follows:

The HTTPS execution process is as follows:

  • The client accesses the server over HTTPS.
  • The server returns its digital certificate and sends the client the public key of its asymmetric key pair (the server keeps the private key to itself).
  • The client verifies that the digital certificate is valid. If it is not, the access is terminated. If it is valid, the client:
      ◦ generates a shared key for symmetric encryption;
      ◦ encrypts the data with that shared key (symmetric encryption);
      ◦ encrypts the shared key itself with the server's public key (asymmetric encryption);
      ◦ sends the encrypted key and the encrypted data to the server.
  • The server decrypts the shared key with its private key, and then uses the shared key to decrypt the data itself.
  • From then on, the client and server exchange content encrypted with the shared key.

In this way, HTTPS ensures both security and efficiency, which is like having the best of both worlds.

Encryption also protects data integrity indirectly. If the data is incomplete or has extra data attached, decryption reports an error, so tampering is caught.
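The steps above, and the integrity claim just made, as an added example that is not from the original article: a toy re-enactment in Python in which textbook RSA on two small primes stands in for the server's asymmetric key pair and a SHA-256 keystream stands in for the symmetric cipher. It goes slightly beyond the text in attaching an HMAC tag to the ciphertext, which is what TLS itself does so that tampering is detected reliably rather than left to a decryption error. All names, the primes and the sample request are constructed for this demonstration; nothing here is secure, only illustrative.

```python
import hashlib
import hmac
import secrets

# Server's asymmetric key pair: textbook RSA on two small primes (constructed, not secure).
P, Q = 1000003, 1000033
assert all(pow(2, x - 1, x) == 1 for x in (P, Q))  # cheap primality sanity check
N, E = P * Q, 65537
PRIVATE_D = pow(E, -1, (P - 1) * (Q - 1))          # never leaves the server (Python 3.8+)

def public_key_encrypt(m: int) -> int:             # client side: needs only (N, E)
    return pow(m, E, N)

def private_key_decrypt(c: int) -> int:            # server side: needs PRIVATE_D
    return pow(c, PRIVATE_D, N)

# Toy symmetric cipher: SHA-256 keystream XOR, with an HMAC tag so tampering is detected.
def keystream(key: bytes, length: int) -> bytes:
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range((length + 31) // 32))[:length]

def sym_encrypt(key: bytes, data: bytes) -> bytes:
    ct = bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")  # modified or truncated in transit
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))

# Client step: fresh shared key, encrypted with the server's public key, plus the data.
def client_send(request: bytes):
    shared_key = secrets.token_bytes(4)            # 32-bit key so it is < N (about 40 bits)
    enc_key = public_key_encrypt(int.from_bytes(shared_key, "big"))
    return enc_key, sym_encrypt(shared_key, request)

# Server step: recover the shared key with the private key, then decrypt the data.
def server_receive(enc_key: int, blob: bytes) -> bytes:
    shared_key = private_key_decrypt(enc_key).to_bytes(4, "big")
    return sym_decrypt(shared_key, blob)

def tamper_detected(request: bytes) -> bool:
    enc_key, blob = client_send(request)
    flipped = bytes([blob[0] ^ 0x01]) + blob[1:]   # one bit changed in transit
    try:
        server_receive(enc_key, flipped)
    except ValueError:
        return True
    return False
```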

Summary

Using the HTTP protocol has problems such as plain text communication and man-in-the-middle attacks, but these problems are effectively solved in HTTPS. HTTPS solves the problem of man-in-the-middle attacks through digital certificates and solves the problem of plain text communication and data integrity through encryption.

