As an aspiring programmer, you need to follow the development trends of the industry and broaden your computer knowledge, especially the fundamentals, such as the computer networking topic discussed in this article. This article gives a detailed summary of how HTTPS is implemented.
In recent years, with growing security awareness among users and Internet companies and falling HTTPS costs, HTTPS has become increasingly popular. Many Internet giants are also pushing HTTPS, such as:
Most mainstream websites at home and abroad have also migrated to HTTPS, which shows that it is only a matter of time before HTTPS completely replaces HTTP. Having said all that, what exactly is HTTPS? What are its advantages and disadvantages compared with HTTP? What is its underlying implementation principle? Let's answer these one by one, starting with the disadvantages of HTTP.

The biggest drawback of HTTP: insecurity

The biggest reason HTTP is being replaced by HTTPS is that it is insecure. Why it is insecure is clear at a glance from the picture below.

(Figure: HTTP data transmission process)

As the figure shows, HTTP transmits all data in plain text, so there is naturally no security. This matters most for sensitive data such as user passwords and credit card information: once a third party obtains it, the consequences are disastrous.

Someone might say, "I can just encrypt sensitive data on the front-end page, for example with salted MD5." That is too simplistic. First of all, MD5 is not an encryption algorithm. Its full name is Message Digest Algorithm MD5, that is, a message digest algorithm. It is an irreversible hash algorithm, which means that data processed with MD5 on the front end cannot be restored on the server side. Take a password as an example. The front end runs the user's password through MD5 and sends the resulting hash value to the server. Since the server cannot recover the password, it uses this hash value directly to process the user's request. Therefore, a third party who obtains this hash value can bypass the front-end login page and access the server directly, which is a security problem. In addition, the MD5 algorithm itself has security flaws, which I will not discuss here. In short, hash algorithms such as MD5 and SHA-1 cannot make HTTP more secure.
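To make this concrete, here is a small Go program, an added example that is not part of the original article, modelling the front-end MD5 scheme just described: the browser sends only the salted digest, and the server, which cannot recover the password, simply compares digests. The names clientDigest, server and newServer, the salt and the sample password are all constructed for this illustration. The last lines of main show the consequence: a digest copied off the wire logs in exactly as the real password would, so hashing on the client does not remove the need for transport encryption.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// clientDigest models "salted MD5 on the front end": the browser hashes the
// password with a salt it knows (so, a public one) and sends the hex digest
// over plain HTTP. MD5 is a one-way digest, not a cipher: there is no key,
// and nothing turns the digest back into the password.
func clientDigest(password, salt string) string {
	sum := md5.Sum([]byte(salt + password))
	return hex.EncodeToString(sum[:])
}

// server holds, per user, the digest stored at registration (constructed demo
// store; a real server would at least hash again on its own side).
type server struct{ accounts map[string]string }

func newServer() *server { return &server{accounts: map[string]string{}} }

func (s *server) register(user, password, salt string) {
	s.accounts[user] = clientDigest(password, salt)
}

// login never sees a password: it accepts whatever digest arrives and compares
// it with the stored one. The digest itself has therefore become the credential.
func (s *server) login(user, presentedDigest string) bool {
	stored, ok := s.accounts[user]
	return ok && subtle.ConstantTimeCompare([]byte(stored), []byte(presentedDigest)) == 1
}

func main() {
	const salt = "site-wide-public-salt"           // constructed
	const password = "correct horse battery staple" // constructed

	srv := newServer()
	srv.register("alice", password, salt)

	onWire := clientDigest(password, salt) // what plain HTTP carries at login
	fmt.Println("digest on the wire:            ", onWire)
	fmt.Println("alice logs in with her digest: ", srv.login("alice", onWire))
	// A third party who read the digest off the wire never needs the password.
	fmt.Println("same digest replayed by someone:", srv.login("alice", onWire))
	fmt.Println("wrong password rejected:        ", srv.login("alice", clientDigest("guess", salt)))
}
```

The replay line is the whole point of the passage above: the server cannot tell the two identical digests apart, and no choice of hash function changes that. Only encrypting the transport keeps the digest (or password) away from the third party in the first place.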
To make HTTP more secure, you can only use real encryption algorithms, because an encryption algorithm uses a key to encrypt and to restore data. As long as the key is not obtained by a third party, the security of the data transmission can be ensured. This is exactly HTTPS's solution, so let's learn about encryption algorithms below.

Encryption Algorithms

HTTPS solves the data transmission security problem with encryption algorithms, specifically hybrid encryption, which combines symmetric encryption and asymmetric encryption. It is necessary to first understand the differences between these two kinds of algorithms and their respective advantages and disadvantages.

Symmetric encryption

Symmetric encryption, as the name implies, uses the same key for both encryption and decryption. Common symmetric encryption algorithms include DES, 3DES, and AES. Its advantages and disadvantages are as follows:

Advantages: The algorithm is public, the amount of computation is small, encryption is fast and efficient, and it is suitable for encrypting relatively large amounts of data.

Disadvantages: Both parties need to use the same key, so transmitting the key cannot be avoided, and there is no guarantee that the key is not intercepted in transit; the security of symmetric encryption therefore cannot be guaranteed. Every pair of users of a symmetric algorithm needs a unique key unknown to anyone else, so the number of keys held by senders and receivers grows dramatically, and key management becomes a burden for both parties. Symmetric encryption is difficult to use in distributed network systems, mainly because key management is hard and the cost of use is high.

This article does not give a detailed introduction to the specific encryption algorithms.
If a symmetric encryption algorithm is used directly in HTTP, the result is as follows:

(Figure: Symmetric encryption data transmission process)

As the figure shows, the encrypted data is an irregular jumble while in transit. Even if a third party intercepts it, the data cannot be decrypted without the key, so the security of the data is ensured. However, there is a fatal problem. Since both parties must use the same key, one party has to pass the key to the other before any data is transmitted, and during that exchange the key is very likely to be intercepted, after which the encrypted data can easily be decrypted. So how do we keep the key secure while it is being transmitted? This is where asymmetric encryption comes in.

Asymmetric encryption

Asymmetric encryption, as the name implies, requires two different keys for encryption and decryption: a public key and a private key. The public key and private key form a pair. Data encrypted with the public key can only be decrypted with the corresponding private key, and data encrypted with the private key can only be decrypted with the corresponding public key. The basic process of exchanging confidential information with an asymmetric algorithm is as follows:

1. Party A generates a pair of keys and discloses one of them as the public key.
2. Party B, having obtained the public key, encrypts the confidential information with it and sends it to Party A.
3. Party A decrypts the encrypted information with its own private key.

If you don't quite understand public and private keys, think of a key and a padlock: you are the only person in the world with the key, and you can hand the padlock to others. They can lock up important things with the padlock and send them to you, and since only you have the key, only you can see what is locked inside.
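As an added example that is not from the original article, the following Go program implements both halves of the hybrid scheme introduced in the Encryption Algorithms section: the symmetric part (AES-256-GCM, fast, for the data) and the asymmetric part (RSA-OAEP, to carry the random key KEY from the client to the server so that only the holder of the private key can recover it). The function names (symmetricEncrypt, clientWrapKey, hybridRoundTrip, withoutKeyFails), the key sizes and the sample message are choices made for this illustration; it uses only Go's standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// newGCM builds an AES-GCM cipher; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// symmetricEncrypt returns nonce || ciphertext || tag; GCM needs a fresh nonce per message.
func symmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// symmetricDecrypt fails when the key is wrong or any bit was altered in transit.
func symmetricDecrypt(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

// clientWrapKey: the client draws the random KEY and seals it with the server's public key (RSA-OAEP).
func clientWrapKey(serverPub *rsa.PublicKey) (key, wrapped []byte, err error) {
	key = make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, key); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, nil)
	return key, wrapped, err
}

// hybridRoundTrip runs the whole exchange in one process and returns what the server decrypted.
func hybridRoundTrip(message string) (string, error) {
	serverPriv, err := rsa.GenerateKey(rand.Reader, 2048) // the server's key pair
	if err != nil {
		return "", err
	}
	clientKey, wrapped, err := clientWrapKey(&serverPriv.PublicKey)
	if err != nil {
		return "", err
	}
	// Server side: only the private key can unwrap KEY.
	serverKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, wrapped, nil)
	if err != nil {
		return "", err
	}
	sealed, err := symmetricEncrypt(clientKey, []byte(message)) // client -> server under KEY
	if err != nil {
		return "", err
	}
	plain, err := symmetricDecrypt(serverKey, sealed)
	return string(plain), err
}

// withoutKeyFails models the third party in the figure: it holds the ciphertext
// but not KEY, so decrypting under a guessed (here all-zero) key is rejected.
func withoutKeyFails() bool {
	realKey, guessedKey := make([]byte, 32), make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, realKey); err != nil {
		return false
	}
	sealed, err := symmetricEncrypt(realKey, []byte("constructed sample message"))
	if err != nil {
		return false
	}
	_, err = symmetricDecrypt(guessedKey, sealed)
	return err != nil
}

func main() {
	got, err := hybridRoundTrip("constructed sample message")
	fmt.Println("server decrypted:", got, "err:", err)
	fmt.Println("decryption without KEY rejected:", withoutKeyFails())
}
```

This is the RSA key-transport form of the exchange, the one TLS 1.2 and earlier offered; TLS 1.3 removed it in favour of ephemeral Diffie-Hellman so that a later leak of the server's private key cannot unlock recorded traffic. The GCM authentication tag is what makes the "cannot decrypt without the key" claim checkable: a wrong key or a modified ciphertext is rejected outright rather than yielding garbage.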
The commonly used asymmetric encryption algorithm is the RSA algorithm, which has the following advantages and disadvantages:
Because of the strong security of asymmetric encryption, it can be used to solve the key leakage problem of symmetric encryption perfectly. The effect is shown below:

(Figure: The client sends the key KEY to the server through asymmetric encryption)

In the process above, after obtaining the server's public key, the client generates a random code (denoted KEY, the key both parties will later use for symmetric encryption), encrypts KEY with the public key, and sends it to the server. The server decrypts it with its private key, so both parties now hold the same key KEY, and from then on they use KEY to symmetrically encrypt the data they exchange. While KEY is in transit under asymmetric encryption, even a third party who obtains both the public key and the encrypted KEY cannot recover KEY without the private key (the private key lives on the server, where the risk of leakage is extremely small), which secures all the subsequently symmetrically encrypted data.

The flowchart above is the prototype of HTTPS. HTTPS combines the advantages of these two kinds of encryption, which ensures both communication security and data transmission efficiency.

HTTPS Principles Explained

Let's first look at Wikipedia's definition of HTTPS:

Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It is used for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, its predecessor, Secure Sockets Layer (SSL). The protocol is therefore also often referred to as HTTP over TLS, or HTTP over SSL.

HTTPS (Hypertext Transfer Protocol Secure) is an extension based on HTTP, used for secure communication in computer networks, and has been widely used on the Internet.
In HTTPS, the original HTTP protocol is encrypted by TLS (Transport Layer Security) or its predecessor SSL (Secure Sockets Layer). Therefore HTTPS is often referred to as HTTP over TLS or HTTP over SSL. So HTTPS is not an independent communication protocol but an extension of HTTP that ensures communication security. The relationship between the two is as follows:

(Figure: Relationship between HTTP and HTTPS)

That is to say, HTTPS = HTTP + SSL/TLS.

Next comes the most important part, the analysis of how HTTPS works. As usual, let's start with the picture:

(Figure: HTTPS encryption, decryption, verification and data transmission process)

It may look confusing, but don't be afraid; I will explain it in detail. The entire HTTPS communication process can be divided into two stages: certificate verification and data transmission. The data transmission stage can itself be divided into two stages: asymmetric encryption and symmetric encryption. The specific process follows the sequence numbers in the figure:

① The client requests the HTTPS URL and connects to the server's port 443 (the default HTTPS port, like port 80 for HTTP).

② A server using HTTPS must have a digital CA (Certification Authority) certificate. The certificate has to be applied for and is issued by a specialized certificate authority (CA) after a very strict review (and of course it costs money; the higher the security level, the more expensive it is). When a certificate is issued, a private key and a public key are generated. The private key is kept by the server itself and must not be disclosed. The public key is included in the certificate information and can be made public. The certificate itself also carries an electronic signature, which is used to verify the integrity and authenticity of the certificate and prevent it from being tampered with.

③ The server responds to the client's request and passes the certificate to the client.
The certificate contains the public key and a lot of other information, such as the certificate authority, company information and the certificate's validity period. In Chrome, click the lock icon in the address bar and then click the certificate to view its details.

(Figure: B Station CA certificate)

④ The client parses the certificate and verifies it. If the certificate was not issued by a trusted authority, or the domain name in the certificate does not match the actual domain name, or the certificate has expired, a warning is shown to the visitor, who can choose whether to continue. Like this:

(Figure: Browser security warning)

If there is no problem with the certificate, the client takes the server's public key A out of the server certificate. The client then generates a random code KEY and encrypts it with public key A.

⑤ The client sends the encrypted random code KEY to the server as the key for subsequent symmetric encryption.

⑥ After receiving the random code KEY, the server decrypts it with private key B. After the steps above, the client and the server have finally established a secure connection, perfectly solving the key leakage problem of symmetric encryption, and they can now communicate happily using symmetric encryption.

⑦ The server uses the key (random code KEY) to symmetrically encrypt the data and sends it to the client. The client decrypts the data with the same key (random code KEY).

⑧ Both parties transmit all further data using symmetric encryption.

Well, that is the detailed explanation of how HTTPS works. With such a beautiful picture and such a detailed walkthrough, it would be unreasonable if you still don't understand it, haha.

Summary

Let's summarize the differences between HTTPS and HTTP and the shortcomings of HTTPS.

Differences between HTTPS and HTTP:
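The three checks in step ④ can be reproduced with Go's crypto/x509 package. The program below is an added example, not code from the original article: it constructs a throwaway root CA, issues a certificate for the constructed hostname www.example.com and an already-expired one, and then runs the checks the article lists (trusted issuer, matching domain name, validity period) the way a browser does before deciding whether to show the warning. Names such as demoPKI, buildDemoPKI and verifyServerCert are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// demoPKI: a constructed root CA plus two certificates it issued, one valid and one expired.
type demoPKI struct {
	leaf           *x509.Certificate
	expiredLeaf    *x509.Certificate
	trustedRoots   *x509.CertPool // what a browser's trust store would hold
	untrustedRoots *x509.CertPool // an empty store: this CA is unknown here
}

// issue signs template with parent's key; parent == template yields a self-signed root.
func issue(template, parent *x509.Certificate, pub, signer any) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func buildDemoPKI() (*demoPKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serverKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stays on the server
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTemplate := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Root CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caCert, err := issue(caTemplate, caTemplate, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	// The server certificate binds the server's public key to its hostname; the CA signs it.
	leafTemplate := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "www.example.com"},
		DNSNames:     []string{"www.example.com"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(12 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := issue(leafTemplate, caCert, &serverKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	expiredTemplate := *leafTemplate
	expiredTemplate.SerialNumber = big.NewInt(3)
	expiredTemplate.NotBefore = now.Add(-48 * time.Hour)
	expiredTemplate.NotAfter = now.Add(-24 * time.Hour)
	expiredLeaf, err := issue(&expiredTemplate, caCert, &serverKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(caCert)
	return &demoPKI{leaf, expiredLeaf, trusted, x509.NewCertPool()}, nil
}

// verifyServerCert is the client's step ④: the chain must end at a trusted root, the
// certificate must cover the requested hostname, and now must be inside its validity period.
func verifyServerCert(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	p, err := buildDemoPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("trusted CA, right host, in date:", verifyServerCert(p.leaf, p.trustedRoots, "www.example.com"))
	fmt.Println("hostname mismatch:", verifyServerCert(p.leaf, p.trustedRoots, "www.example.net"))
	fmt.Println("expired:", verifyServerCert(p.expiredLeaf, p.trustedRoots, "www.example.com"))
	fmt.Println("issuer not trusted:", verifyServerCert(p.leaf, p.untrustedRoots, "www.example.com"))
}
```

Each failing call returns a distinct error type from crypto/x509 (UnknownAuthorityError, HostnameError, and CertificateInvalidError with reason Expired), which is exactly the distinction behind the three kinds of browser warning described above. A client that skips any one of these checks, for instance by not passing DNSName, will happily accept a certificate issued to a different site.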
Disadvantages of HTTPS:
Author: IamHYN
Editor: Tao Jialong
Source: https://segmentfault.com/a/1190000021494676