Understand HTTP and HTTPS protocols in ten minutes?

1. What is a protocol?

A network protocol is an "agreement" or "rule" reached between computers in order to achieve network communication. With this "agreement", communication can be achieved between equipment produced by different manufacturers and computers with different operating systems.

2. What is the HTTP protocol?

HTTP is the abbreviation of Hypertext Transfer Protocol, which is the transmission protocol for transmitting Hypertext Markup Language (HTML) from a WEB server to a local browser.

HTTP was originally designed to provide a method for publishing and receiving HTML pages.

There are multiple versions of HTTP, and the most widely used one is HTTP/1.1.

3. HTTP Principles

HTTP is a protocol based on the TCP/IP communication protocol to transmit data. The transmitted data types include HTML files, image files, query results, etc.

The HTTP protocol is generally used in B/S (browser/server) architecture. As an HTTP client, the browser sends all requests to the HTTP server, i.e. the WEB server, through the URL.

Let’s take visiting Baidu as an example:


Access Baidu process

4. HTTP Features

HTTP supports the client/server model and is a request/response protocol. Its main features are:

  • Simple and fast: When a client requests a service from a server, it only needs to transmit the request method and path. Common request methods are GET, HEAD, and POST.
  • Flexible: HTTP allows the transmission of any type of data object. The type being transmitted is marked by Content-Type.
  • Connectionless: Each connection is limited to processing only one request. After the server processes the request and receives the client's response, it disconnects. This is not conducive to the client and the server maintaining a session. To make up for this deficiency, two technologies for recording HTTP state were created, one called Cookie and the other called Session.
  • Stateless: The protocol has no memory of transaction processing. If later processing requires earlier information, that information must be retransmitted.

5. Difference between URI and URL

HTTP uses Uniform Resource Identifiers (URI) to transmit data and establish connections.

  • URI: Uniform Resource Identifier
  • URL: Uniform Resource Locator

URI is used to identify a specific resource. We can know what a resource is through URI.

URL is used to locate specific resources and indicates a specific resource location. Every file on the Internet has a unique URL.

6. HTTP message composition

Request message composition

  1. Request line: includes request method, URL, protocol/version
  2. Request Header
  3. Request body

Response message composition

  1. Status Line
  2. Response Headers
  3. Response body

7. Common request methods

  • GET: Requests the specified page information and returns the entity body.
  • POST: Submits data to the specified resource to process the request (such as submitting a form or uploading a file). The data is contained in the request body. POST requests may result in the creation of new resources and/or the modification of existing resources.
  • HEAD: Similar to a GET request, except that the returned response does not have specific content and is used to obtain headers.
  • PUT: Data sent from the client to the server replaces the content of the specified document.
  • DELETE: Requests the server to delete the specified page.

The difference between POST and GET:

  • Both contain a request line and a request header, while POST contains an additional request body.
  • GET is mostly used for querying. The request parameters are placed in the URL, and the request does not affect the content on the server. POST is used for submission, such as putting the account and password in the body.
  • GET parameters are added directly to the URL, so the content can be seen directly in the URL, while POST parameters are placed inside the message, and the user cannot see them directly.
  • The length of data submitted by GET is limited because the URL length is limited. The specific length limit depends on the browser. POST does not have this limit.

8. Response status code

When accessing a web page, the browser sends a request to the web server. The server where the web page is located returns an information header containing an HTTP status code in response to the browser's request.

Status code classification:

  • 1XX - Informational, the server received the request and needs the requester to continue.
  • 2XX - Success, the request was successfully received, understood and processed.
  • 3XX - Redirection, further action is required to complete the request.
  • 4XX - Client error, the request contained a syntax error or could not be completed.
  • 5XX - Server Error. An error occurred while the server was processing the request.

Common status codes:

  • 200 OK - The client request is successful.
  • 301 - The resource (web page, etc.) has been permanently moved to another URL.
  • 302 - Temporary redirect
  • 400 Bad Request - The client request has a syntax error and cannot be understood by the server.
  • 401 Unauthorized - The request is unauthorized. This status code MUST be used with the WWW-Authenticate header field.
  • 404 - The requested resource does not exist. You may have entered an incorrect URL.
  • 500 - An unexpected error occurred within the server
  • 503 Service Unavailable - The server is currently unable to process the client's request and may return to normal after a period of time.

9. Why use HTTPS?

In practice, most websites now use the HTTPS protocol, and this is the direction in which the Internet is heading. The following is the login request of a blog website captured with Wireshark.


Blog login packet capture

It can be seen that the account and password are transmitted in plain text, so the request sent by the client can easily be intercepted and used by criminals. The HTTP protocol is therefore not suitable for transmitting sensitive information such as accounts and passwords. It is very unsafe to use HTTP to transmit private information.

Generally, there are the following problems in HTTP:

  • The request information is transmitted in plain text, so it is easy to intercept by eavesdropping.
  • The integrity of the data is not verified, so it is easy to tamper with.
  • The identity of the other party is not verified, which creates a risk of impersonation.
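The request structure from section 6, the GET/POST parameter placement from section 7 and the plain-text exposure described here can be seen together in one added example (not code from the original article). It parses a raw HTTP/1.1 request as it would appear in a capture and reports credential-like fields sent in the clear, whether they sit in the URL or in the body; the field-name list, host name and sample requests are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed names of sensitive form fields; adjust for the application under review.
SENSITIVE = {"password", "passwd", "pwd", "token", "secret"}

def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")      # blank line ends the headers
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so trailing bytes are not mistaken for the body.
    length = int(headers.get("content-length", "0"))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body[:length]}

def exposed_fields(req: dict) -> list:
    """Return (location, field) pairs for sensitive parameters sent in clear text."""
    found = [("url", k) for k, _ in parse_qsl(urlsplit(req["target"]).query)
             if k.lower() in SENSITIVE]
    ctype = req["headers"].get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        found += [("body", k)
                  for k, _ in parse_qsl(req["body"].decode("iso-8859-1"))
                  if k.lower() in SENSITIVE]
    return found

# Constructed sample requests (not taken from the capture in the article).
GET_SAMPLE = (b"GET /search?q=http&token=abc123 HTTP/1.1\r\n"
              b"Host: blog.example\r\n\r\n")
POST_SAMPLE = (b"POST /login HTTP/1.1\r\n"
               b"Host: blog.example\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 31\r\n\r\n"
               b"username=alice&password=hunter2")

if __name__ == "__main__":
    for sample in (GET_SAMPLE, POST_SAMPLE):
        req = parse_request(sample)
        print(req["method"], req["target"], exposed_fields(req))
```

Placing a field in the POST body hides it from the address bar only; on an unencrypted connection it is as readable as a URL parameter.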

10. What is HTTPS?

In order to solve the above problems with HTTP, HTTPS is used.

HTTPS protocol (HyperText Transfer Protocol over Secure Socket Layer): generally understood as HTTP+SSL/TLS, which uses SSL certificates to verify the identity of the server and encrypt communications between the browser and the server.

So what is SSL?

SSL (Secure Socket Layer): Developed by Netscape in 1994, the SSL protocol is located between the TCP/IP protocol and various application layer protocols, providing security support for data communications.

TLS (Transport Layer Security): Its predecessor is SSL. Its first few versions (SSL 1.0, SSL 2.0, SSL 3.0) were developed by Netscape. Starting from 3.1 in 1999, it was standardized and renamed by the IETF. So far, there are three versions: TLS 1.0, TLS 1.1, and TLS 1.2. SSL 3.0 and TLS 1.0 are rarely used due to security vulnerabilities. TLS 1.3 will have major changes and is still in the draft stage. Currently, the most widely used ones are TLS 1.1 and TLS 1.2.

History of SSL (Internet Encrypted Communication)

  • In 1994, Netscape designed the SSL protocol (Secure Sockets Layer) version 1.0, but it was not released.
  • In 1995, Netscape released SSL 2.0, which was soon found to have serious vulnerabilities.
  • In 1996, SSL 3.0 was released and widely used.
  • In 1999, the upgraded version of SSL, TLS 1.0, was released, which is currently the most widely used version.
  • In 2006 and 2008, TLS 1.1 and TLS 1.2 were released.

11. What is the process of browsers transmitting data using HTTPS?


HTTPS data transmission process

  1. The client accesses the server through the URL and asks to establish an SSL connection.
  2. After receiving the client's request, the server sends a copy of the website's certificate information (the certificate contains the public key) to the client.
  3. The client and the server negotiate the security level of the SSL connection, that is, the level of information encryption.
  4. The client's browser establishes a session key based on the security level agreed by both parties, encrypts the session key with the website's public key, and sends it to the website.
  5. The server uses its own private key to decrypt the session key.
  6. The server uses the session key to encrypt communications with the client.

12. Disadvantages of HTTPS

  • The HTTPS protocol has multiple handshakes, which increases the page loading time by nearly 50%.
  • The HTTPS connection cache is not as efficient as HTTP, which increases data overhead and power consumption.
  • Applying for an SSL certificate costs money, and the more powerful the certificate, the higher the fee.
  • The security algorithms involved in SSL consume CPU and a lot of server resources.

13. Summarize the differences between HTTPS and HTTP

  • HTTPS is a secure version of the HTTP protocol. HTTP transmits data in plain text and is not secure, while HTTPS uses the SSL/TLS protocol for encryption.
  • HTTP and HTTPS use different connection methods and different default ports: 80 for HTTP and 443 for HTTPS.
