Is it very secure to use https protocol for API interface?

WBOY · Original · 2016-07-06 13:51:32 · 1270 views

I have always known that https is more secure than http, and that the transmitted data is encrypted, balalabala...
So if my API interface uses the https protocol, will I no longer need to encrypt and decrypt messages in the program?
If a perfect security score is 100 points, how many points would each of the following get?

1. Use http directly
2. Use http, but encrypt and decrypt the data yourself with encryption and decryption functions
3. Use https
4. Use https, and also encrypt and decrypt the data with encryption and decryption functions

Reply content:

1 = 50 points. There is no security at all; the API content is transmitted in clear text and is easy to hijack.
2 = 60 points. Encryption and decryption functions bring more issues to consider. If it is only symmetric encryption, it is in fact not much safer than option 1.
3 = 90 points. In fact, this method should be called TLS. It is secure enough. For the specific security mechanism, please refer to this article.
4 = 80 points. Since TLS is already in place, encrypting again will not increase the difficulty of cracking, but will cost performance.

The low-cost method is definitely option 3, https.
If your API really has a lot of security requirements, you can also use https to implement encryption and decryption yourself.
I mean, don't over-optimize; whether it is really necessary depends on your business scenario.

Let me explain: https itself involves encryption and decryption, both asymmetric and symmetric, and the whole process takes time.
Therefore, the same interface using https will definitely be slower than http, by a few to dozens to a few seconds. One hundred milliseconds, you can test this yourself.

The problem that HTTPS solves is not only encryption, but more importantly authentication, which proves that the server is really the server you want. Encrypting it yourself is of little use.
If you assume that the network is insecure, no matter how you encrypt it, it will be useless. The secret key will be seen from the beginning anyway.
Asymmetric encryption may still be useful. Once the secret key is exchanged, it is safe, but HTTPS has been implemented and it is even better. Why bother with it?

Is there any way to avoid password sniffing (man-in-the-middle attack) on web pages?

Everyone above evaluated the security level from the perspective of encryption. I will give my view from the perspective of a cracker:

  1. Direct visual analysis
  2. Analysis of the client decryption function
  3. Forged certificate to implement proxy forwarding
  4. 3 + 2

https only ensures the relative security of the transmission process, but it is far from being safe.
As long as your code is running on the client, there is a possibility of it being reversed.
All you can do is make client-side encryption as complex as possible...
