


The master will analyze for you the difference between HTTPS and HTTP
When I was working on Yahoo today, I found that I could not intercept the communication between the client and the server using a third-party tool. I have never encountered this situation before. I took a closer look and found that the URL request was based on https. I then found out that there is a big difference between the https protocol and http. In general, http is more efficient and https is more secure.
First let’s talk about what HTTPS is:
HTTPS (Secure Hypertext Transfer Protocol) is a secure communication channel developed on top of HTTP for exchanging information between client computers and servers. It uses the Secure Socket Layer (SSL) for information exchange; put simply, it is a secure version of HTTP. It was developed by Netscape and built into its browser, and is used to compress and decompress data and return the results sent back over the network. HTTPS actually uses Netscape's Secure Socket Layer (SSL) as a sublayer of the HTTP application layer. (HTTPS uses port 443, rather than port 80 as HTTP does, to communicate with TCP/IP.) SSL uses a 40-bit key for the RC4 stream encryption algorithm, which is suitable for encrypting business information. HTTPS and SSL support the use of X.509 digital authentication, so users can confirm who the sender is if needed.
The difference between HTTPS and HTTP:
The https protocol requires you to apply for a certificate from a CA. Free certificates are generally rare, so you usually need to pay a fee. http is the hypertext transfer protocol and transmits information in plain text, while https is a secure transmission protocol encrypted with SSL. http and https use completely different connection methods and different ports: the former uses 80 and the latter 443.
An http connection is very simple and stateless. The HTTPS protocol is a network protocol built from SSL+HTTP that can perform encrypted transmission and identity authentication, and it is more secure than the http protocol.
Problems that HTTPS solves:
1. The problem of trusting the host. Servers that use https must apply for a certificate from the CA to prove the server's usage type. The client trusts this host only when the certificate is used for the corresponding server. This is why all current banking system websites and key applications use https: the customer trusts the host by trusting the certificate. In fact, this is very inefficient, but banks pay more attention to security. This point means little to us: whether our server's certificate is self-issued or issued by a public authority, the clients are all our own, so we trust the server anyway.
2. Data leakage and tampering during the communication process
In the general case, https means that the server has a certificate.
a) The main purpose is to ensure that the server is the server it claims to be. This is the same as the first point.
b) All communications between the server and the client are encrypted.
i. Specifically, the client generates a symmetric key, and the key is exchanged using the server's certificate. This is the handshake process in the general sense.
ii. After that, all information exchanged is encrypted. Even if a third party intercepts it, the data is meaningless because they do not have the key. Tampering with it is, of course, equally pointless.
In the few cases where requirements are placed on the client, the client must also have a certificate.
a) The client certificate here is similar to a representation of personal information: in addition to the username/password, there is also an identity certified by a CA. Generally speaking, personal certificates cannot be imitated by others, so this further confirms your identity.
b) Currently, the professional versions of a few personal online banking services work this way; the certificate itself may be stored on a USB flash drive as a backup carrier. For example, the online banking of Bank of Communications that I use uses this method.
HTTPS is inevitably cumbersome:
a) The original http protocol is simple: one GET and one response. Because https needs to exchange the key and confirm the encryption algorithm, a single handshake requires 6/7 round trips.
i. In any application, too many round trips will definitely affect performance.
b) Next is the http exchange itself: every request or response requires the client and server to encrypt/decrypt the session content.
i. Although symmetric encryption/decryption is relatively efficient, it still consumes too much CPU, which is why dedicated SSL chips exist. If CPU power is relatively low, performance will definitely drop and the server will be unable to serve more requests.
Introduction to SSL:
SSL is a security and confidentiality protocol proposed by Netscape. It constructs a secure channel for data transmission between browsers (such as Internet Explorer and Netscape Navigator) and Web servers (such as Netscape's Netscape Enterprise Server, ColdFusion Server, etc.). SSL runs above the TCP/IP layer and below the application layer to provide encrypted data channels for applications. It uses encryption algorithms such as RC4, MD5 and RSA with a 40-bit key, which is suitable for encrypting business information. Netscape also developed the HTTPS protocol accordingly and built it into its browser. HTTPS is actually SSL over HTTP. It uses the default port 443, rather than port 80 as HTTP does, to communicate with TCP/IP.
The HTTPS protocol uses SSL to encrypt the original data on the sender's side and decrypt it on the receiver's side. Encryption and decryption require the sender and receiver to exchange mutually known keys, so the transmitted data is not easily intercepted and decrypted by network hackers. However, the encryption and decryption process incurs a lot of system overhead and seriously reduces the performance of the machine. Relevant test data shows that the efficiency of data transmission using the HTTPS protocol is only one-tenth that of using the HTTP protocol. If, for the sake of security and confidentiality, all web applications of a website enabled SSL and used the HTTPS protocol for transmission, the performance and efficiency of the website would be greatly reduced. There is no need for this, because generally speaking not all data requires such a high level of security and confidentiality. We only need to use the HTTPS protocol for interactive processing involving confidential data, which gives the best of both worlds. In short, if you don't need to use https, try not to use it.
