The author of this article: Qieguo, focuses on the field of front-end development. For more articles, please pay attention to the Zhihu column "Front-end Little Things"
Now open the major well-known websites, have you found the address? A small green lock has been added to the column?
Yes, this is https, this is the era of https.
However, do you understand https?
Simply put, https is http wrapped in SSL/TLS, which is secure http. What is safety? A secure network communication environment needs to solve three problems:
Confidentiality of communication content
True identity of both communicating parties
Complete communication content
And https was born to solve these three major problems (to be precise, it should be ssl). Let’s take a look at these three separately. solution to the problem.
Confidentiality of communication content
Confidentiality of communication content needs to be achieved through encryption. Our Internet environment is very transparent, and communications need to go through many transits before reaching the recipient. This situation is a bit like handing a note to Xiaohong in the first row during class. On the note, you would definitely not directly write "see you at the playground at midnight tonight", but cleverly write "see you at the same place." Only you and Xiaohong know about this old place, so even if Xiaoming and Xiaoli see the note, they don't know whether the old place is the library or the English corner. This is encryption, and the old place is the so-called key.
Of course, this example is not very accurate. To put it simply, encryption and decryption is a function , and the key is the parameter of this function. For example, we define a simple encryption function, f(x)=x+b, x is the input plaintext, and b is the key; the decryption function is the inverse function of the encryption function, that is, g(x )=x-b. When you don't know b, you can't guess the real content even if you see the ciphertext, so encryption is achieved. This kind of encryption and decryption uses the same key, which is called symmetric encryption.
But there is a problem here. How is parameter b here negotiated?
You and Xiaohong can spend time and money to make an appointment, but in a real network environment, there is no possibility for you and Xiaohong to communicate directly. All communication must rely on Xiaoming and Xiaoli to pass the paper. If so, what can you do to avoid them? Here you need to use an asymmetric encryption algorithm. This algorithm has a pair of public keys and private keys. The public key is a key that everyone can obtain, and the private key is kept privately by the service server. key. In the asymmetric encryption algorithm, the content encrypted by the public key can only be decrypted by the private key, and the content encrypted by the private key can only be decrypted by the public key. So when you use Xiaohong's public key to encrypt your note, Xiaoming, Xiaoli and others who help you deliver the note will not be able to read the content when they see the note. Only Xiaohong who has the private key can read your information. .
The symmetric encryption algorithm uses the same secret key for encryption and decryption; the asymmetric encryption algorithm requires two keys for encryption and decryption, and these two secret keys are public keys. (public key, referred to as public key) and private key (private key, referred to as private key). You may be curious about the principles of asymmetric encryption algorithms, but I will not go into details about the algorithm here. Interested students can search by themselves.
Then the question is, what should I do if Xiaohong also wants to encrypt the response to you?
If Xiaohong uses her private key to encrypt, everyone in the class knows the public key, and the public key can decrypt the private key, which also means that everyone can decrypt Xiaohong’s Respond to messages. If you are smart, you must have thought of the solution: Use the asymmetric encryption algorithm to encrypt a symmetric key to Xiaohong. Xiaohong uses her private key to read the symmetric key, and then you use this symmetric key to do it. Symmetric encryption, and then you can happily date.
Of course, https does the same thing.
The true identity of the communicating parties
After encryption, the communication process seems to be perfect? Wait a minute, how does Xiaohong’s public key become known to the world?
You must know that all information interaction in the network environment is carried out by passing notes, and Xiaohong's public key is no exception. What if it is switched when it passes through Xiaoming's hands? How to ensure that the Xiaohong public key in your hand is the real Xiaohong public key? Seeing that the notes about the crazy men and women in the class were being exchanged in various ways, Sister Feng, the entertainment committee member, decided to come forward. Sister Feng came up with a way to carry a certificate with her in all encrypted communications to prove her identity. This certificate was specially made by Sister Feng for all the singles in the class. The public key is placed in the certificate and returned to the sender of the note. In addition to the public key, the certificate also contains various information such as student number, name, and even zodiac sign, height and measurements. . There is a large identification seal stamped on the certificate. This is Sister Feng's unique seal, which means that the authenticity of the information on the certificate is guaranteed by Sister Feng. When you see this seal, you can think that the other party is a real single.
Through this information, you can know whether the other party is Xiaohong or Ruhua. This is the certificate mechanism.
Obviously you will suspect that Sister Feng’s official seal on the certificate may have been forged, and your suspicion is justified! Therefore, the official seal on the certificate is also asymmetrically encrypted. The encryption method is just the opposite of what is mentioned above: encrypted with Sister Feng’s private key, and decrypted with Sister Feng’s public key, so that the authenticity of the certificate can be verified. This official seal is the digital signature of the certificate. Specifically, it is the process of first extracting the summary of the certificate using a hash algorithm, and then encrypting the summary. In addition, you can also go directly to Sister Feng with the certificate, and Sister Feng will help you verify the validity of the certificate. (Certificates have an expiration date, so even real certificates may expire, so you need to pay attention)
This mechanism seems to be quite complete, but we have to build a security mechanism with a skeptical attitude, something that Sister Feng guarantees It's trustworthy.
But, is Sister Feng really Sister Feng? ? ?
Therefore, Sister Feng herself must also be guaranteed by a certificate. Sister Feng’s certificate is issued by the class teacher, and the class teacher’s certificate is issued by the principal... This chain goes all the way to the end Several authoritative institutions are the so-called root CAs in the https system. Roots are unquestionable authorities, they bring salt to themselves and prove themselves to be who they are. In the https certificate system, the root certificate comes with the operating system/browser. We can trust the certificates certified by these organizations, and then derive them layer by layer to the level of Fengjie.
In addition, because the certificate is actually very easy to obtain, it costs 10 yuan per copy at the subway entrance, and it costs 10 yuan for both Harvard and Stanford! Therefore, some companies will make their own certificates without going to the root CA organization at all, such as the famous 12306. You can also make your own certificate and put it online for users to download and import into their browsers, but because you don’t have Sister Feng’s influence, no one will believe you. Of course, some people don’t even believe Sister Feng...
The communication content is complete
The password has also been added, and Sister Feng’s official seal has also been stamped. Is this mechanism perfect?
NoNoNo, think about it, Xiao Ming, who has a crush on you, will definitely feel unhappy when he sees you sending a note to Xiao Hong. Although he can’t understand it, he can still change the cipher text. Originally, you were going to ask Xiaohong to meet on the playground at midnight, but Xiaoming deleted the first half of the cipher text, and after decryption it happened to be "Meet on the playground." Then Xiaohong ran to the playground immediately after class, but you ran back to the dormitory to take a good shower. A bath. . . Then, Xiaohong ran away with Xiaoming~~
I believe everyone has a deep understanding of this scenario of tampering with communication content. When we visit some sites, advertisements from operators appear for no reason. This is all It was added by the operator! ! Therefore, the integrity of the content also needs to be guaranteed. This is relatively simple: first use a hash algorithm to extract the content summary, and then encrypt the summary to generate a digital signature. By verifying the digital signature, you can determine the integrity of the communication content.
The above is a simplified version of the technology used in https. An http communication process is as follows:
General steps:
The client sends a Client Hello message to start SSL communication. The message contains the SSL version, available algorithm list, key length, etc.
When the server supports SSL communication, it will respond with a Server Hello message. The message also includes the SSL version and encryption algorithm configuration, which is the negotiated encryption and decryption algorithm.
Then the server will send the Certificate message, which means sending the certificate to the client.
The client sends a Client Key Exchange message, uses the certificate public key in 3 to encrypt the Pre-master secret random password string, and subsequently uses this password for symmetric encryption for communication.
After the server successfully decrypts using the private key, it returns a response indicating that the SSL communication environment has been set up.
Then there is regular http c/s communication.
As mentioned above, digest and signature algorithms will be used in steps 3 and 6 to ensure that the passed certificate and communication content are not tampered with. It can be seen from this process that the core of https lies in encryption, especially the asymmetric encryption algorithm that is used many times to transmit key information.
After understanding encryption, recognizing the transparency of the network, and being skeptical of everything, it becomes easier to understand the https system.
Conclusion
Recently I have been systematically reviewing http-related things. This article first introduces the basic principles of https. I have little knowledge and knowledge. If there is anything inappropriate, please correct me! Later, we will introduce the actual application, static server configuration, etc.~
Appendix
How to avoid man-in-the-middle hijacking of https?
If someone hijacks your DNS server and resolves wwe.icbc.com to his illegal website, or the proxy server directs you to his illegal website, this is a man-in-the-middle attack. If there is no https, then the attack occurs. So how does https avoid such attacks?
The answer is through certificate authentication.
When applying for a certificate, the CA will perform control certification on the domain name to be applied for, so it is impossible for you to use Lao Wang’s website next door to apply for a certificate. Even if you hack his site, Lao Wang can find out as long as he applies for a certificate.
If you forge a certificate that is not issued by an authoritative CA, then the browser will alert you when checking that the certificate is illegal. Of course, users can still continue to operate, such as grabbing train tickets or something. .
If you download the certificate of the real site, the domain name on the certificate remains unchanged, and you just replace the public key, then the browser will be able to find the correctness when comparing the digital signature of the certificate. If you can't get on, call the police without saying a word.
If the middleman directly uses the real certificate of www.icbc.com, then although he can receive the client's message, he cannot decrypt it, so he cannot respond to the client's request, and the attack is invalid!
Certificate’s Digital Signature
I didn’t know much about hash algorithms and digital signatures before. After understanding them, I found that the principle is actually quite simple. The hash algorithm can convert a large amount of data into a fixed-length summary, and the summary corresponds to the input. The summary will also change when the input changes. Therefore, a hash algorithm is applied to the data to obtain a summary. By comparing the summary, you can determine whether the data has been tampered with. The certificate uses the private key to encrypt the digest, and then the client can use the public key to decrypt it to obtain the digest. By comparing the digest calculated by the hash algorithm, it can determine whether the certificate has been tampered with. On the other hand, because the public and private keys are in pairs, although the digest of the tampered certificate can be obtained, the signature cannot be encrypted, so the combination of digest and encryption can ensure the authenticity of the certificate. The private key here is the private key of the issuing authority of the certificate, that is, the CA on the CA chain encrypts the user server certificate, and the superior CA encrypts the certificate of the subordinate CA, thus forming a trust ring.
The author of this article: Qieguo, focuses on the field of front-end development. For more articles, please pay attention to the Zhihu column "Front-end Little Things"
The above is the detailed content of In the https era, do you still know nothing about him?. For more information, please follow other related articles on the PHP Chinese website!
Nginx与SSL:配置HTTPS保护Web服务器Jun 09, 2023 pm 09:24 PMNginx是一个高性能的Web服务器软件,同时也是一款强大的反向代理服务器和负载均衡器。随着互联网的迅速发展,越来越多的网站开始采用SSL协议保护敏感用户数据,而Nginx也提供了强大的SSL支持,使得Web服务器的安全性能更进一步。本文将介绍如何配置Nginx以支持SSL协议,并保护Web服务器的安全性能。什么是SSL协议?SSL(SecureSocke
Nginx防火墙如何保障HTTPS安全通信Jun 10, 2023 am 10:16 AM在当今互联网时代,安全通信已经成为了不可或缺的一部分。尤其是在HTTPS通信中,如何保障其安全性尤为重要。而Nginx作为流行的Web服务器和反向代理服务器,其防火墙也可以在保障HTTPS安全通信中发挥重要作用。本文将就Nginx防火墙从以下几个方面进行讨论。TLS/SSL加密HTTPS通信的安全保障主要是基于TLS/SSL加密技术,其能够防止数据在传输过程
怎么使用Nginx实现HTTPS双向验证Jun 03, 2023 pm 08:38 PM单向验证与双向验证的区别:单向验证:指客户端验证服务器端证书,服务器并不需要验证客户端证书。双向验证:指客户端验证服务器端证书,而服务器也需要通过ca的公钥证书来验证客户端证书。详细的握手过程:单向验证浏览器发送一个连接请求给安全服务器。1、服务器将自己的证书,以及同证书相关的信息发送给客户浏览器。2、客户浏览器检查服务器送过来的证书是否是由自己信赖的ca中心所签发的。如果是,就继续执行协议;如果不是,客户浏览器就给客户一个警告消息:警告客户这个证书不是可以信赖的询问客户是否需要继续。3、接着客
Nginx下如何升级httpsMay 14, 2023 pm 04:49 PM下载证书在证书控制台下载nginx版本证书。下载到本地的压缩文件包解压后包含:.pem文件:证书文件.key文件:证书的私钥文件(申请证书时如果没有选择自动创建csr,则没有该文件)配置nginx1、在nginx的安装目录下创建cert目录,并且将下载的全部文件拷贝到cert目录中,如果申请证书时是自己创建的csr文件,请将对应的私钥文件放到cert目录下。2、打开nginx安装目录下conf目录中的nginx.conf文件#usernobody;worker_processes1;#error
Java API 开发中使用 Https 进行数据传输Jun 18, 2023 pm 10:43 PM随着科技的发展,网络通信已经成为了现代社会信息传输的重要工具之一。但同时,网络上的信息传输面临着被恶意攻击和窃取的风险,因此安全性显得尤为重要。基于此,HTTPS协议就应运而生。它是在HTTP协议上加入SSL/TLS加密的方式来保证网络传输安全性的一种协议。Java作为一门广泛应用于网络开发的语言,自然也提供了丰富的API来支持HTTPS协议。本文将
nginx如何让浏览器强制跳转HTTPS访问May 15, 2023 pm 02:34 PM效果可以看如下:但是如果我们现在使用http来访问的话,访问不了。如下图所示:因此我现在首先要做的是使用nginx配置下,当用户在浏览器下输入http请求的时候使用nginx重定向到https下即可。因此我们现在需要做一个简单的nginx重定向功能。因此在我们的nginx中需要加如下重定向配置:server{listenxxx.abc.com;server_namexxx.abc.com;rewrite^/(.*)$https://$host$1permanent;}因此nginx主要的配置代码
nginx如何配置SSL证书实现https服务May 15, 2023 pm 03:25 PM假如我现在node基本架构如下:|----项目||---static#存放html文件|||---index.html#index.html||---node_modules#依赖包||---app.js#node入口文件||---package.json||---.babelrc#转换es6文件index.html文件代码如下:nginx配置https欢迎使用https来访问页面app.js代码如下:constkoa=require('koa');constfs
如何在golang中使用正则表达式验证URL地址是否为HTTPS协议Jun 24, 2023 pm 12:05 PMGolang是一种高效的编程语言,经常被用于创建网络应用程序。在网络应用程序中,经常需要对URL地址进行验证,以确保它们符合我们的目标。在这篇文章中,我们将会介绍如何在Golang中使用正则表达式来验证URL地址是否为HTTPS协议。首先,我们需要了解HTTPS协议的URL格式。HTTPS协议的URL从HTTP协议URL中继承了一部分,但是它有一些独特的特征
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
ZendStudio 13.5.1 Mac
Powerful PHP integrated development environment
mPDF
mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),
SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.
WebStorm Mac version
Useful JavaScript development tools
DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software
