The interviewer asked how HTTPS was transferred from HTTP, I was a little confused
After all, this time is also the golden season for the
"Golden Nine, Silver and Ten" interviews. Of course Ah Fan also wants
to go to the interview, but because of her own limitations, she can only
interview the students who went out for the interview to ask what content, one
of them, Ah Fan feels it is necessary to share with you, that is, to ask about the
content of HTTP.
After all, this time is also the golden season for the
"Golden Nine, Silver and Ten" interviews. Of course Ah Fan also wants
to go to the interview, but because of her own limitations, she can only
interview the students who went out for the interview to ask what content, one
of them, Ah Fan feels it is necessary to share with you, that is, to ask about
the content of HTTP.
HTTP
HTTP protocol is the abbreviation of Hyper Text Transfer
Protocol (Hyper Text Transfer Protocol), which is a transfer protocol used to
transfer hypertext from a World Wide Web server to a local browser. HTTP is
based on the TCP/IP protocol communication protocol to transfer data (HTML
files, picture files, query results, etc.). It does not involve packet transmission,
and mainly specifies the communication format between the client and the
server, and port 80 is used by default.
This is actually the simplified content in Baidu
Encyclopedia. Although it is not too detailed, it is already a general
description of HTTP. Let's take a look at this HTTP from the following aspects.
We won’t explain more about HTTP message and body from here.
A fan has explained it to you completely before, including the evolution
history of HTTP. Today, A fan, let’s talk about the relationship between HTTP
and HTTPS.
HTTP disadvantages
As we all know, there are a lot of advantages of HTTP:
Simple, flexible and easy to expand
Wide application and mature environment
Stateless (no additional resources are required to record
state information)
But the shortcomings of HTTP are also very significant. Why
do you say that HTTP uses plaintext for transmission. Although it is convenient
for our debugging, the information will be exposed, and there is no privacy in
every link.
And in our perception, HTTP is insecure. The first reason is
the plaintext mentioned above, and the other is that HTTP does not verify the
identity of the communicating parties, so the identity of the other party may
be disguised, just like some public places. Those public WIFI, and HTTP cannot
verify the integrity of the message, so the message may also be tampered with.
Based on these contents, we often choose HTTP more
carefully, otherwise when you transmit content, others can easily analyze the
content you want to transmit by using a packet capture tool.
At this time, we thought of one thing. Wouldn't it be enough
to encrypt it?
Yes, there is no problem at all. HTTP does not have an
encryption mechanism, but we can find a way to deal with it. This way is:
SSL or TLS
SSL: Secure Socket Layer
TLS: Security Layer Transport Protocol
When they are used in combination, the content of HTTP
communication can be encrypted, and communication can be carried out on this
line at this time. The combined use of HTTP through SSL is called HTTPS or HTTP
overSSL.
HTTPS
In the vernacular, HTTP is HTTPS after encryption,
authentication, and integrity protection.
The easiest way to distinguish HTTPS is to see a small lock
logo when you visit in the browser.
Don’t over 90% of the websites now use HTTPS?
Let's use a packet capture tool to look at the transmission
content of HTTPS and try.
We saw the TLS version and the random number that Afan did
not have on the screenshot.
At this time we have to fully analyze the HTTPS secure
communication mechanism. Take a look at a picture and then we will use our
packet capture tool for analysis.
上面這是
HTTPS 的安全通信的機制,我們分別來看看都乾了什麼。
The first step: Client Hello
The client starts the SSL/TSL communication by sending a Client Hello message. It contains a series of contents such as the version of SSL/TSL, the encryption method used and so on.
Step 2: Server Hello
The server determines the SSL/TLS protocol version used by
comparing it with its own version according to the supported SSL/TLS protocol
version sent by the client. Disadvantages such as the masked algorithm.
Step 3: The server sends a Certificate message, which
contains the public key certificate.
The purpose of the certificate is actually to ensure the
identity of the logo, and the certificate generally adopts the X.509 standard.
Step 4: Server Key Exchange
The server sends a Server Hello Done message to request the
client, and the first phase of the SSL/TSL handshake negotiation part ends.
There are also many people who are accustomed to saying that
the fourth step is Server Hello Done. In fact, when we captured the packet, we
found that they were in a request. Let's take a look at the packet and try it
later. Server Hello Done is actually equivalent to telling you that I have
finished sending it here.
Step 5: Client Key Exchange
After completing the first handshake of SSL/TSL, the client
sends a Client Key Exchange message as a response, which is actually to
exchange secret key parameters.
Here, the client will generate a random number again, and
then use the public key from the server to encrypt it to get the ciphertext
PreMaster Key. After the server receives this value, it uses the private key to
decrypt it, so that the secret keys on both sides can be negotiated. Later data
transmission can be encrypted and decrypted with the negotiated secret key.
Step 6: Change Cipher Spec
The client sends a Change Cipher Spec message, prompting the
server to change the encoding, which means that when we send messages in the
future, I use the key we defined before for encryption.
Step 7: Client Finished
The client generates a summary of the previous handshake
message and then encrypts it with the negotiated secret key. This is the first
encrypted message sent by the client. This step is also a more critical step.
The success of this operation depends on whether the server is successful. The
message can be successfully decrypted this time as a basis for judgment.
Step 8: The server sends Change Cipher Spec
Step 9: The server sends the Server Finished message
In fact, the function is similar to Client.
Step 10: The Finished exchange between the server and the
client is completed. At this time, the SSL/TSL connection is OK, and the
message sent is completely called HTTPS.
The last is the content of data transmission.
Since HTTPS is safe, why not use it widely?
In fact, encrypted communication protects the privacy of
data to a certain extent, but the efficiency is relatively low. Every
communication must be encrypted, which consumes resources. If it contains some
money, then encrypted communication must be used, and the main certificate must
be charged. Ah.
If you want to use it, you definitely need a certificate. Just like when you are doing WeChat payment, don't you also need to buy a certificate. Generally, it costs hundreds of dollars a year. So do you know the relationship between HTTP and HTTPS?