Getting to know https

Getting to know https

Why use https?

The difference between https and http is actually the difference between an encryption and a non-encryption. Why should we encrypt? Because the content we transmit is in full plain text on the http protocol, it is very easy to be seen by others (typically ARP spoofing), so the login account, login password and other information in the web page will undoubtedly be exposed.

The https protocol will encrypt the transmitted content, even if it is seen by other people, it does not matter, because there is no key to see the content in the middle.

Encryption algorithm involved in https

  1. Symmetric encryption

Symmetric encryption means that the encryption and decryption keys used by both parties of the encryption are the same. When encrypting relatively large data, it has the advantages of fast encryption, high efficiency, and small amount of calculation. Such as AES, DES.

  1. Asymmetric encryption

Asymmetric encryption has a pair of keys composed of a private key and a public key. The content encrypted by the public and private keys can only be decrypted by the other party, the private key is kept by yourself, and the public key is distributed to everyone for use. The advantage of this encryption is security, because the keys are relative. But the obvious disadvantage is slow.

How http guarantees our transmission security

1. we obtain a codebook (public key + certificate CA) from the server.

Why do I need a certificate? Because we need to confirm whether the password book given to us is regular. The verification (digital signature) of these certificates is built into our browser to prevent tampering by the middleman.

Then we use the public key to encrypt a piece of content on the client . Then send this encrypted content to the server.

After the server receives this piece of content, it uses the private key to decrypt it .

Ha, then both parties have one . In the above, we also learned that the symmetric encryption algorithm is very efficient when encrypting large data.

The server uses to encrypt the content that needs to be transmitted, and the client uses to decrypt the content delivered by the server.

In such an environment, the content of the transmission is guaranteed. This prevents the content we transmit from being viewed and tampered with by others.

Little knowledge

  1. Users can import the root certificate by themselves to ensure the validity of the privately issued certificate.
  2. A man-in-the-middle attack is to tamper with the certificate sent back by the server to decrypt the content sent by the client.
  3. Some mobile phones warn about certificates during HTTPS communication because they do not have a preset root certificate.
  4. https itself is still based on the http protocol, but provides TLS/SSL protocol for security verification at the presentation layer.

Thank you for scanning the QR code and adding a subscription number, and pushing various articles from time to time.