Overview of HTTPS and SSL Certificates
Introduction to HTTPS
Hypertext Transfer Protocol Secure (HTTPS, also called HTTP over TLS, HTTP over SSL, or HTTP Secure) is a protocol for secure transmission over a network. Before going into the details, consider the older and more common HTTP protocol. HTTP is the protocol used when browsing web pages. Data carried by HTTP is unencrypted, that is, plaintext, so sending private information over HTTP is very insecure. HTTP communicates on port 80, while HTTPS uses port 443. On a computer network, HTTPS communicates using the Hypertext Transfer Protocol (HTTP) but encrypts the data packets with SSL/TLS. The main purpose of the protocol is to provide identity authentication for the web server and to protect the privacy and integrity of the data exchanged. It was first proposed by Netscape in 1994 and subsequently spread across the internet.
Working Principle of HTTPS
Before transmitting data, HTTPS requires a handshake between the client (browser) and the server (website), during which the encryption parameters for the data transmission are established. The TLS/SSL protocol is not merely a set of encrypted transmission protocols; it is also a meticulously designed work of art. TLS/SSL uses asymmetric encryption, symmetric encryption, and hash algorithms. The handshake process is as follows:
1) The browser sends a set of encryption rules it supports to the website.
2) The website selects a set of encryption algorithms and HASH algorithms from them and sends its identity information back to the browser in the form of a certificate. The certificate contains information such as the website address, encryption public key, and the certificate issuing authority.
3) After obtaining the website certificate, the browser does the following:
a) Verify the legitimacy of the certificate (whether the issuing authority is legitimate, whether the website address contained in the certificate matches the address being visited, and so on). If the certificate is trusted, a padlock icon is shown in the browser address bar; otherwise, an untrusted-certificate warning is displayed.
b) If the certificate is trusted, or the user accepts an untrusted certificate, the browser generates a random password and encrypts it with the public key from the certificate.
c) Hash the handshake message with the agreed hash algorithm, encrypt the message with the generated random password, and finally send everything generated so far to the website.
4) After receiving the data sent by the browser, the website does the following:
a) Decrypt the message with its private key to recover the password, use the password to decrypt the handshake message sent by the browser, and check that its hash matches the one the browser sent.
b) Encrypt a handshake message with the password and send it to the browser.
5) The browser decrypts the handshake message and computes its hash. If it matches the hash sent by the server, the handshake is complete, and all subsequent communication is encrypted with the random password generated by the browser and a symmetric encryption algorithm.
Here the browser and website exchange encrypted handshake messages and verify them to confirm that both sides hold the same password and can encrypt and decrypt correctly; this serves as a test run for the actual data transfer that follows. The encryption and hash algorithms commonly used by HTTPS are:
Asymmetric encryption algorithms: RSA, DSA/DSS
Symmetric encryption algorithms: AES, RC4, 3DES
Hash algorithms: MD5, SHA1, SHA256
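The handshake in steps 1) to 5) above, and the certificate checks of step 3a) together with the certificate fields described in the SSL Certificates section (domain name, validity period, issuing authority, public key), as an added, runnable model in Python. This is illustrative code written for this page, not code from the original article or from any TLS implementation. It assumes a constructed toy PKI: textbook RSA over four known Mersenne primes, an HMAC-SHA256 keystream standing in for AES, a dict standing in for an X.509 certificate, and the hypothetical names `make_pki`, `verify_certificate` and `handshake`. Nothing here is real TLS; the point is the message flow and what the browser checks before it hands the website a password.

```python
# Added model of the article's handshake steps (not the article's own code).
# Constructed toy PKI: textbook RSA on known Mersenne primes, an HMAC-SHA256
# keystream instead of AES, a dict instead of X.509. Not for real use.
import hashlib
import hmac
import json
import secrets

E = 65537  # public exponent; coprime with both phi values below (checked by hand)
# Known Mersenne primes, used so the toy keys are reproducible without a prime generator.
M127, M107, M89, M61 = 2**127 - 1, 2**107 - 1, 2**89 - 1, 2**61 - 1


def rsa_keypair(p, q):
    """Textbook RSA: returns public (n, e) and private (n, d). No padding anywhere."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def rsa_raw(key, m: int) -> int:
    """Raw modular exponentiation; used for encrypt, decrypt, sign and verify."""
    n, exp = key
    assert m < n, "value must be smaller than the modulus"
    return pow(m, exp, n)


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in for the symmetric cipher: HMAC-SHA256 counter keystream XORed with data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, b"keystream" + i.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def cert_bytes(fields: dict) -> bytes:
    """Canonical encoding of the certificate fields, the thing the CA signs."""
    return json.dumps(fields, sort_keys=True).encode()


def cert_digest(fields: dict) -> int:
    # 24-byte digest so the value fits under the ~196-bit toy CA modulus.
    return int.from_bytes(h(cert_bytes(fields))[:24], "big")


def make_pki(host, not_before="2024-01-01", not_after="2025-12-31"):
    """Constructed CA key, website key and CA-signed certificate for `host`."""
    ca_pub, ca_priv = rsa_keypair(M107, M89)
    server_pub, server_priv = rsa_keypair(M127, M61)
    fields = {"subject": host, "issuer": "Toy Root CA", "not_before": not_before,
              "not_after": not_after, "public_key": server_pub}
    cert = {"fields": fields, "signature": rsa_raw(ca_priv, cert_digest(fields))}
    return cert, server_priv, {"Toy Root CA": ca_pub}


def verify_certificate(cert, host, trust_store, today):
    """Step 3a: issuer trusted, name matches the address visited, dates valid, signature ok."""
    fields = cert["fields"]
    ca_pub = trust_store.get(fields["issuer"])
    if ca_pub is None:
        return False, "issuer not in trust store"
    if fields["subject"] != host:
        return False, "certificate name does not match the address being visited"
    if not (fields["not_before"] <= today <= fields["not_after"]):
        return False, "certificate outside its validity period"
    if rsa_raw(ca_pub, cert["signature"]) != cert_digest(fields):
        return False, "CA signature does not verify"
    return True, "ok"


def handshake(host, cert, server_priv, trust_store, today):
    """Runs steps 1) to 5) with browser and website both in-process."""
    # 1) browser offers its cipher suites; 2) website picks one and sends its certificate
    transcript = b"suites:TOY-RSA-STREAM-SHA256" + b"chosen:TOY-RSA-STREAM-SHA256" + cert_bytes(cert["fields"])
    # 3a) browser checks the certificate before trusting the public key inside it
    ok, reason = verify_certificate(cert, host, trust_store, today)
    if not ok:
        return {"ok": False, "reason": reason}
    # 3b) browser makes a random password and encrypts it with the certificate's public key
    password = secrets.token_bytes(16)
    encrypted_password = rsa_raw(cert["fields"]["public_key"], int.from_bytes(password, "big"))
    # 3c) browser encrypts the hash of the handshake so far with the password and sends it
    client_finished = xor_stream(password, h(transcript))
    # 4a) website recovers the password with its private key and checks the hash
    server_password = rsa_raw(server_priv, encrypted_password).to_bytes(16, "big")
    if xor_stream(server_password, client_finished) != h(transcript):
        return {"ok": False, "reason": "client handshake hash mismatch"}
    # 4b) website answers with its own encrypted handshake hash
    transcript += client_finished
    server_finished = xor_stream(server_password, h(transcript))
    # 5) browser checks it; from here on both sides encrypt with the same password
    if xor_stream(password, server_finished) != h(transcript):
        return {"ok": False, "reason": "server handshake hash mismatch"}
    return {"ok": True, "reason": "ok", "key_match": password == server_password}


if __name__ == "__main__":
    cert, priv, store = make_pki("www.example.com")
    print(handshake("www.example.com", cert, priv, store, "2024-06-01"))   # ok
    print(handshake("other.example.net", cert, priv, store, "2024-06-01"))  # name mismatch
    print(handshake("www.example.com", cert, priv, {}, "2024-06-01"))      # untrusted issuer
```

The three checks in `verify_certificate` are the ones the article lists for step 3a; the signature check is what stops a certificate from simply being relabelled with another domain, since the CA's signature covers the subject name and the public key together.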
The communication timing diagram corresponding to HTTPS is as follows:
Differences between HTTPS protocol and HTTP protocol:
The HTTPS protocol requires obtaining a certificate from a CA; free certificates are few, so one generally has to pay.
HTTP is the Hypertext Transfer Protocol, which transmits information in plaintext, while HTTPS is a secure, SSL-encrypted transmission protocol.
HTTP and HTTPS use completely different connection methods and ports, the former being 80, and the latter being 443.
The HTTP connection is very simple and stateless.
The HTTPS protocol is a network protocol built from SSL plus HTTP that provides encrypted transmission and identity authentication, and is therefore more secure than HTTP.
SSL Certificates
From the discussion above, the core of HTTPS is the handshake before data transmission, in which the password used to encrypt the data is determined. During the handshake, the website sends an SSL certificate to the browser. An SSL certificate is like the ID card we use every day: it serves as proof of identity for an HTTPS website. The certificate contains the website's domain name, the certificate's validity period, the issuing authority, and the public key used to encrypt the transmission password. Since a password encrypted with the public key can only be decrypted by the