Compared with the insecure HTTP, how does HTTPS ensure network communication security?

HTTP is an excellent communication protocol, but everything has two sides. The protocol also has shortcomings, which are roughly as follows:

  • Communication is in plain text, so the content can be stolen; it is not safe
  • The identity of the communicating party is not verified
  • The integrity of a message cannot be proven, so there is no way to tell whether it has been modified

1. HTTP has no encryption function

The HTTP protocol itself has no encryption function, so it cannot encrypt the content of requests and responses. HTTP messages are in plain text, and data packets can easily be captured while they travel between networks, for example with a packet capture tool such as Wireshark, and then analyzed. Because the messages are transmitted in plain text, content involving important private data such as personal information may be obtained and used by others, causing losses.

2. Encrypt the content

Encrypting content is a good way to protect information. HTTP does not have an encryption mechanism, so a third party is needed to help implement encryption. There are many ways to encrypt content, such as:

  • SHA secure hash algorithm
  • MD5 message-digest algorithm
  • BASE64 (BASE64Encoder, BASE64Decoder classes)
  • RSA asymmetric encryption algorithm
  • DES, etc.

Encryption is mainly divided into two categories, symmetric encryption and asymmetric encryption (we will not discuss encryption in depth here; interested readers can refer to the relevant material).

3. The shortcomings of only encrypting the content

  • Encrypting content does not completely guarantee the security of information: even if the content is encrypted, the data packets can still be stolen, and the encrypted content is still likely to be decrypted.
  • In HTTP communication, requests and responses do not confirm who the communicating parties are, so identity spoofing may occur: is the responding server the real target host, is the response returned to the client that actually made the request, and so on.
  • Although encryption improves the security of messages, it still cannot prove whether the message content has been modified.

Therefore, encrypting only the content is not enough. A more comprehensive security solution is needed, one that ensures not only the security of the content but also the security of the communication itself and other aspects: HTTPS.
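An added example (not from the original article) of the third shortcoming above: a receiver that only decrypts accepts a ciphertext changed in transit without any error, while an HMAC tag over the ciphertext lets it reject the change. The toy XOR stream cipher, the keys and the message are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample keys and message (not from the article).
ENC_KEY, MAC_KEY = b"constructed-enc-key", b"constructed-mac-key"
MESSAGE = b"amount=100"

def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream: SHA-256 over key||counter. Illustration only."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR with the keystream (same operation)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def seal(plaintext: bytes) -> bytes:
    """Encrypt, then append an HMAC-SHA256 tag over the ciphertext."""
    ct = xor_crypt(ENC_KEY, plaintext)
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()

def open_sealed(blob: bytes) -> bytes:
    """Check the tag first; refuse to decrypt a modified message."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was modified")
    return xor_crypt(ENC_KEY, ct)

def modify_in_transit(data: bytes, index: int = 7) -> bytes:
    """Simulate one bit of the message changing on the network."""
    return data[:index] + bytes([data[index] ^ 0x01]) + data[index + 1:]

def encryption_only() -> bytes:
    """Receiver decrypts a modified ciphertext and gets no error at all."""
    return xor_crypt(ENC_KEY, modify_in_transit(xor_crypt(ENC_KEY, MESSAGE)))

def encryption_plus_mac() -> str:
    """Receiver rejects the same modification: the tag no longer matches."""
    try:
        open_sealed(modify_in_transit(seal(MESSAGE)))
        return "accepted"
    except ValueError:
        return "rejected"

print(encryption_only(), encryption_plus_mac())
```

TLS provides this check for every record, which is the "integrity protection" term in the HTTPS formula.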

3. What are SSL and TLS?

Before discussing HTTPS, we need to understand the SSL and TLS protocols.

  • SSL: Secure Sockets Layer, a protocol layer located between the reliable connection-oriented network layer protocol and the application layer protocol.
  • TLS: Transport Layer Security protocol, used to provide confidentiality and data integrity between two applications. The protocol consists of two layers: the TLS record protocol and the TLS handshake protocol.

SSL technology was initially developed by Netscape, which developed the versions before SSL3.0 and then transferred the leadership to the IETF. The IETF developed the TLS protocol based on SSL. The current mainstream versions are SSL3.0 and TLS1.0.

4. Basic concepts of HTTPS

HTTPS is not a new protocol; it replaces the communication interface part of the HTTP protocol with the SSL and TLS protocols. As shown in the following figure:

Analysis: HTTP and TCP communicate directly at first, but now HTTP communicates with SSL first, and then SSL communicates with TCP. It can be understood that HTTP becomes HTTPS by adding an extra layer of SSL protocol.

Below, HTTPS is expressed through a formula: HTTP + encryption + authentication + integrity protection = HTTPS

5. How does HTTPS communicate?

Overview: The HTTPS communication process combines symmetric encryption and asymmetric encryption. When the HTTPS server establishes SSL communication, it will first send its public key to the client. After the client obtains the public key, it negotiates with the server through asymmetric encryption for the symmetric encryption key of the data transmission channel. Once the two parties have negotiated a session key, subsequent data communications will always use the symmetric encryption algorithm based on the session key.

Specific process:

  1. The client sends a message to start SSL communication.
  2. If the server can establish an SSL connection, it sends a response message to the client.
  3. Next, the server sends a Certificate message (containing the public key certificate) to the client.
  4. Finally, the server sends a notification message to the client.
  5. The client generates a random value called the Pre-master secret and responds to the server with a message that contains the Pre-master secret, encrypted with the public key.
  6. The client then sends a message telling the server that all subsequent communication will be encrypted using the Pre-master secret key.
  7. The client sends a Finished message (which contains an overall checksum of the connection so far).
  8. The server also repeats steps 6 and 7 to send the same messages. When the Finished message exchange is completed, the SSL connection is established.
  9. The next step is to make an HTTP request, and the communication will be protected by SSL.
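The exchange above, simulated as an added example (not from the original article): a constructed toy RSA key stands in for the server certificate, the message names are the TLS names for the steps described, and the key derivation is a simplified stand-in for the real TLS function. It shows that both sides reach the same session key, and that the Finished checksum fails when a handshake message was altered in transit.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key pair for the server. The primes are tiny so the
# arithmetic is visible; real certificates carry 2048-bit or larger keys.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q                              # public modulus, sent in Certificate
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, stays on the server

def session_key(pre_master: int) -> bytes:
    """Simplified stand-in for TLS key derivation (not the real PRF)."""
    return hashlib.sha256(b"session" + pre_master.to_bytes(8, "big")).digest()

def finished(key: bytes, sender: bytes, transcript: bytes) -> bytes:
    """Finished value: keyed checksum over every handshake message so far."""
    return hmac.new(key, sender + transcript, hashlib.sha256).digest()

def handshake(modify_hello: bool = False) -> dict:
    # Steps 1-4: client hello, server hello, Certificate, server done.
    client_hello = b"ClientHello:" + secrets.token_hex(8).encode()
    hello_at_server = b"ClientHello:modified" if modify_hello else client_hello
    server_msgs = b"|ServerHello|Certificate:%d,%d|ServerHelloDone|" % (N, E)
    # Step 5: client encrypts a random Pre-master secret with the public key.
    pre_master = secrets.randbits(64)
    key_exchange = b"ClientKeyExchange:%d" % pow(pre_master, E, N)
    # Only the server's private exponent D recovers the Pre-master secret.
    recovered = pow(int(key_exchange.split(b":")[1]), D, N)
    client_key, server_key = session_key(pre_master), session_key(recovered)
    # Each side keeps its own record of the messages it sent and received.
    client_log = client_hello + server_msgs + key_exchange
    server_log = hello_at_server + server_msgs + key_exchange
    # Steps 6-8: both sides switch to the session key and exchange Finished.
    client_ok = hmac.compare_digest(finished(client_key, b"client", client_log),
                                    finished(server_key, b"client", server_log))
    server_ok = hmac.compare_digest(finished(server_key, b"server", server_log),
                                    finished(client_key, b"server", client_log))
    return {"keys_match": client_key == server_key,
            "finished_ok": client_ok and server_ok}

if __name__ == "__main__":
    print(handshake())                   # untouched handshake
    print(handshake(modify_hello=True))  # hello changed in transit
```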

Is using HTTPS perfect?

  • HTTPS is slower than HTTP communication
  • Increased client and server load
  • Purchasing a certificate requires expenses

HTTPS is slower than HTTP because it requires SSL communication in addition to TCP connection and HTTP request response. Secondly, the client and server need to perform encryption and decryption processing. When the number of visits is large, the load will increase compared to HTTP. In addition, HTTPS communication requires the purchase of a certificate, which may not be cost-effective for some services or small websites.

6. In what scenarios is HTTPS more suitable?

In summary, HTTPS is suitable for encrypted communication in services that require high security, such as transaction payment, including some services that may contain personal sensitive information. For non-sensitive information, HTTP communication is used.

7. Conclusion

HTTP is an excellent protocol, but its security is relatively poor for reasons such as its lack of support for encryption. There are many ways to improve security, such as using encryption algorithms to encrypt content. The HTTPS protocol provides a more complete solution. HTTPS is not a new protocol, but a combination of HTTP and SSL/TLS to achieve communication security. However, HTTPS also has its shortcomings, so it must be used sensibly, according to the specific scenario, to get the full benefit of HTTPS.
