
Do you really know HTTP and HTTPS? Wan Zichang Wen takes you to understand HTTP!

2021-08-23 17:58:09 CS pull cycle



HTTP


A brief look at the HTTP protocol

  • HTTP (HyperText Transfer Protocol) is an application-layer transport protocol built on TCP. In short, it is a set of rules for transmitting data between a client and a server.

Note: the roles of client and server are not fixed. The end that acts as the client in one request may act as the server in another; it depends on who originates the request. The HTTP protocol belongs to the application layer and is built on top of the transport-layer protocol TCP. The client establishes a TCP connection with the server, then sends the HTTP request and receives the HTTP response; both are done by calling the TCP protocol through the Socket interface.

  • HTTP is a stateless protocol: the protocol itself does not persist the requests it has sent or the corresponding communication state. This keeps HTTP simple, so that a large number of transactions can be processed quickly and efficiently.

Protocol

  • A protocol specifies the data transmission format that both communicating parties must follow, so that both sides can communicate accurately according to the agreed format.

Stateless

  • Stateless means that there is no relationship between two connections: each one is a new connection, and the server does not record the requests that came before or after it.

Client/server model


Seven-layer network model



How HTTP works

  • The HTTP protocol defines how a Web client requests Web pages from a Web server and how the server delivers Web pages to the client. HTTP uses a request/response model. The client sends a request message to the server; the request message contains the request method, the URL, the protocol version, request headers and request data. The server answers with a status line; the response includes the protocol version, a success or error code, server information, response headers and response data.

The HTTP request/response steps are as follows:

  1. The client connects to the Web server: an HTTP client, usually a browser, establishes a TCP socket connection to the HTTP port of the Web server (port 80 by default), for example http://www.baidu.com.

  2. Send the HTTP request: through the TCP socket, the client sends a text request message to the Web server. A request message consists of four parts: the request line, the request headers, a blank line and the request data.

  3. The server accepts the request and returns an HTTP response: the Web server parses the request and locates the requested resource. The server writes a copy of the resource to the TCP socket, where the client reads it. A response consists of four parts: the status line, the response headers, a blank line and the response data.

  4. Release the TCP connection: if the connection mode is close, the server closes the TCP connection and the client passively closes its side, releasing the TCP connection; if the connection mode is keepalive, the connection is kept open for a period of time and can continue to receive requests during that time.

  5. The client browser parses the HTML content: the client browser first parses the status line and checks the status code that indicates whether the request succeeded. It then parses each response header; the response headers tell it how many bytes of HTML document follow and the document's character set. The client browser reads the HTML response data, formats it according to the HTML syntax, and displays it in the browser window.

For example, typing a URL into the browser address bar and pressing Enter goes through the following process:

  • The browser asks the DNS server to resolve the domain name in the URL to an IP address;
  • Once the IP address is known, the browser establishes a TCP connection to the server at that IP address on the default port 80;
  • The browser sends an HTTP request to read the file (the one identified by the part of the URL after the domain name); the request message is sent to the server as the data of the third message of the TCP three-way handshake;
  • The server responds to the browser's request and sends the corresponding HTML text to the browser;
  • The TCP connection is released;
  • The browser parses the HTML text and displays the content.
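The five steps above (connect over TCP, send the four-part request, read the four-part response, release the connection) as a minimal Python client, written here as an added example and not code from the original post. It uses only the standard library; run_local_demo() starts a throwaway local server on 127.0.0.1 (constructed for the demo) so the whole exchange can be observed offline.

```python
import socket
from urllib.parse import urlsplit

DEFAULT_PORT = 80  # the default HTTP port named in step 1


def build_request(url, method="GET", body=None, keep_alive=False):
    """Build the text request message: request line, headers, blank line, body (step 2)."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    host = parts.hostname + (f":{parts.port}" if parts.port else "")
    lines = [
        f"{method} {target} HTTP/1.1",
        f"Host: {host}",
        "Connection: " + ("keep-alive" if keep_alive else "close"),
    ]
    data = b""
    if body is not None:
        data = body.encode()
        lines.append("Content-Type: application/x-www-form-urlencoded")
        lines.append(f"Content-Length: {len(data)}")  # server needs this to delimit the body
    # The blank line between headers and body is mandatory even when the body is empty.
    return "\r\n".join(lines).encode() + b"\r\n\r\n" + data


def parse_response(raw):
    """Split a response into status line, headers and body (steps 3 and 5)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    fields = lines[0].split(" ", 2)          # "HTTP/1.1 200 OK"
    version, code = fields[0], int(fields[1])
    reason = fields[2] if len(fields) > 2 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:          # only trust as many bytes as the header announces
        body = body[: int(headers["content-length"])]
    return {"version": version, "status": code, "reason": reason,
            "headers": headers, "body": body}


def fetch(url, method="GET", body=None, timeout=5.0):
    """Steps 1-4: connect, send, read until the server closes (Connection: close), release."""
    parts = urlsplit(url)
    with socket.create_connection((parts.hostname, parts.port or DEFAULT_PORT), timeout=timeout) as sock:
        sock.sendall(build_request(url, method, body))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:                    # empty read: the server closed the TCP connection
                break
            chunks.append(chunk)
    return parse_response(b"".join(chunks))


def run_local_demo():
    """Serve one constructed HTML page from a local thread and fetch it with the client above."""
    import threading
    from http.server import BaseHTTPRequestHandler, HTTPServer

    class Handler(BaseHTTPRequestHandler):
        protocol_version = "HTTP/1.1"

        def do_GET(self):
            payload = b"<html>hello</html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)

        def log_message(self, *args):        # keep the demo quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)   # port 0: let the OS pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return fetch(f"http://127.0.0.1:{server.server_port}/index.html?q=1")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_local_demo())
```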

The HTTP protocol is an application-layer protocol on top of the TCP/IP protocol.

Based on the request/response pattern

  • The HTTP protocol stipulates that the request is issued by the client and that the server side finally responds to it and returns a result. In other words, communication must start from the client; the server sends no response until it has received a request.

Stateless

  • HTTP is a protocol that does not save state, i.e. a stateless protocol. The HTTP protocol does not save the communication state between request and response. That is, at the HTTP level the protocol does not persist the requests or responses it has sent.


  • With the HTTP protocol, whenever a new request is sent, a corresponding new response is produced. The protocol itself retains none of the previous request or response messages. This is done so that a large number of transactions can be processed faster and the protocol stays scalable; HTTP was deliberately designed to be this simple. However, as the Web has developed, more and more business logic has become awkward to implement because of statelessness. For example, after a user logs in to a shopping site, the site needs to keep them logged in even as they jump to other pages. To know who sent each request in cases like this, the user's state must be saved. Although HTTP/1.1 is a stateless protocol, Cookie technology was introduced to achieve the desired state-keeping function. Using Cookies together with HTTP communication makes it possible to manage state. The details of Cookies are explained later.

Connectionless

  • Connectionless means that each connection is limited to one request. Once the server has completed the client's request and received the client's response, it disconnects. This saves transmission time and improves concurrency: the server cannot keep a long-term connection with every user, so one request corresponds to one response, after which the server and the client part ways. There are two forms of connectionless behaviour. In the early HTTP protocol the connection was dropped right after one request and one response. HTTP/1.1 does not disconnect immediately; it waits a few seconds for the user's next operation. If the user issues a new request within those seconds, the messages are sent and received over the previous connection channel; if no new request arrives within those seconds, the connection is closed. This improves efficiency and reduces the number of connections established in a short period, because establishing a connection is itself time-consuming. The default seems to be 3 seconds now, but this time can be adjusted in our back-end code, calculating an optimal waiting time from the behaviour of our own site's users.

Five characteristics of HTTP

  1. Supports the client/server mode.

  2. Simple and fast: when a client requests a service from the server, it only needs to send the request method and path. Common request methods are GET, HEAD and POST. Each method specifies a different kind of contact between client and server. Because the HTTP protocol is simple, the program size of an HTTP server is small, so communication is fast.

  3. Flexible: HTTP allows any type of data object to be transferred. The type being transmitted is marked by Content-Type.

  4. Connectionless: connectionless means each connection is limited to one request. Once the server has completed the client's request and received the client's response, it disconnects. This saves transmission time. The early reason for this was that few resources were requested and speed was the goal. Later, Connection: Keep-Alive was adopted to implement long connections.

  5. Stateless: HTTP is a stateless protocol. Stateless means the protocol has no memory of transactions. The lack of state means that if earlier information is needed for later processing, it must be retransmitted, which may increase the amount of data transferred per connection. On the other hand, the server responds quickly when it does not need earlier information.


The difference between URI and URL

URI stands for Uniform Resource Identifier; it is used to uniquely identify a resource.

  • Every resource available on the Web, such as HTML documents, images, video clips and programs, is located by a URI.

A URI generally consists of three parts:

  1. The naming mechanism used to access the resource
  2. The host name of the resource
  3. The name of the resource itself, represented by a path, with the emphasis on the resource.

URL stands for Uniform Resource Locator. It is a concrete URI: a URL can be used to identify a resource and also shows how to locate that resource.

A URL is a string used on the Internet to describe information resources, mainly in the various WWW client and server programs, most famously Mosaic.

  • With a URL, a uniform format can describe all kinds of information resources, including files, server addresses and directories.

A URL generally consists of three parts:

  1. The protocol (or service mode)
  2. The IP address of the host holding the resource (sometimes including a port number)
  3. The specific address of the resource on the host, such as directory and file name

URN stands for Uniform Resource Name; resources are identified by their names, for example mailto:[email protected]

  • A URI defines uniform resource identification as an abstract, high-level concept, while URL and URN are specific ways of identifying resources. URL and URN are both kinds of URI. Broadly speaking, every URL is a URI, but not every URI is a URL, because URI also includes a subclass, the Uniform Resource Name (URN), which names a resource without specifying how to locate it. The mailto, news and isbn URIs above are all examples of URNs.

  • In Java's URI class, a URI instance can be absolute or relative, as long as it follows the URI grammar rules. The URL class, by contrast, is not only semantic: it also contains the information needed to locate the resource, so it cannot be relative.

  • In the Java class library, the URI class contains no methods for accessing the resource; its only function is parsing.

  • By contrast, the URL class can open a stream to the resource.


URL

  • HTTP uses Uniform Resource Identifiers (URIs) to transfer data and establish connections. A URL is a special type of URI that contains enough information to find a resource.

URL composition


URL, in full Uniform Resource Locator, is the address used to identify a resource on the Internet. Taking this URL as an example, the common components of a URL are introduced:

From the URL above it can be seen that a complete URL includes the following parts:

  1. Protocol part: the protocol part of this URL is "http:", which means the page uses the HTTP protocol. Many protocols can be used on the Internet, such as HTTP, FTP and so on; in this example the HTTP protocol is used. "HTTP" is followed by the "//" separator.

  2. Domain name part: the domain name part of this URL is "www.aspxfans.com". In a URL, an IP address can also be used as the domain name.

  3. Port part: the port follows the domain name, separated from it by ":". The port is not a necessary part of a URL; if it is omitted, the default port is used (the link here uses the default port).

  4. Virtual directory part: from the first "/" after the domain name up to the last "/" is the virtual directory part. The virtual directory is not a necessary part of a URL. This example has no virtual directory.

  5. File name part: from the last "/" after the domain name up to "?" is the file name part; if there is no "?", it runs from the last "/" after the domain name up to "#"; if there is neither "?" nor "#", it runs from the last "/" after the domain name to the end. The file name in this example is "weixin_45692705". The file name part is not a necessary part of a URL; if it is omitted, the default file name is used.

  6. Anchor part: from "#" to the end is the anchor part. This example has no anchor part. The anchor part is not a necessary part of a URL.

  7. Parameter part: the part from "?" to "#" is the parameter part, also known as the search part or query part. The parameter part in this example is "spm=1011.2124.3001.5343". There can be more than one parameter, separated by "&".
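The seven-part split described above, implemented as an added Python example (not code from the original post). The sample URL is constructed for the demo, reusing the domain, file name and parameter from the text; user-info (user:pass@) and IPv6 hosts are outside the page's rules and are not handled.

```python
import re

# Constructed sample URL, assembled from the parts the text mentions plus a port, directory and anchor.
SAMPLE_URL = "http://www.aspxfans.com:8080/news/weixin_45692705?spm=1011.2124.3001.5343&page=1#top"


def split_url(url):
    """Split a URL into protocol, domain, port, virtual directory, file name, parameters and anchor."""
    protocol, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("URL must start with a protocol followed by ://")
    # Anchor: from "#" to the end (optional). Removed first so '?' inside it is not misread.
    rest, _, anchor = rest.partition("#")
    # Parameters: from "?" up to "#" (optional).
    rest, _, query = rest.partition("?")
    # Domain name, optional ":port", optional path starting at the first "/".
    m = re.match(r"([^/:]+)(?::(\d+))?(/.*)?$", rest)
    if not m:
        raise ValueError("cannot find the domain name part")
    domain, port, path = m.group(1), m.group(2), m.group(3) or ""
    # Virtual directory: first "/" up to and including the last "/"; file name: what follows it.
    if path:
        last = path.rfind("/")
        virtual_dir, filename = path[: last + 1], path[last + 1:]
    else:
        virtual_dir, filename = "", ""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = value
    return {
        "protocol": protocol,
        "domain": domain,
        "port": int(port) if port else None,   # None means "use the default port"
        "virtual_dir": virtual_dir,
        "filename": filename,
        "params": params,
        "anchor": anchor,
    }


if __name__ == "__main__":
    for name, value in split_url(SAMPLE_URL).items():
        print(f"{name:12} {value!r}")
```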


The request message (Request)

  • The HTTP request message a client sends to the server has the following format: request line, request headers, request body

HTTP request message structure

  • The request line begins with the method token, followed, separated by spaces, by the request URI and the protocol version.


  • First part: the request line, which describes the request type, the resource to be accessed and the HTTP version. GET indicates that the request type is GET, [/department/87423/users] is the resource to be accessed, and the last part of the line states that HTTP version 1.1 is used.

  • Second part: the request headers, the section following the request line (the first line), which describes additional information for the server to use. The request headers start from the second line. HOST indicates the destination of the request. User-Agent can be accessed by both server-side and client-side scripts and is an important basis for browser-type detection logic; this information is defined by your browser and sent automatically in every request, and so on.

  • Third part: a blank line. The blank line after the request headers is required, even when the request data in the fourth part is empty.

  • Fourth part: the request data, also called the body; any other data can be added here. The request data in this example is name=flyhero.

The response message (Response)

  • In general, after the server receives and processes the client's request it returns an HTTP response message.

The format of the server's response to the client: status line, response headers, response body

HTTP response message structure

  • First part: the status line, made up of three parts: the HTTP protocol version, the status code and the status message. The first line is the status line: (HTTP/1.1) indicates HTTP version 1.1, the status code is 200 and the status message is (ok)

  • Second part: the message headers, which describe additional information for the client to use. The second and third lines are message headers. Date: the date and time at which the response was generated; Content-Type: specifies the MIME type HTML (text/html) and the encoding type UTF-8

  • Third part: a blank line; the blank line after the message headers is necessary

  • Fourth part: the response content, the text returned by the server to the client: {"name":"flyhero","id":"push-code"}


Status codes

  • An HTTP status code consists of three decimal digits. The first digit defines the class of the status code; the last two digits play no role in the classification. HTTP status codes are divided into 5 classes:

  • 1**: Informational. The server has received the request and requires the requester to continue
  • 2**: Success. The operation was received and processed successfully
  • 3**: Redirection. Further action is required to complete the request
  • 4**: Client error. The request contains a syntax error or could not be completed
  • 5**: Server error. The server encountered an error while processing the request

More detailed status codes can be found at HTTP status codes: https://www.runoob.com/http/http-status-codes.html

Usually we only need to know a few common ones, such as:

  • 200: client request successful
  • 400: the client request has a syntax error and cannot be understood by the server
  • 401: the request is not authorized; this status code must be used together with the WWW-Authenticate header field
  • 403: the server received the request but refuses to provide the service
  • 404: the requested resource does not exist, e.g. a mistyped URL
  • 500: an unexpected error occurred on the server
  • 502: the server is currently unable to process the client's request; it may return to normal after some time

Request methods

  • As of HTTP/1.1 there are the following methods:

  • GET: a GET request displays the resource specified by the request. Generally, the GET method should only be used for reading data and should not be used for non-idempotent operations that have side effects. What it expects should be safe and idempotent; safe here means that the request does not affect the state of the resource.
  • POST: submits data to the specified resource for processing (for example submitting a form or uploading a file). The data is contained in the request body. A POST request may lead to the creation of new resources and/or the modification of existing resources.
  • PUT: a PUT request uploads the latest content to the specified resource location; the PUT method is idempotent. With this method the client can send the latest data for the specified resource to the server, replacing the resource's content.
  • PATCH: the PATCH method appeared later; it was defined in the RFC 5789 standard in 2010. A PATCH request is similar to a PUT request and is also used to update a resource. There are two differences between them: 1. PATCH is generally used for partial updates of a resource, while PUT is generally used for updating the resource as a whole. 2. When the resource does not exist, PATCH creates a new resource, while PUT only updates existing resources.
  • DELETE: a DELETE request asks the server to delete the resource identified by the request URI (Uniform Resource Identifier). The specified resource is deleted after a DELETE request; the DELETE method is idempotent.
  • OPTIONS: allows the client to view the capabilities of the server.
  • CONNECT: reserved in the HTTP/1.1 protocol for proxy servers that can switch the connection to pipeline mode.
  • HEAD: similar to a GET request, but the returned response contains no body; used to obtain the headers.
  • TRACE: echoes the request received by the server; mainly used for testing or diagnosis.

Notes:

  1. Method names are case sensitive. When the resource targeted by a request does not support the corresponding request method, the server should return status code 405 (Method Not Allowed); when the server does not know or support the request method, it should return status code 501 (Not Implemented).

  2. An HTTP server should implement at least the GET and HEAD methods; the other methods are optional. Of course, every method it does implement should match the semantic definitions of the methods above. In addition to the methods above, a specific HTTP server can also extend custom methods, for example PATCH (the method specified by RFC 5789), which applies partial changes to a resource.

Differences between GET and POST requests

  • GET request
GET /books/?sex=man&name=Professional HTTP/1.1
Host: www.wrox.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1
Connection: Keep-Alive

Note that the last line is empty

  • POST request
POST / HTTP/1.1
Host: www.wrox.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
Connection: Keep-Alive

name=Professional%20Ajax&publisher=Wiley

1. GET submission: the request data is appended to the URL (that is, the data is placed in the HTTP protocol header), with ? separating the URL from the transmitted data and multiple parameters joined with &, for example: login.action?name=hyddd&password=idontknow&verify=%E4%BD%A0%E5%A5%BD. English letters and digits are sent as they are; a space is converted to +; Chinese and other characters are BASE64-encoded as strings, giving something like %E4%BD%A0%E5%A5%BD, where the XX in %XX is the hexadecimal ASCII of the symbol.

POST submission: the submitted data is placed in the body of the HTTP packet. In the example above, the line name=Professional%20Ajax&publisher=Wiley (shown in red in the original) is the actual transmitted data.

  • Therefore data submitted by GET is shown in the address bar, while with a POST submission the address bar does not change

2. Size of the transmitted data

First, to be clear: the HTTP protocol does not limit the size of the transferred data, and the HTTP protocol specification places no restriction on URL length. In actual development the main constraints are:

  • GET: specific browsers and servers limit the URL length; for example, IE limits URLs to 2083 bytes (2K+35). Other browsers, such as Netscape and FireFox, have no length limit in theory; their limit depends on the operating system's support. So for GET submissions the transmitted data is subject to the URL length limit.

  • POST: because the values are not passed through the URL, in theory the data is not limited. In practice, though, every Web server limits the size of data submitted by POST; Apache and IIS6 each have their own configuration.

3. Security

  • POST is more secure than GET. For example, when data is submitted via GET, the user name and password appear in clear text in the URL, because (1) the login page may be cached by the browser and (2) others can view the browser history, so someone else can obtain your account and password. In addition, submitting data with GET may also lead to cross-site request forgery attacks.

4. HTTP get, post and soap all run on top of http

  1. get: the request parameters are attached to the URL as a sequence of key/value pairs (the query string). The length of the query string is limited by the web browser and web server (IE supports at most 2048 characters, for example), so it is not suitable for transferring large data sets, and it is not secure

  2. post: the request parameters are transmitted in a different part of the HTTP message (known as the entity body). This part is used to transmit form information, so Content-Type must be set to application/x-www-form-urlencoded. post was designed to support user fields on web forms, and its parameters are also transmitted as key/value pairs. However, it does not support complex data types, because post defines no semantics or rules for transferring data structures.

  3. soap: a dedicated version of http post that follows a special XML message format; Content-Type is set to text/xml. Any data can be turned into XML.

  • The HTTP protocol defines many ways to interact with the server. The most basic are 4: GET, POST, PUT and DELETE. A URL address describes a resource on the network, and GET, POST, PUT and DELETE in HTTP correspond to the 4 operations of querying, changing, adding and deleting that resource. The most common are GET and POST. GET is generally used to obtain/query resource information, and POST is generally used to update resource information.

Let's look at the differences between GET and POST

  1. Data submitted by GET is placed after the URL, with ? separating the URL from the transmitted data and & joining the parameters, such as EditPosts.aspx?name=test1&id=123456. POST places the submitted data in the body of the HTTP packet.

  2. The size of data submitted by GET is limited (because the browser limits URL length), while POST submits unlimited data.

  3. With GET, Request.QueryString is needed to obtain a variable's value, while POST uses Request.Form to obtain the variable's value.

  4. Submitting data with GET has security issues. On a login page, for example, when data is submitted via GET the user name and password appear in the URL; if the page can be cached or someone else can access the machine, the user's account and password can be obtained from the history.
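The encoding rules and the Request.QueryString / Request.Form split discussed in points 1 and 3 above, as an added Python example (not code from the original post). query_string() and form() are stand-ins for those two ASP.NET properties; the two raw requests are constructed from the page's GET and POST samples, so the same decoding applies to %E4%BD%A0%E5%A5%BD and to the %20 in the POST body.

```python
from urllib.parse import parse_qs, urlencode

# Constructed raw requests, modelled on the GET and POST samples shown earlier on this page.
GET_REQUEST = (
    b"GET /login.action?name=hyddd&password=idontknow&verify=%E4%BD%A0%E5%A5%BD HTTP/1.1\r\n"
    b"Host: www.wrox.com\r\nConnection: Keep-Alive\r\n\r\n"
)
POST_REQUEST = (
    b"POST / HTTP/1.1\r\nHost: www.wrox.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 40\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
    b"name=Professional%20Ajax&publisher=Wiley"
)


def encode_form(fields):
    """Browser-style encoding: letters/digits untouched, space -> '+', other characters -> %XX per UTF-8 byte."""
    return urlencode(fields)


def parse_request(raw):
    """Split a raw request into (method, target, version, headers, body); body is cut to Content-Length."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", 0))
    if len(body) < length:
        # A truncated body must not be processed as if it were complete.
        raise ValueError("incomplete body: Content-Length not satisfied")
    return method, target, version, headers, body[:length]


def query_string(target):
    """Request.QueryString analogue: the key/value pairs after '?' in the request target."""
    _, _, qs = target.partition("?")
    return {k: v[0] for k, v in parse_qs(qs, keep_blank_values=True).items()}


def form(headers, body):
    """Request.Form analogue: key/value pairs from an application/x-www-form-urlencoded body."""
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return {}
    return {k: v[0] for k, v in parse_qs(body.decode("ascii"), keep_blank_values=True).items()}


def extract_params(raw):
    """Return (method, params): GET parameters live in the URL, POST parameters in the body.
    Only the GET form ends up in the address bar, browser history and server access logs."""
    method, target, _, headers, body = parse_request(raw)
    if method == "POST":
        return method, form(headers, body)
    return method, query_string(target)


if __name__ == "__main__":
    print(encode_form({"name": "Professional Ajax", "verify": "你好"}))
    print(extract_params(GET_REQUEST))
    print(extract_params(POST_REQUEST))
```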


Common request and response headers

  • Content-Type: the type of the request/response body, e.g. text/html, application/json
  • Accept: declares the types the sender accepts; it can hold several values separated by , (a half-width comma)
  • Content-Length: the length of the request/response body, in bytes
  • Content-Encoding: the encoding of the request/response body, e.g. gzip, deflate
  • Accept-Encoding: tells the other side which Content-Encoding values we accept
  • ETag: an identifier for the current resource; used together with Last-Modified, If-None-Match and If-Modified-Since for cache control
  • Cache-Control: the value is generally no-cache or max-age=XX, where XX is an integer giving the resource's cache validity (in seconds)

  • Note: Content-Type, the content type, generally refers to the Content-Type present in the message; it defines the type of network file and the encoding of the web page, and determines in what form and with what encoding the browser reads the file.

Common media formats are as follows (Content-Type / Mime-Type and description):

  • text/html: HTML format
  • text/plain: plain text format
  • text/xml: XML format
  • image/gif: gif image format
  • image/jpeg: jpg image format
  • image/png: png image format

Media format types beginning with application:

  • application/xml: XML data format
  • application/json: JSON data format
  • application/pdf: pdf format
  • application/msword: Word document format
  • application/octet-stream: binary stream data (such as an ordinary file download)
  • application/x-www-form-urlencoded: form data encoded as key/value pairs and sent to the server (the default format for data submitted by a form)
  • multipart/form-data: required when the form needs to upload files

Request headers

  • Authorization: used to set authentication information
  • User-Agent: identifies the user agent, e.g. OS and browser type and version
  • If-Modified-Since: the value is the Last-Modified value the server returned last time; used to check whether a resource has changed, and if it has not (304) it is read from the cache
  • If-None-Match: the value is the ETag value the server returned last time; usually sent together with If-Modified-Since
  • Cookie: the existing Cookie
  • Referer: indicates which address the request came from; for example, when jumping from page A to page B, the value is the address of page A
  • Host: the requested host and port number

Common response headers

  • Date: the server's date
  • Last-Modified: when the resource was last modified
  • Transfer-Encoding: the value is generally chunked; appears when Content-Length is uncertain, meaning the server does not know the size of the response data; a Content-Encoding response header is usually present as well
  • Set-Cookie: sets a Cookie
  • Location: redirects to another URL. When you type baidu.com into a browser and press Enter, it automatically jumps to https://www.baidu.com ; that is done through this response header
  • Server: the back-end server
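The ETag / If-None-Match and Last-Modified / If-Modified-Since cache check described in the header tables above, written as a small server-side handler. This is an added Python example, not code from the original post; Resource and the sample page are constructed for the demo, and the ETag is derived from the body so it changes whenever the content does.

```python
import hashlib
from email.utils import formatdate, parsedate_to_datetime


class Resource:
    """Constructed sample resource: a body plus its last-modified time (seconds since the epoch)."""

    def __init__(self, body, last_modified):
        self.body = body
        self.last_modified = last_modified

    @property
    def etag(self):
        # Strong validator tied to the content: any change to the body changes the tag.
        return '"%s"' % hashlib.sha256(self.body).hexdigest()[:16]


def respond(resource, request_headers, max_age=60):
    """Return (status, headers, body), answering 304 when the client's copy is still current."""
    h = {k.lower(): v for k, v in request_headers.items()}
    validators = {
        "ETag": resource.etag,
        "Last-Modified": formatdate(resource.last_modified, usegmt=True),
        "Cache-Control": f"max-age={max_age}",
    }
    unchanged = False
    if "if-none-match" in h:
        # ETag wins when both headers are present; the client may list several tags.
        tags = [t.strip() for t in h["if-none-match"].split(",")]
        unchanged = "*" in tags or resource.etag in tags
    elif "if-modified-since" in h:
        try:
            since = parsedate_to_datetime(h["if-modified-since"]).timestamp()
        except (TypeError, ValueError):
            since = None                      # unparsable date: ignore the header, send the full body
        # HTTP dates have one-second resolution, so compare whole seconds.
        unchanged = since is not None and int(resource.last_modified) <= int(since)
    if unchanged:
        return 304, validators, b""           # Not Modified: the client reads its cached copy
    headers = dict(validators)
    headers["Content-Type"] = "text/html; charset=utf-8"
    headers["Content-Length"] = str(len(resource.body))
    return 200, headers, resource.body


if __name__ == "__main__":
    page = Resource(b"<html>v1</html>", 1629712689)
    status, hdrs, _ = respond(page, {})
    print(status, hdrs)
    print(respond(page, {"If-None-Match": hdrs["ETag"]})[0])   # revalidation hits the cache
```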

Shortcomings of HTTP

  • Communication uses clear text (no encryption), so the content may be eavesdropped on
  • The identity of the communicating party is not verified, so impersonation is possible
  • The integrity of a message cannot be proven, so it may have been tampered with

Non-persistent and persistent connections

  • In practice the client often makes a series of requests and the server responds to each. If each of these request/response pairs is sent over a separate TCP connection, this is called a non-persistent connection. Conversely, if they are all sent over the same TCP connection, it is called a persistent connection.


  • A non-persistent connection is closed after every request/response, and a new TCP connection is built the next time, which causes a lot of communication overhead. The round-trip time (RTT) mentioned earlier, for example, is the cost of establishing a TCP connection.

  • Non-persistent connections put a heavy burden on the server, which may face hundreds or more requests at the same time. Persistent connections were introduced to solve these problems: they keep the TCP connection open and do not disconnect until an explicit close request is encountered. Persistent connections reduce communication overhead and save traffic.


HTTPS


Introduction to HTTPS

  • The HTTP protocol has no encryption mechanism, but it can be combined with SSL (Secure Socket Layer) or TLS (Transport Layer Security) to encrypt the content of HTTP communication. This is communication-level encryption, i.e. encryption over the whole communication line.
HTTP + encryption + authentication + integrity protection = HTTPS (HTTP Secure)


  • HTTPS uses a hybrid encryption mechanism that combines shared-key (symmetric) encryption and public-key (asymmetric) encryption. If the key could be exchanged securely, one might consider using only public-key encryption for the whole communication. But public-key encryption is slower than shared-key encryption.

So the two should be combined to make full use of their respective advantages: public-key encryption is used during the key exchange phase, and once communication is established, the message exchange phase uses shared-key encryption.

A simple description of the HTTPS handshake process follows:

  1. The browser sends the set of encryption rules it supports to the website. The server obtains the browser's public key.
  2. The website picks a group of encryption algorithms and a HASH algorithm from them and sends its identity information back to the browser in the form of a certificate. The certificate contains the website address, the encryption public key and the certification authority. The browser obtains the server's public key.
  3. After obtaining the website certificate, the browser does the following:
    1. Validates the certificate (whether the certification authority is legitimate, whether the website address contained in the certificate matches the address being visited, and so on). If the certificate is trusted, a small lock is displayed in the browser bar; otherwise the user is warned that the certificate is not trusted.
    2. If the certificate is trusted, or the user accepts an untrusted certificate, the browser generates a random password (the key for the subsequent communication) and encrypts it with the public key provided in the certificate (shared-key encryption).
    3. Computes the HASH of the handshake messages with the agreed HASH algorithm, encrypts the message with the generated random number, and finally sends everything generated so far to the website. In short: browser validation -> random password encrypted with the server's public key -> communication key -> sent to the server
  4. After receiving the browser's data, the website does the following:
    1. Decrypts the information with its own private key to extract the password, uses the password to decrypt the handshake message sent by the browser, and verifies that the HASH matches the one the browser sent.
    2. Encrypts a handshake message with the password and sends it to the browser. In short: the server decrypts the random password with its own private key -> decrypts the handshake message with the password (shared-key communication) -> verifies that the HASH matches the browser's (verifying the browser)

Shortcomings of HTTPS

  • The encryption and decryption process is complex
  • As a result access is slower, and a certificate has to be purchased from a certification authority
  • All requests for the whole page must use HTTPS

How HTTPS works

  • We all know that HTTPS can encrypt information to prevent sensitive data from being obtained by third parties, which is why many bank websites, e-mail services and other services requiring a high level of security use the HTTPS protocol.


A client communicating with a Web server over HTTPS goes through the following steps, as shown in the figure.

  1. The client visits the Web server using an https URL and asks the Web server to establish an SSL connection.
  2. After receiving the client's request, the Web server sends a copy of the website's certificate information (which contains the public key) to the client.
  3. The client browser and the Web server begin to negotiate the security level of the SSL connection, that is, the level of information encryption.
  4. Based on the security level agreed by both sides, the client browser establishes a session key, encrypts the session key with the website's public key, and sends it to the website.
  5. The Web server decrypts the session key with its own private key.
  6. The Web server uses the session key to encrypt its communication with the client.
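The hybrid handshake described in the two step lists above, modelled with Go's standard library as an added example (not code from the original post): the browser checks the certificate's issuer and host name, wraps a random session key with the certificate's public key, and the server unwraps it with its private key. It assumes a constructed self-signed certificate for the made-up host example.test standing in for a CA-signed one, and uses RSA-OAEP for the "encrypt the password with the public key" step.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"math/big"
	"time"
)

// NewServer creates the website's RSA key pair and a self-signed certificate for host, the
// "website address" the browser checks (constructed test data; real sites use a CA-signed one).
func NewServer(host string) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// KeyExchange models both halves of the handshake: the browser verifies cert against its
// trust store (roots) and the visited host name, draws a random session key and encrypts it
// to the certificate's public key; the server recovers it with its private key. Both copies are returned.
func KeyExchange(key *rsa.PrivateKey, cert *x509.Certificate, visited string, roots *x509.CertPool) (sent, received []byte, err error) {
	// Browser: an untrusted issuer or a host name mismatch stops the handshake here.
	if _, err = cert.Verify(x509.VerifyOptions{DNSName: visited, Roots: roots}); err != nil {
		return nil, nil, err
	}
	sent = make([]byte, 32) // browser: the random "password" that becomes the shared key
	rand.Read(sent)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, cert.PublicKey.(*rsa.PublicKey), sent, nil)
	if err != nil {
		return nil, nil, err
	}
	// Server: only the holder of the private key can unwrap the session key.
	received, err = rsa.DecryptOAEP(sha256.New(), nil, key, wrapped, nil)
	return sent, received, err
}
```

With a matching name and a trust store containing the certificate both sides hold the same 32-byte key; a different host name or an empty trust store makes the browser-side check fail before any key is sent.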


The difference between HTTP and HTTPS

  • Data transmitted by the HTTP protocol is unencrypted, that is, plaintext, so transmitting private information over HTTP is very insecure. To allow such private data to be transmitted encrypted, Netscape designed the SSL (Secure Sockets Layer) protocol to encrypt the data transmitted by the HTTP protocol, and so HTTPS was born. Simply put, the HTTPS protocol is a network protocol built from SSL + HTTP for encrypted transmission and identity authentication, and it is more secure than HTTP.

The main differences between HTTPS and HTTP are as follows:

  1. The https protocol requires a certificate applied for from a CA; free certificates are rare, so there is a certain cost.
  2. http is the hypertext transfer protocol and transmits information in plaintext; https is a secure, ssl-encrypted transport protocol.
  3. http and https use completely different connection methods and different ports: the former uses 80, the latter 443.
  4. An http connection is simple and stateless; the HTTPS protocol is a network protocol built from SSL + HTTP for encrypted transmission and identity authentication, and it is more secure than http.

Summary

  • Compared with the HTTP protocol, HTTPS adds many handshake, encryption and decryption steps. Although the process is more complicated, it ensures the security of data transmission.


Copyright notice
Author: CS pull cycle. Please include the original link when reprinting, thank you.
https://en.qdmana.com/2021/08/20210823175800840U.html