Analysis of the relationship between HTTP and HTTPS and their advantages and disadvantages (illustrated)

Published: 2018-07-04 15:36:19 Author: Anonymous
Recently, websites everywhere have been turning on HTTPS, yet many sites that had originally enabled HTTPS have now gone back to HTTP. We had to look up the relevant information, because we really did not understand what was happening.

Attention ⚠️

The HTTPS protocol requires applying to a CA for a certificate. Free certificates are generally rare, so a fee is usually required.

HTTP is the Hypertext Transfer Protocol and transmits information in plain text, while HTTPS is a secure transfer protocol encrypted with SSL.

HTTP and HTTPS use completely different connection methods and different ports: the former uses 80, the latter 443.

Disadvantages of HTTP

HTTP has these main disadvantages:

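Communication is in plain text, so the content may be eavesdropped

[Figure: Communication uses plain text, so the content may be eavesdropped]

The identity of the communicating party is not verified, so impersonation is possible

[Figure: The identity of the communicating party is not verified, so impersonation is possible]

The integrity of a message cannot be verified, so it may have been tampered with

[Figure: The integrity of a message cannot be verified, so it may have been tampered with]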

HTTP + encryption + authentication + integrity protection = HTTPS

[Figure: HTTP + encryption + authentication + integrity protection = HTTPS]

HTTPS is HTTP in an SSL shell

In general, HTTP communicates directly with the TCP layer. When SSL (Secure Sockets Layer) is used, HTTP first communicates with SSL, and SSL then communicates with TCP.

[Figure: HTTPS is HTTP wrapped in an SSL shell]

Encryption technology

Before explaining SSL, let's talk about encryption methods. SSL uses an encryption method called public key encryption.

Symmetric encryption

Encrypting and decrypting with the same key is called symmetric encryption, also known as shared key encryption.

[Figure: Encryption and decryption use the same key]

With symmetric encryption, the key must also be sent to the other party along with the encrypted information, but the key can be intercepted by an attacker in transit, so this is not secure.

[Figure: How can the key be sent securely?]

Asymmetric encryption

Asymmetric encryption is also called public key encryption, and it neatly solves the problem of the symmetric encryption key being intercepted.

Asymmetric encryption uses a pair of asymmetric keys: one is called the private key and the other the public key.

With asymmetric encryption, one party encrypts the message using the other party's public key. After receiving the encrypted information, the other party decrypts it using its own private key.

[Figure: Asymmetric encryption]

HTTPS uses a hybrid encryption mechanism

HTTPS uses a combination of symmetric encryption and asymmetric encryption.

If keys can be exchanged securely, it would be possible to consider using asymmetric encryption alone.

However, asymmetric encryption is relatively slow to process compared with symmetric encryption.

[Figure: HTTPS uses a hybrid encryption mechanism]
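The combination of asymmetric and symmetric encryption described above, as an added example that is not part of the original article. It assumes a toy RSA key pair and a SHA-256 keystream standing in for the real ciphers so that it runs on the Python standard library alone; all function names are illustrative.

```python
import hashlib
import hmac
import secrets

# Toy RSA key pair (illustration only): the Mersenne primes 2**521-1 and 2**607-1
# keep the example free of third-party libraries. Their special form and the
# missing padding make this unsuitable for real use.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                     # server's public key (modulus, exponent)
D = pow(E, -1, (P - 1) * (Q - 1))       # server's private key, never leaves the server
KEY_BYTES = (N.bit_length() + 7) // 8

def derive(session_key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the one shared session key."""
    return hashlib.sha256(label + session_key).digest()

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Fast symmetric step: XOR with a SHA-256 counter keystream (stand-in for AES)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)

def client_send(plaintext: bytes):
    """Client: wrap a fresh session key with the public key, then encrypt and MAC."""
    session_key = secrets.token_bytes(32)
    wrapped_key = pow(int.from_bytes(session_key, "big"), E, N)  # slow step, done once
    nonce = secrets.token_bytes(16)
    ciphertext = keystream_xor(derive(session_key, b"enc"), nonce, plaintext)
    tag = hmac.new(derive(session_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return wrapped_key, nonce, ciphertext, tag

def server_receive(wrapped_key: int, nonce: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    """Server: recover the session key with the private key, verify, then decrypt."""
    session_key = pow(wrapped_key, D, N).to_bytes(KEY_BYTES, "big")[-32:]
    expected = hmac.new(derive(session_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message altered in transit")
    return keystream_xor(derive(session_key, b"enc"), nonce, ciphertext)

if __name__ == "__main__":
    message = b"POST /login user=alice&password=constructed-sample"  # constructed sample
    print(server_receive(*client_send(message)))
```

Only the 32-byte session key goes through the slow public key operation; the message itself, however long, is handled by the fast symmetric step and checked by the MAC.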

Public key authentication

Authentication uses a digital certificate authority (CA) and the public key certificates it issues. That is, an independent third party performs the verification.

[Figure: Digital certificate authority]

[Figure: Public key certificate]

The private key is stored on the server side

Note ⚠️ : Certification costs money!!
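What CA-based verification looks like from the client side, as an added example that is not part of the original article. It assumes a client built on Python's standard `ssl` module; the function names are illustrative, and the audit compares a context that checks the server's certificate with one that does not.

```python
import ssl

def verified_client_context() -> ssl.SSLContext:
    """Client settings that rely on CA-issued certificates to identify the server."""
    ctx = ssl.create_default_context()            # trusts the system's CA root certificates
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse obsolete SSL and early TLS versions
    return ctx

def unverified_client_context() -> ssl.SSLContext:
    """The weak setting: traffic is still encrypted, but to an unauthenticated peer."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit(ctx: ssl.SSLContext) -> list:
    """Report which identity guarantees a client context gives up."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified against a trusted CA")
    if not ctx.check_hostname:
        findings.append("certificate name not matched to the requested host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 allowed")
    return findings

if __name__ == "__main__":
    print("verified:  ", audit(verified_client_context()))
    print("unverified:", audit(unverified_client_context()))
```

A client using the second context still encrypts its traffic, but it has no assurance about who holds the key at the other end, which is the impersonation problem listed among the disadvantages of HTTP.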

HTTPS secure communication mechanism

[Figure: HTTPS secure communication mechanism]

The following is the complete HTTPS communication process

[Figure: The HTTPS communication process]

Why isn't HTTPS more popular?

1. Encrypted communication consumes more CPU and memory resources than plain text communication

2. Certificates cost money!

3. In a small number of cases, the client is also required to have a certificate.

The client certificate here is in effect a statement of personal information: in addition to the user name and password, there is a CA-authenticated identity. Because personal certificates generally cannot be forged by others, they provide a stronger confirmation of identity.

At present, the professional editions of a few personal banking services work this way, and the certificate itself may be carried on a USB drive as a backup medium.

HTTPS is inevitably more cumbersome

1. The original HTTP protocol is simple: one GET, one response. HTTPS additionally has to return the key and confirm the encryption algorithm. The handshake alone requires 6/7 round trips, and too many round trips in any application will definitely affect performance.

2. Next comes the HTTP exchange itself: for every request and response, the client and server must encrypt and decrypt the content of the session. Although symmetric encryption and decryption are relatively efficient, they still consume a lot of CPU, which is why dedicated SSL chips exist. If the CPU is relatively weak, performance will certainly drop and the server will not be able to serve as many requests; the amount of data after encryption is also affected. That's why there are so many security authentication tips.

The pros and cons of using https for websites

Today we focus on the advantages and disadvantages of using HTTPS on a website. If you do not understand how HTTPS works, you can refer to the article on the relationship and differences between HTTP and HTTPS written by Baicheng earlier (with illustrations).

Benefits of HTTPS

1. SEO: In August 2014, Google changed its search engine algorithm and said, "Websites that use https encryption will rank higher in search results than comparable http websites."

Baidu also announced on its webmaster platform last year that HTTPS sites receive some preferential treatment in ranking.

2. Security: Although HTTPS is not absolutely secure, since organizations that control root certificates and encryption algorithms can still carry out man-in-the-middle attacks, HTTPS is still the most secure solution under the current architecture. It has the following advantages:

(1) The HTTPS protocol can authenticate users and servers to ensure that data is sent to the correct client and server;

(2) HTTPS is a network protocol built from SSL + HTTP that supports encrypted transmission and identity authentication. It is safer than HTTP and prevents data from being stolen or changed in transit, ensuring data integrity.

HTTPS is the most secure solution under the current architecture; although it is not absolutely secure, it significantly increases the cost of man-in-the-middle attacks.

The Downside of HTTPS

Although HTTPS has great advantages, it still has some shortcomings. Specifically, there are the following two points:

1. SEO: According to data from ACM CoNEXT, using the HTTPS protocol extends page load time by nearly 50% and increases power consumption by 10% to 20%. In addition, the HTTPS protocol affects caching, increases data overhead and power consumption, and even affects existing security measures.

The scope of what the HTTPS protocol encrypts is also relatively limited, and it offers almost no protection against hacker attacks, denial-of-service attacks, server hijacking and the like.

Most critically, the trust chain system of SSL certificates is not secure: especially where some countries can control CA root certificates, man-in-the-middle attacks remain feasible.

2. Economic aspects:

(1) SSL certificates cost money, and the more capable the certificate, the higher the cost. Personal websites and small websites generally do not use one unless necessary.

(2) An SSL certificate usually has to be bound to an IP address, and multiple domain names cannot be bound on the same IP; IPv4 resources cannot support that level of consumption. (An SSL extension can partly solve this problem, but it is more troublesome and requires browser and operating system support. Windows XP does not support this extension, and considering XP's installed base, the feature is almost useless.)

(3) HTTPS connections do not cache as efficiently as HTTP, so high-traffic websites will not use HTTPS unless necessary, because the traffic cost is too high.

(4) HTTPS connections consume far more server resources, so a website with slightly more visitors needs a larger investment. If everything moved to HTTPS, the average cost of VPS hosting, which is priced on the assumption that most computing resources sit idle, would go up.

(5) The HTTPS handshake phase is time-consuming and has a negative impact on the response speed of the website. If it is not necessary, there is no reason to sacrifice the user experience.

Of course, now that HTTPS has matured, many of these shortcomings can be optimized away or remedied. For example, the page-opening speed problem can be solved with CDN acceleration, and many IDCs are starting to offer free certificates and one-stop HTTPS setup services, so the cost of HTTPS will soon drop considerably!
