Analysis of the relationship and advantages and disadvantages of HTTP and HTTPS (illustrated)
Attention ⚠️
The HTTPS protocol requires applying to a CA for a certificate. Free certificates are generally rare, so payment is usually required.
HTTP is the Hypertext Transfer Protocol, and its information is transmitted in plain text, while HTTPS is a secure transfer protocol encrypted with SSL.
HTTP and HTTPS use completely different connection modes and different ports: the former uses 80, the latter 443.
Disadvantages of HTTP
HTTP has these main disadvantages:
Communications are in clear text, so the content may be eavesdropped on
The identity of the communicating party is not verified, so you may be dealing with an impersonator
The integrity of the message cannot be verified, so it may have been tampered with
HTTP + encryption + authentication + integrity protection = HTTPS
HTTPS is HTTP in an SSL shell
In general, HTTP communicates directly with the TCP layer. When SSL is used, HTTP first communicates with SSL, and SSL then communicates with TCP.
Encryption technology
Before explaining SSL, let's talk about encryption methods. SSL uses an encryption method called public key encryption.
Symmetric encryption
Encrypting and decrypting with the same key is called symmetric encryption, also known as shared key encryption.
With symmetric encryption, the key also has to be sent to the other party along with the encrypted information, but the key can be intercepted by an attacker in transit, so this is not secure.
Asymmetric encryption
Asymmetric encryption, also called public key encryption, neatly solves the problem of the symmetric key being intercepted.
Asymmetric encryption uses a pair of different keys: one is called the private key and the other is called the public key.
How it works: one party encrypts the message using the other party's public key. After receiving the encrypted information, the other party decrypts it using its own private key.
HTTPS uses a mixed encryption mechanism
HTTPS uses a combination of symmetric encryption and asymmetric encryption.
If keys can be exchanged securely, then it would be possible to consider using only asymmetric encryption.
However, asymmetric encryption is slow compared with symmetric encryption. HTTPS therefore uses asymmetric encryption only to exchange the shared key, and then uses the faster symmetric encryption for the messages that follow.
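A minimal sketch of the mixed mechanism described above, added here and not taken from the original article: the client wraps a random shared key with the server's public key once, then every message is protected with fast symmetric encryption plus an integrity tag. The tiny RSA key, the SHA-256 keystream and all function names are constructed stand-ins for illustration; real TLS uses vetted primitives and key sizes.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key pair (two Mersenne primes); far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q                              # public key is (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, never leaves the server


def wrap_session_key(session_key: bytes) -> int:
    # Client: encrypt the 16-byte shared key with the server's public key (slow, once).
    return pow(int.from_bytes(session_key, "big"), E, N)


def unwrap_session_key(wrapped: int) -> bytes:
    # Server: recover the shared key with its private key.
    return pow(wrapped, D, N).to_bytes(16, "big")


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the one shared key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher built from SHA-256; real TLS uses AES-GCM or ChaCha20.
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    # Symmetric encryption plus a MAC (fast, done for every message).
    nonce = secrets.token_bytes(12)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, record: bytes) -> bytes:
    # Check the MAC first; a record modified in transit is rejected, not decrypted.
    nonce, ct, tag = record[:12], record[12:-32], record[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)
```

Only the wrapped key and the sealed records cross the network; flipping a single byte of a record makes `open_sealed` raise, which is the integrity protection plain HTTP lacks.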
Public key authentication
Authentication relies on a digital certificate authority (CA) and the public key certificate it issues. That is, an independent third party does the verification.
The private key is stored on the server side.
Note ⚠️ : Certification costs money!!
HTTPS secure communication mechanism
The following is the complete HTTPS communication process
Why isn't HTTPS so popular
1. Encrypted communication consumes more CPU and memory resources than plain text communication
2. Certificates cost money!
3. In the few cases where there are requirements on the client, the client is also required to have a certificate.
The client certificate here is in effect a statement of personal information: in addition to the user name and password, there is a CA-authenticated identity. Because a personal certificate generally cannot be forged by others, it gives a stronger confirmation of the user's identity.
At present, the professional editions of a few personal online banking services work this way, and the certificate itself may be carried on a USB drive.
HTTPS must be tedious
1. Plain HTTP is simple: one GET, one response. HTTPS also has to return the key and confirm the encryption algorithm, so the handshake alone requires 6/7 round trips, and too many round trips in any application will definitely affect performance.
2. Next comes the HTTP exchange itself: for every request and response, the client and server must encrypt and decrypt the content of the session. Although symmetric encryption and decryption are relatively efficient, they still consume a lot of CPU, which is why dedicated SSL chips exist. If CPU capacity is relatively low, performance will certainly drop and fewer requests can be served. The amount of data after encryption is also affected. That is why so many security authentication prompts appear.
The pros and cons of using HTTPS for websites
Today we focus on the advantages and disadvantages of using HTTPS on a website. If you do not understand how HTTPS works, you can refer to the relationship and difference between HTTP and HTTPS written by Baicheng before (attached illustration).
Benefits of HTTPS
1. SEO. In August 2014, Google changed its search engine algorithm and said, "Websites that use https encryption will rank higher in search results than comparable http websites."
Baidu also declared on its webmaster platform last year that HTTPS sites receive some preferential treatment in ranking.
2. Security. Although HTTPS is not absolutely secure, since organizations that control root certificates and encryption algorithms can still carry out man-in-the-middle attacks, HTTPS is still the most secure solution under the current architecture. It has the following advantages:
(1) The HTTPS protocol can authenticate users and servers to ensure that data is sent to the correct client and server;
(2) HTTPS is a network protocol built from SSL + HTTP that provides encrypted transmission and identity authentication. It is safer than HTTP and prevents data from being stolen or changed in transit, ensuring data integrity.
HTTPS is the most secure solution under the current architecture. Although it is not absolutely secure, it significantly increases the cost of man-in-the-middle attacks.
The Downside of HTTPS
Although HTTPS has great advantages, it still has some shortcomings. Specifically, there are the following two points:
1. SEO. According to ACM CoNEXT data, using the HTTPS protocol extends page load time by nearly 50% and increases power consumption by 10% to 20%. In addition, the HTTPS protocol affects caching, increases data overhead and power consumption, and even existing security measures are affected.
The HTTPS protocol's encryption scope is also relatively limited, and it does little against hacker attacks, denial-of-service attacks, server hijacking and the like.
Most critically, the chain-of-trust system of SSL certificates is not secure; in particular, where some countries can control a CA root certificate, man-in-the-middle attacks are feasible.
2. Economic aspects.
(1) SSL certificates cost money, and the more powerful the certificate, the higher the cost. Personal websites and small websites generally will not use one unless it is necessary.
(2) An SSL certificate usually has to be bound to an IP address, and multiple domain names cannot be bound on the same IP; IPv4 resources cannot sustain this consumption. (An SSL extension can partly solve this problem, but it is more troublesome and requires browser and operating system support. Windows XP does not support this extension, and considering the installed base of XP, this feature is almost useless.)
(3) Caching of HTTPS connections is not as efficient as with HTTP, so high-traffic websites will not use it unless necessary, because the traffic cost is too high.
(4) HTTPS connections consume far more server-side resources, so a website with somewhat more visitors needs more investment. If everything moved to HTTPS, the average cost of VPS hosting, which is priced on the assumption that most computing resources sit idle, would go up.
(5) The HTTPS handshake phase is time-consuming and has a negative impact on the response speed of the website. If it is not necessary, there is no reason to sacrifice the user experience.
Of course, now that HTTPS has matured, many of these shortcomings can be optimized and remedied. For example, the problem of page load speed can be solved by CDN acceleration, and many IDCs are also starting to launch free certificates and one-stop HTTPS setup services, so the cost of HTTPS will be greatly reduced soon!