What is the difference between http vs https? Detailed explanation of SSL encryption process

With the rapid development of the Internet, some people do WeChat marketing and public account promotion but complain that Internet marketing doesn't work. In fact, the best way for new media people to do Internet marketing is to draw traffic through search engines.

Therefore, search engines are one of the most popular ways of web promotion nowadays.

Moreover, the search engines Google and Baidu have publicly stated that https is included in the search engine ranking mechanism.

Especially for e-commerce websites, it is recommended to use the https encryption protocol, which not only helps to improve rankings, but also helps users experience the website safely.

The Hypertext Transfer Protocol (HTTP) is used to transfer information between a web browser and a web server. HTTP sends content in clear text and does not provide any form of data encryption. If an attacker intercepts the connection between the web browser and the web server, the transmitted content can be read directly. Therefore, the HTTP protocol is not suitable for transmitting sensitive information, such as credit card numbers, passwords and other payment information.

In order to solve this defect of the HTTP protocol, another protocol needs to be used: the secure socket layer hypertext transfer protocol, HTTPS. For the security of data transmission, HTTPS adds the SSL protocol to HTTP; SSL relies on certificates to authenticate the server and encrypts the communication between the browser and the server.

First, basic concepts of HTTP and HTTPS

HTTP: the most widely used network protocol on the Internet. It is a request and response standard between client and server (over TCP), used to transmit hypertext from a WWW server to a local browser. The server is more efficient, resulting in fewer network transfers.

HTTPS: a secure HTTP channel. In short, it is a secure version of HTTP, that is, HTTP with an SSL layer added. The security foundation of HTTPS is SSL, so the details of the encryption are those of SSL.

The main functions of the HTTPS protocol can be divided into two types: one is to establish an information security channel to ensure the security of data transmission; the other is to confirm the authenticity of the website.

Second, what is the difference between HTTP and HTTPS?

The data transmitted by the HTTP protocol is unencrypted, that is, in plain text. Therefore, it is very insecure to use the HTTP protocol to transmit private information. In order to ensure that this private data can be encrypted in transit, Netscape designed the SSL (Secure Sockets Layer) protocol to encrypt the data transmitted by the HTTP protocol, and thus HTTPS was born.

In short, the HTTPS protocol is a network protocol constructed by the SSL+HTTP protocol that can perform encrypted transmission and identity authentication, and is more secure than the http protocol.

The main differences between HTTPS and HTTP are as follows:

  1. The https protocol requires applying to a CA for a certificate. Generally, there are few free certificates, so a certain fee is required.
  2. http is a hypertext transfer protocol in which information is transmitted in plaintext, while https is a secure SSL-encrypted transfer protocol.
  3. http and https use completely different connection methods and use different ports. The former is 80 and the latter is 443.
  4. The connection of http is very simple and stateless; the HTTPS protocol is a network protocol constructed by the SSL+HTTP protocol that can perform encrypted transmission and identity authentication, which is safer than the http protocol.

Third, detailed explanation of the HTTPS and SSL encryption process

We all know that HTTPS can encrypt information to prevent sensitive information from being obtained by third parties, so many banking websites or e-mails and other services with higher security levels will use the HTTPS protocol.

1. The client initiates an HTTPS request

There is not much to say here: the user enters an https URL in the browser, and the browser then connects to port 443 of the server.

2. Server configuration

A server using the HTTPS protocol must have a set of digital certificates, which can be made by yourself or applied for from an organization. The difference is that a certificate issued by yourself needs to be accepted by the client before access can continue, while a certificate obtained from a trusted company does not cause a prompt page to pop up.

This set of certificates is actually a pair of public key and private key. If you don't understand the public key and private key, you can imagine them as a lock and a key, where you are the only person in the world who has the key. You can give the lock to others; others can use this lock to lock up important things and then send them to you. Because only you have the key, only you can see the things locked by this lock.

3. Send the certificate

This certificate is actually the public key, but contains a lot of information, such as the certificate authority, expiration time, and so on.

4. Client parsing certificate

This part of the work is done by the client's TLS. First, it will verify whether the public key is valid, such as the issuing authority, expiration time, etc. If an exception is found, a warning box will pop up, indicating that there is a problem with the certificate.

If there is no problem with the certificate, the client generates a random value and encrypts it with the certificate. As described above, this locks the random value with the lock, so that without the key, the locked content cannot be seen.

5. Transmission of encrypted information

This part transmits the random value encrypted with the certificate. The purpose is to let the server get this random value, and then the communication between the client and the server can be encrypted and decrypted through this random value.

6. Server decrypts the information

After the server decrypts with its private key, it obtains the random value (the shared secret key) sent by the client, and then encrypts the content symmetrically with that value. In this way, unless the secret key is known, the content cannot be obtained. Both the client and the server know this key, so as long as the encryption algorithm is strong enough and the key is complex enough, the data is safe enough.

7. Transmission of encrypted information

This part is the information encrypted by the server with the shared key; it can be restored on the client side.

8. Client decryption information

The client decrypts the information sent by the server with the key it generated earlier, and thus obtains the decrypted content. Even if a third party monitors the data during the whole process, it is helpless.
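The eight steps above, run end to end as an added example (not code from the original article): a toy Python model in which textbook RSA over small constructed primes and a SHA-256 keystream stand in for the real algorithms; `shop.example` and all function names are assumptions. It follows the RSA key-transport flow the article describes; TLS 1.3 agrees the key with ephemeral Diffie-Hellman instead, but the certificate check of step 4 is the same idea.

```python
import hashlib, hmac, json, secrets

E = 65537  # public exponent

def make_keypair(p, q):
    """Textbook RSA key pair from two primes (toy: no padding, small modulus)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))          # (public key, private key)

# Constructed demo keys built from known Mersenne primes; never use such keys for real.
CA_PUB, CA_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
SRV_PUB, SRV_PRIV = make_keypair(2**89 - 1, 2**107 - 1)

def _digest(body, n):
    data = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue_cert(signer_priv, subject, pubkey, not_after):
    """Step 2: the issuer signs the site name, its public key and the expiry time."""
    body = {"subject": subject, "pubkey": list(pubkey), "not_after": not_after}
    n, d = signer_priv
    return {"body": body, "sig": pow(_digest(body, n), d, n)}

def check_cert(cert, ca_pub, hostname, now):
    """Step 4: issuer signature, expiry and name are checked before the key is used."""
    n, e = ca_pub
    if pow(cert["sig"], e, n) != _digest(cert["body"], n):
        raise ValueError("certificate not signed by a trusted CA")
    if now > cert["body"]["not_after"]:
        raise ValueError("certificate expired")
    if cert["body"]["subject"] != hostname:
        raise ValueError("certificate issued for another host")
    return tuple(cert["body"]["pubkey"])

def handshake(cert, ca_pub, server_priv, hostname, now):
    """Steps 3-6: returns the shared random value as held by (client, server)."""
    n, e = check_cert(cert, ca_pub, hostname, now)        # client validates first
    secret = secrets.token_bytes(16)                      # client's random value
    wire = pow(int.from_bytes(secret, "big"), e, n)       # step 5: all that is sent
    n_srv, d = server_priv
    return secret, pow(wire, d, n_srv).to_bytes(16, "big")  # step 6: server decrypts

def _keys(secret):
    # Separate encryption and MAC keys derived from the shared random value.
    return (hashlib.sha256(b"enc" + secret).digest(),
            hashlib.sha256(b"mac" + secret).digest())

def _xor_stream(key, nonce, data):
    blocks = (len(data) + 31) // 32
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(secret, plaintext):
    """Step 7: symmetric encryption plus an integrity tag under the shared value."""
    enc_key, mac_key = _keys(secret)
    nonce = secrets.token_bytes(12)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(secret, blob):
    """Step 8: verify the tag, then decrypt."""
    enc_key, mac_key = _keys(secret)
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record was modified in transit")
    return _xor_stream(enc_key, nonce, ct)
```

Issuing the certificate with `SRV_PRIV` instead of `CA_PRIV` models the self-made certificate of step 2: `check_cert` rejects it, which corresponds to the browser warning described there.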

Fourth, the attitude of search engines to HTTPS

Baidu launched a full-site HTTPS encrypted search service to solve the problem of "third party" sniffing and hijacking of user privacy. In fact, as early as May 2010, Google began to provide an HTTPS encrypted search service. On the issue of crawling HTTPS web pages, Baidu stated in an announcement in September 5 that "Baidu will not actively crawl HTTPS web pages", while Google stated in its algorithm update that "under the same conditions, sites using HTTPS encryption technology will have a better search ranking advantage".

So, in this environment, should webmasters adopt the "risky" HTTPS protocol? And what is the impact of HTTPS on search engine SEO?

1. Google's attitude

Google's attitude towards the inclusion of HTTPS sites is no different from that towards HTTP sites, and it even takes "whether to use secure encryption" (HTTPS) as a reference factor in the search ranking algorithm. Websites using HTTPS encryption technology can get more display opportunities, and their ranking is more advantageous than that of similar HTTP sites.

And Google has made it clear that it "hopes that all webmasters will be able to use the HTTPS protocol instead of HTTP", which shows its determination to achieve the goal of "HTTPS everywhere".

2. Baidu's attitude

In the past, Baidu's technology was relatively backward: it said that "it will not actively crawl https pages", but it was also "worried" that "many https pages cannot be included". Then, in September 2014, Baidu published an article on the question of "how to build https sites that are friendly to Baidu", giving four suggestions and specific actions to "improve the Baidu-friendliness of https sites":

1. Make http accessible versions for https pages that need to be indexed by Baidu search engine.

2. Judge the visitor through the user-agent, and direct Baiduspider to the http page. When ordinary users visit the page through the Baidu search engine, they are redirected to the corresponding https page through a 301. As shown in the figure, the upper picture shows the http version included in Baidu, and the lower picture shows that users automatically jump to the https version after clicking.

[Pictures 3 and 4: the http version included in Baidu, and the automatic jump to the https version after clicking]

3. The http version should not be made only for the homepage; other important pages also need an http version, and these pages should link to each other. Don't do this: the links on the http homepage still point to https pages, which makes Baiduspider unable to continue crawling. We have encountered such a situation, where only the home page could be included for the entire site.

4. Some content that does not need to be encrypted, such as news and information, can be carried by a second-level domain name. For example, on the Alipay site, the core encrypted content is placed on https, and the content that can be directly crawled by Baiduspider is placed on the second-level domain name.

According to the test by Computer Science House in the link below, it takes 114 milliseconds to establish a connection with HTTP and 436 milliseconds with HTTPS. The SSL part accounts for 322 milliseconds, including the network delay and the overhead of SSL's own encryption and decryption (the server determines, according to the client's information, whether a new master key needs to be generated; the server replies with the master key and returns a message authenticated with the master key to the client; the server requests a digital signature and public key from the client).

Fifth, how much more resources does HTTPS consume than HTTP?

HTTPS is actually an HTTP protocol built on top of SSL/TLS. Therefore, to compare how much more server resources HTTPS uses than HTTP, I (Chen Weiliang) think it mainly depends on how much server resources are consumed by SSL/TLS itself.

HTTP uses the TCP three-way handshake to establish a connection, and the client and server need to exchange 3 packets;

In addition to the three packets of TCP, HTTPS also needs to add 9 packets required for the ssl handshake, so there are 12 packets in total.

After the SSL connection is established, the subsequent encryption switches to a symmetric method such as 3DES, which puts a light load on the CPU. Compared with the asymmetric encryption used while the SSL connection is being established, the CPU load of symmetric encryption can basically be ignored. So here is the problem: if you rebuild the SSL session frequently, the impact on server performance will be fatal. Although enabling HTTPS keep-alive can alleviate the performance problem of a single connection, for a large website with a large number of concurrent users, an independent SSL termination proxy based on load sharing is essential. The web service is placed behind the SSL termination proxy. The SSL termination proxy can be hardware-based, such as F5, or software-based; for example, Wikipedia uses Nginx.

As for how much more server resources are used after adopting HTTPS: in January 2010 Gmail switched to full use of HTTPS. The CPU load of the front-end machines handling SSL did not increase by more than 1%, the memory consumption of each connection was less than 20KB, and the network traffic increased by less than 2%. Since Gmail presumably uses N servers for distributed processing, the CPU load data does not have much reference significance, while the memory consumption and network traffic data of each connection do. This article also lists that a single core handles about 1500 handshakes per second (for 1024-bit RSA), and this data is very informative.

Sixth, advantages of HTTPS

It is precisely because HTTPS is very secure that attackers cannot find a place to start. From the perspective of webmasters, the advantages of HTTPS are as follows:

1. SEO aspects

Google adjusted its search engine algorithm in August 2014, saying that "a site encrypted with HTTPS will rank higher in search results than an equivalent HTTP site".

2. Security

HTTPS is not absolutely secure: organizations that control root certificates and organizations that control encryption algorithms can still carry out man-in-the-middle attacks. However, HTTPS is still the most secure solution under the current architecture, with the following advantages:

(1) Use the HTTPS protocol to authenticate users and servers to ensure that data is sent to the correct client and server;

(2) The HTTPS protocol is a network protocol constructed by the SSL+HTTP protocol that can perform encrypted transmission and identity authentication. It is safer than the http protocol, which can prevent data from being stolen and changed during the transmission process and ensure the integrity of the data.

(3) HTTPS is the most secure solution under the current architecture. Although it is not absolutely secure, it greatly increases the cost of man-in-the-middle attacks.

Seventh, disadvantages of HTTPS

Although HTTPS has great advantages, it still has some shortcomings. Specifically, there are the following two points:

1. SEO aspects

According to ACM CoNEXT data, using the HTTPS protocol will prolong the page loading time by nearly 50% and increase the power consumption by 10% to 20%. In addition, the HTTPS protocol will also affect caching, increase data overhead and power consumption, and even existing security measures will be affected accordingly.

Moreover, the encryption scope of the HTTPS protocol is relatively limited, and it hardly plays any role against hacker attacks, denial of service attacks, and server hijacking.

Most importantly, the credit chain system of SSL certificates is not secure, especially when some countries can control the CA root certificate, man-in-the-middle attacks are feasible.

2. Economic aspects

(1) SSL certificates need money. The more powerful the certificate, the higher the cost. Personal websites can use free SSL certificates.

(2) SSL certificates usually need to be bound to an IP, and multiple domain names cannot be bound to the same IP; IPv4 resources cannot support this consumption (SSL has an extension that can partially solve this problem, but it is troublesome and requires browser and operating system support. Windows XP does not support this extension, and considering the installed base of XP, this feature is almost useless).

(3) HTTPS connection caching is not as efficient as HTTP, and high-traffic websites will not use it unless necessary, and the traffic cost is too high.

(4) HTTPS connections consume much more server-side resources, and supporting websites with slightly more visitors requires a larger cost. If HTTPS is used everywhere, the average cost of a VPS, which is based on the assumption that most of the computing resources are idle, will go up.

(5) The handshake phase of the HTTPS protocol is time-consuming and has a negative impact on the response speed of the website. If it is not necessary, there is no reason to sacrifice the user experience.

Eighth, does the website need to be encrypted with HTTPS?

Although Google and Baidu both "look at HTTPS differently", this does not mean that webmasters should convert the website protocol to HTTPS!

First of all, let's talk about Google. Although Google keeps emphasizing that "websites using HTTPS encryption technology can get better rankings", it cannot be ruled out that this is an "ulterior motive" move.

Foreign analysts have said in response to this issue: the reason why Google made this move (updating the algorithm to use HTTPS encryption as a reference factor for search engine rankings) may not be to improve the user's search experience and Internet security, but just to recover the "loss" in the "Prism Gate" scandal. This is a typical self-interested move under the banner of "sacrificing the ego": holding high the banner of "security impacts ranking" and chanting the "HTTPS everywhere" slogan, and then effortlessly letting the majority of webmasters willingly join the HTTPS protocol camp.

If your website belongs to e-commerce/small trade platforms, finance, social networking and other such fields, it is best to use the HTTPS protocol; if it is a blog site, a promotional site, a classified information site, or a news site, a free SSL certificate can be used.

Ninth, how does a webmaster build an HTTPS site?

When it comes to the construction of HTTPS sites, we have to mention the SSL protocol. SSL is the first network security protocol adopted by Netscape. It is a security protocol implemented on top of the Transmission Communication Protocol (TCP/IP) using public key technology. SSL widely supports various types of networks and provides three basic security services, all of which use public key technology.

1. The role of SSL

(1) Authenticate users and servers to ensure that data is sent to the correct client and server;

(2) Encrypt data to prevent data from being stolen midway;

(3) Maintain the integrity of the data and ensure that the data is not changed during the transmission process.

An SSL certificate is a digital file that verifies the identities of both parties in SSL communication. It is generally divided into server certificates and client certificates; the SSL certificate we usually talk about mainly refers to the server certificate. The SSL certificate is issued by a trusted digital certificate authority (CA, such as VeriSign, GlobalSign, WoSign, etc.) after verifying the identity of the server, and provides server authentication and data transmission encryption. SSL certificates are divided into Extended Validation (EV) SSL certificates, Organization Validation (OV) SSL certificates, and Domain Validation (DV) SSL certificates.

2. 3 main steps to apply for an SSL certificate

There are three main steps to apply for an SSL certificate:

(1) Make the CSR file

The so-called CSR is the Certificate Signing Request file produced by the applicant. During the production process, the system generates two keys: one is the public key, which goes into the CSR file, and the other is the private key, which is stored on the server.

To make CSR files, applicants can refer to the web server documentation. In general, Apache and similar servers use the OpenSSL command line to generate two files, KEY and CSR; Tomcat, JBoss, Resin, etc. use KEYTOOL to generate JKS and CSR files; IIS creates a pending request and a CSR file.

(2) CA certification

Submit the CSR to the CA, and the CA generally has two authentication methods:

① Domain name authentication: Generally, the administrator's mailbox is authenticated. This method is fast, but the certificate issued does not contain the name of the company.

② Enterprise document certification: The business license of the enterprise needs to be provided, which generally takes 3-5 working days.

There are also certificates that need to authenticate the above two methods at the same time, which is called EV certificate. This certificate can make the address bar of browsers above IE2 turn green, so the authentication is also the strictest.

(3) Installation of the certificate

After receiving the certificate from the CA, you can deploy the certificate on the server. Generally, for Apache, the KEY and CER files are copied directly to the server and then the HTTPD.CONF file is modified; for Tomcat, etc., the certificate CER file issued by the CA is imported into the JKS file, which is copied to the server, and then SERVER.XML is modified; for IIS, the pending request is processed and the CER file is imported.

Tenth, free SSL certificate recommendation

Using an SSL certificate can not only ensure the security of information, but also improve the user's trust in the website. However, considering the cost of building a website, many webmasters are discouraged. Free services on the Internet are a market that will never go out of style: there are free hosting spaces, and naturally there are free SSL certificates. Earlier, it was reported that Mozilla, Cisco, Akamai, IdenTrust, EFF, and researchers at the University of Michigan will start the Let's Encrypt CA project, which plans to provide free SSL certificates and certificate management services for websites starting this summer (note: if you need more advanced and complex certificates, you will need to pay). At the same time, it also reduces the complexity of certificate installation: the installation time is only 20-30 seconds.

It is often large and medium-sized websites that require complex certificates, and small sites such as personal blogs can try free SSL certificates first.

Below, Chen Weiliang's blog introduces several free SSL certificates, such as CloudFlare SSL, NameCheap, etc.

1. CloudFlare SSL

CloudFlare is a website in the United States that provides CDN services, with its own CDN server nodes all over the world. Many large companies and websites at home and abroad use CloudFlare's CDN services; the one most commonly used by domestic webmasters is CloudFlare's free CDN, which is also very good. The free SSL certificate provided by CloudFlare is UniversalSSL, that is, universal SSL. Users can use the SSL certificate without applying for and configuring a certificate from a certificate authority. CloudFlare provides SSL encryption to all users (including free users): the certificate is set up in the web interface within 5 minutes, the automatic deployment is completed within 24 hours, and website traffic gets a TLS encryption service based on the Elliptic Curve Digital Signature Algorithm (ECDSA).

2. NameCheap

NameCheap is a leading ICANN-accredited domain name registration and website hosting company, established in 2000. The company provides free DNS resolution, URL forwarding (which can hide the original URL and supports 301 redirection) and other services. In addition, NameCheap also provides one year of free SSL certificate service.

3. Let's Encrypt

Let's Encrypt is a free SSL certificate issuance project that has been very popular recently. Let's Encrypt is a free public welfare project provided by ISRG, which automatically issues certificates, but each certificate is only valid for 90 days. It is suitable for personal use or temporary use, and you no longer have to endure the prompt that a self-signed certificate is not trusted by the browser.

In fact, Chen Weiliang's blog is also planning to use Let's Encrypt soon ^_^

For a Let's Encrypt free SSL certificate application tutorial, please refer to this article for details: "How to apply for Let's Encrypt"

We hope that "What is the difference between http vs https? SSL Encryption Process Detailed Explanation", shared by Chen Weiliang Blog ( https://www.chenweiliang.com/ ), will help you.

Welcome to share the link of this article: https://www.chenweiliang.com/cwl-511.html
