HTTP (Hypertext Transfer Protocol) is currently the most widely used protocol on the Internet. As people's awareness of network security has grown, HTTPS has been adopted more and more widely. Whether we are visiting a shopping website or logging in to a blog or forum, we are protected by HTTPS. Mainstream browsers such as Google Chrome and Firefox now even mark every site served over plain HTTP as "not secure".
Why is HTTPS more secure than HTTP? Before answering this question, we first need to understand what HTTP and HTTPS are.
Access process of HTTP and HTTPS
Since the early days of the Internet, HTTP has been the standard protocol for transferring information between computers on the Internet. The information transferred can be documents, files, images, videos, and so on.
During an HTTP request there is no step in which the client and the server confirm each other's identity. All data is transmitted in clear text, "naked" on the Internet, so it is easy for an attacker to intercept.
As the picture above shows, the request sent by the client can easily be intercepted by an attacker. If the attacker impersonates the server at that point, it can return arbitrary content to the client without the client noticing; this is why we so often hear the word "hijacking".
HTTPS is simply HTTP over SSL (HTTP + SSL = HTTPS). When you see HTTPS in your browser's address bar, it means that all communication with the website is encrypted, which makes the whole visit more secure.
Why HTTPS is more secure than HTTP
The security of HTTPS comes from three properties:
Server authentication: through verification of the server's identity, the user knows that they are really communicating with the intended server.
Data confidentiality: because the data sent is encrypted, other parties cannot understand its content.
Data integrity: the transmission carries a Message Authentication Code (MAC) for verification, so the transmitted data cannot be altered by another party without detection.
Here is an example for comparison. An HTTP request consists of several lines of text that follow the HTTP protocol, such as the following GET request:
GET /helloupyun.txt HTTP/1.1
User-Agent: curl/7.73.0 libcurl/7.73.0 OpenSSL/1.1.1 zlib/1.2.11
Host: www.upyun.com
Accept-Language: en
This request is sent directly in clear text. Because it is clear text, anyone with a basic understanding of the protocol's commands and syntax can read and understand the request simply by monitoring the connection while it is sent. Sending data such as passwords over HTTP is therefore extremely insecure.
In contrast, HTTPS uses SSL (or TLS) to encrypt HTTP requests and responses, so in the example above someone monitoring the connection would see only a string of random-looking characters rather than readable text, for example:
GsERHg9YDMpYk0VVDiRvw1H5miNieJeJ/FNUjgH0BmVAWII6+T4MnDwmCMZUI/orxP3HGwYCSIvyzS3MpmmSe4iaWKCOHH==
The encryption is provided by SSL (Secure Sockets Layer; in practice its successor, TLS), a standard security technology that makes use of both asymmetric and symmetric keys.
Symmetric encryption
Symmetric encryption refers to an encryption algorithm that uses the same key for encryption and decryption.
Currently common encryption algorithms include: DES, AES, IDEA, etc.
Asymmetric encryption
Asymmetric encryption uses two keys, a public key and a private key. The public key is used to encrypt data such as the website account password, and the matching private key is used to decrypt it. The public key is sent to everyone who visits the website, while the private key is held only by the website's server.
Currently common asymmetric encryption algorithms: RSA, DSA, DH, etc.
Commonly used cipher suites, such as the ChaCha20-Poly1305 suite, combine these two kinds of algorithm: ChaCha20 is the symmetric encryption algorithm and Poly1305 is the message authentication (MAC) algorithm.
According to the RFC, ChaCha20 provides a 256-bit key, which as a symmetric cipher is sufficient to guarantee the security of HTTPS.
Poly1305 provides authentication, which prevents an attacker from inserting forged data into the secure data stream during the TLS handshake. Poly1305 offers a security strength of approximately 100 bits against forgery, which is sufficient to defeat this type of attack.
In short, compared with HTTP, HTTPS does not only encrypt the data in transit; it also gives the website a trustworthy identity card.
Advantages and disadvantages of HTTPS
Overall, HTTPS has the following five advantages:
● Maximizes the security of data and transactions on the Web;
● Encrypt user sensitive or confidential information;
● Improves rankings in search engines;
● Avoids the "not secure" warning shown in the browser;
● Enhance users’ trust in the website.
On the other hand, the disadvantages should not be overlooked:
● The HTTPS protocol takes a relatively long time in the handshake phase, which will affect the overall page loading speed;
● It will take more CPU cycles on the browser and server to encrypt/decrypt data;
● SSL certificates generally require a fee to obtain, and the cost is often not low;
● It is not secure in an absolute sense. Once the website itself is compromised and the server hijacked, HTTPS can provide essentially no protection.