HTTPS Principles Explained

As the cost of building HTTPS websites decreases, most websites have begun to use the HTTPS protocol. Everyone knows that HTTPS is more secure than HTTP, and we have also heard of concepts related to the HTTPS protocol, such as SSL, asymmetric encryption, and CA certificates. However, we may not be able to answer the following three soul-searching questions:

1. Why is using HTTPS safe?

2.How is the underlying principle of HTTPS implemented?

3. Is it safe if HTTPS is used?

This article will go deeper and explain the security of HTTPS from the principle.

How HTTPS works

You may have heard that the reason why the HTTPS protocol is secure is that the HTTPS protocol encrypts the transmitted data, and the encryption process is implemented using asymmetric encryption. But in fact, HTTPS uses symmetric encryption for content transmission, and asymmetric encryption only works in the certificate verification stage.

The overall process of HTTPS is divided into certificate verification and data transmission stages. The specific interaction process is as follows:

① Certificate verification phase

The browser initiates an HTTPS request

The server returns the HTTPS certificate

The client verifies whether the certificate is legal, and if it is not legal, an alarm is prompted

② Data transmission stage

1. Once the certificate is verified to be legitimate, a random number is generated locally

2. Encrypt the random number with the public key and transmit the encrypted random number to the server

3. The server decrypts the random number using the private key

4. The server constructs a symmetric encryption algorithm using the random number passed in by the client, and encrypts the returned result before transmitting it

Why is symmetric encryption used for data transmission?

First, the encryption and decryption efficiency of asymmetric encryption is very low. In HTTP application scenarios, there is usually a lot of interaction between ends, so the efficiency of asymmetric encryption is unacceptable.

In addition, in the HTTPS scenario, only the server saves the private key, and a pair of public and private keys can only achieve one-way encryption and decryption, so the content transmission encryption in HTTPS adopts symmetric encryption rather than asymmetric encryption.

Why do we need a CA to issue a certificate?

The HTTP protocol is considered unsafe because the transmission process can be easily intercepted and the server forged by eavesdroppers, while the HTTPS protocol mainly solves the security problem of network transmission.

First, we assume that there is no certification authority and anyone can create a certificate. The security risk this brings is the classic "man-in-the-middle attack" problem.

The specific process of "man-in-the-middle attack" is as follows:

Process principle:

1. Local requests are hijacked (such as DNS hijacking, etc.), and all requests are sent to the middleman's server

2. The middleman server returns the middleman’s own certificate

3. The client creates a random number, encrypts it with the public key of the middleman's certificate and sends it to the middleman, and then uses the random number to construct symmetric encryption to encrypt the transmission content.

4. The middleman can decrypt the content through the symmetric encryption algorithm because he has the client's random number

5. The middleman sends a request to the regular website with the client's request content

6. Because the communication process between the middleman and the server is legal, the legitimate website returns the encrypted data through the established secure channel

7. The middleman decrypts the content using the symmetric encryption algorithm established with the official website

8. The middleman encrypts and transmits the data returned by the regular content through the symmetric encryption algorithm established with the client

9. The client decrypts the returned result data using the symmetric encryption algorithm established with the middleman

Due to the lack of certificate verification, although the client initiates an HTTPS request, the client is completely unaware that its network has been intercepted and the transmission content has been completely stolen by the middleman.

How does the browser ensure the legitimacy of the CA certificate?

1. What information does the certificate contain?

Issuing agency information

Public Key

Company Information

domain name

Validity

fingerprint

......

2. What is the legal basis of the certificate?

First of all, an authoritative organization must be certified. Not every organization is qualified to issue certificates, otherwise it cannot be called an authoritative organization.

In addition, the credibility of the certificate is based on the trust system. The authoritative organization needs to endorse the certificates it issues. As long as the certificate is generated by an authoritative organization, we consider it to be legal.

Therefore, the authoritative organizations will review the applicant's information. Authoritative organizations of different levels have different requirements for the review, so the certificates are divided into free, cheap and expensive.

3. How does the browser verify the legitimacy of the certificate?

When the browser initiates an HTTPS request, the server returns the website's SSL certificate. The browser needs to verify the certificate as follows:

1. Verify whether the domain name, validity period and other information are correct. The certificate contains this information, making verification easier;

2. Determine whether the source of the certificate is legal. Each issued certificate can find the corresponding root certificate based on the verification chain. The operating system and browser will store the root certificate of the authority locally. The local root certificate can be used to complete the source verification of the certificate issued by the corresponding organization.

3. Determine whether the certificate has been tampered with. Need to verify with CA server;

4. Determine whether the certificate has been revoked. This is achieved through CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol). OCSP can be used in step 3 to reduce interaction with the CA server and improve verification efficiency.

The browser considers the certificate to be legitimate only when any of the above steps are met.

Here is a question that I have been thinking about for a long time, but the answer is actually very simple:

Since the certificate is public, if I want to launch a man-in-the-middle attack, I download a certificate from the official website as my server certificate, and the client will definitely recognize that this certificate is legitimate. How can I avoid this kind of certificate impersonation?

In fact, this is the use of public and private keys in non-encrypted symmetric authentication. Although the middleman can obtain the certificate, the private key cannot be obtained. It is impossible to deduce the corresponding private key from a public key. Even if the middleman obtains the certificate, he cannot disguise himself as a legitimate server because he cannot decrypt the encrypted data passed by the client.

4. Can only certification authorities generate certificates?

If you need the browser not to prompt security risks, you can only use a certificate issued by a certification authority. However, browsers usually only prompt security risks and do not restrict access to the website, so technically anyone can generate a certificate, and as long as they have a certificate, they can complete the HTTPS transmission of the website. For example, the early 12306 adopted the method of manually installing private certificates to achieve HTTPS access.

What to do if the local random number is stolen?

Certificate verification is implemented using asymmetric encryption, but the transmission process uses symmetric encryption. The important random numbers in the symmetric encryption algorithm are generated and stored locally. How does HTTPS ensure that the random numbers will not be stolen?

In fact, HTTPS does not include security guarantees for random numbers. HTTPS only guarantees the security of the transmission process. Random numbers are stored locally, and local security belongs to another security category. Countermeasures include installing anti-virus software, anti-trojan software, and browser upgrades to fix vulnerabilities.

Will I be captured if I use HTTPS?

HTTPS data is encrypted. Normally, the packet content captured by the packet capture tool after the proxy request is encrypted and cannot be viewed directly. Follow the WeChat public account: Java Technology Stack, and reply in the background: tools to get N of the latest development tool tutorials I have compiled, all of which are practical.

However, as mentioned above, the browser will only prompt a security risk. If the user authorizes, they can still continue to access the website and complete the request. Therefore, as long as the client is our own terminal and we authorize it, we can form a middleman network, and the packet capture tool acts as a middleman agent.

Usually, the usage of HTTPS packet capture tools is to generate a certificate. The user needs to manually install the certificate on the client. Then all requests initiated by the terminal complete the interaction with the packet capture tool through the certificate. The packet capture tool then forwards the request to the server. Finally, the result returned by the server is output to the console and then returned to the terminal, thus completing the closed loop of the entire request.

Since HTTPS cannot prevent packet capture, what is the point of HTTPS?

A: The client initiates an HTTPS request, the server returns a certificate, and the client verifies the certificate. After the verification is passed, a random number is generated locally for transforming the symmetric encryption algorithm. The random number is encrypted using the public key in the certificate and transmitted to the server. After receiving the random number, the server decrypts it using the private key to obtain the random number. Subsequent data interactions are encrypted and decrypted using the symmetric encryption algorithm.

Q: Why do I need a certificate?

A: It prevents "man-in-the-middle" attacks and provides identity verification for websites.

Q: Will I be captured if I use HTTPS?

A: The packets will be captured. HTTPS only prevents the user's communications from being monitored without the user's knowledge. If the user actively grants trust, a "man-in-the-middle" network can be built, and the proxy software can decrypt the transmitted content.

The above is the detailed explanation of the HTTPS principle. For more information about the HTTPS principle, please pay attention to other related articles on 123WORDPRESS.COM!