Engineering Science Popularization: From HTTP to HTTPS – Building a Secure Network


1. HTTP and HTTPS

HTTP (HyperText Transfer Protocol) is the most widely used network protocol on the internet. When we open a browser to access a webpage, we are using the HTTP protocol. Specifically, accessing a webpage involves the browser requesting webpage resources from a server, and the HTTP protocol defines how the client (browser) requests resources from the server.


Figure 1: HTTP Request Process

However, the requested resource is transmitted in plaintext, so anyone sitting between the two parties can intercept and read it, much like a transparent envelope whose contents are visible to everyone who handles it. For example, as Figure 2 shows, during login the user sends sensitive information such as a username and password to the server, and this information can be leaked. In addition, HTTP cannot verify the identity of either party, so both client and server are exposed to identity spoofing, which seriously threatens the security of network communication.


Figure 2: Information Intercepted by Hackers

Because of these flaws in HTTP, network security problems have become increasingly prominent, which led to HTTPS (HTTP + SSL/TLS), essentially HTTP with a protective layer added. In HTTPS the transmitted data is encrypted, and asymmetric (public key) cryptography is introduced, which makes it possible to verify the identity of both parties and to ensure that data is not tampered with in transit. In simple terms, HTTPS is a more secure version of HTTP.


Figure 3: Information Transmission Using HTTPS

2. Principles of HTTPS

Having introduced the basic concept of HTTPS, we now describe how it is implemented. The most visible change is that the URL prefix changes from http to https, indicating that the request must be transmitted encrypted over HTTPS.


Figure 4: Representation of HTTPS in Network Structure

Currently, HTTPS relies on two protocols, SSL (Secure Sockets Layer) and TLS (Transport Layer Security), both cryptographic protocols that secure network communication. TLS is the successor to SSL; it offers stronger protection and fixes many known vulnerabilities in SSL, which is why some modern services and applications support only TLS.


Figure 5: Certificate Trust Chain

Next, we introduce CA digital certificates, which are central to identity authentication on the internet; HTTPS cannot work without a CA. A CA digital certificate is an electronic document issued by a Certificate Authority (CA) to verify the identity of an entity on the internet. The CA is responsible for approving, issuing, archiving and revoking digital certificates, and its statements are treated as authoritative. CAs are divided into root CAs and intermediate CAs. In principle a root CA should not issue end-entity certificates directly; these should be issued by intermediate CAs. This limits the damage when a certificate has to be invalidated: if a root certificate is compromised or forged, every certificate chained under it is compromised.


Figure 6: HTTPS Encryption and Decryption Process

Figure 6 summarizes the overall HTTPS workflow, which consists of two stages, certificate verification and data transmission:

1) The user initiates an HTTPS request in the browser, defaulting to connect using the server’s port 443.

2) HTTPS requires a CA-issued digital certificate, which contains the public key (Pub); the corresponding private key (Private) is kept secret on the server.

3) The server receives the request and returns a configured certificate containing the public key (Pub) to the client.

4) The client receives the certificate and verifies its validity, which includes checking that it is within its validity period, that the certificate's domain matches the requested domain, and that the parent certificate is valid (recursively, until reaching a root certificate built into the system or configured in the browser). If verification fails, an HTTPS warning is displayed; if it passes, the process continues.

5) The client generates a random key for symmetric encryption and encrypts it using the public key (Pub) from the certificate, sending it to the server.

6) The server receives the ciphertext of the random key and decrypts it with the corresponding private key (Private), obtaining the random key the client generated.

7) The server uses the random key sent by the client to symmetrically encrypt the HTTP data to be transmitted and returns the ciphertext to the client.

8) The client uses the random key to symmetrically decrypt the ciphertext, obtaining the plaintext HTTP data.

9) Subsequent HTTPS requests use the previously exchanged random key for symmetric encryption and decryption.


Figure 7: Status of Non-HTTPS Address Bar

(1) Symmetric Encryption

Symmetric encryption uses the same key for both encryption and decryption. Commonly used algorithms today include AES and ChaCha20, which are fast and efficient at processing large amounts of data; the algorithms are relatively simple and consume few resources, making them suitable for high-performance scenarios. However, the key itself has to be delivered to the other party, and it can be leaked in transit.


Figure 8: Principles of Symmetric Encryption

(2) Asymmetric Encryption

Asymmetric encryption uses a pair of keys, a public key and a private key. The public key can be freely distributed, while the private key must be kept secret. Information encrypted with the public key can only be decrypted with the corresponding private key, and vice versa. This solves the key distribution problem, because the public key does not need to be kept secret. Compared with symmetric encryption it is computationally more expensive and slower, and it consumes more resources, especially for key pair generation and the encryption/decryption operations themselves, so it is not suitable for encrypting large amounts of data directly.


Figure 9: Asymmetric Encryption Algorithm


