1. HTTP Disadvantages
HTTP is an application layer protocol.
Its main shortcomings are:
- Communication is in plain text (not encrypted), so the content can be eavesdropped on
- The identity of the communicating party is not verified, so an attacker can masquerade as it
- The integrity of the message cannot be proven, so it may have been tampered with in transit
2. What is HTTPS
HTTP + encryption + authentication + integrity protection = HTTPS
HTTPS is HTTP wrapped in an SSL/TLS layer. SSL does three things: encryption, authentication, and integrity protection.
2.1 Encryption
SSL relies on three kinds of cryptographic primitives:
- A hash algorithm generates a digest, which is used to verify integrity
- Asymmetric encryption is used for identity authentication. Asymmetric algorithms need a public key and a private key and have poor performance
- Symmetric encryption is used to encrypt the communication itself. Symmetric encryption only needs a shared secret key and has good performance
2.2 Authentication
How does the client make sure it is talking to the real server?
The server applies to a certificate authority (CA) for a digital certificate.
The CA signs the server's public key together with the server's identity information with the CA's private key; the result is the digital certificate.
The client then uses the public key of the CA installed on its system to verify the digital certificate. If the information matches, authentication is complete.
Let's take a look at the https digital certificate of Sifu
2.3 Integrity protection
Running a piece of information through a digest algorithm produces a string of hash values: the digest.
The server signs this digest with its private key; the signed digest is the digital signature.
After the client receives the information, it computes a digest of the information itself and gets digest A. If digest A is the same as digest B recovered from the digital signature, the information is complete and has not been altered or lost.
Difference between a digital signature and a digital certificate
The digital signature is produced by the server itself, to protect the integrity of the information
The digital certificate is issued by the CA and contains the server's public key and identity information; it is used for authentication
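The two steps above, the CA issuing a certificate (2.2) and the server signing a digest that the client checks (2.3), as an added example in Go. This is not code from the original post; it uses the Go standard library only. The CA name "Example Root CA", the host name "www.example.com" and the messages are constructed values for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert builds a certificate from a template, signed by parent with the
// signer's private key (parent == tmpl means self-signed).
func newCert(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MakeCA creates a self-signed root CA. "Example Root CA" is a constructed
// name for this demo, not a real CA.
func MakeCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := newCert(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// IssueServerCert is what the CA does for the server (2.2): it signs the
// server's public key together with its identity (the DNS name) using the
// CA private key. The server's own private key never leaves the server.
func IssueServerCert(ca *x509.Certificate, caKey *rsa.PrivateKey, host string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, err := newCert(tmpl, ca, &key.PublicKey, caKey)
	return cert, key, err
}

// ClientVerifiesCert is the client side of 2.2: only CAs installed in the
// client's trust pool are accepted, and the certificate must name the host.
func ClientVerifiesCert(trustedCA, serverCert *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	_, err := serverCert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// SignMessage is 2.3 on the server: hash the message, then sign the digest
// with the server's private key. The result is the digital signature.
func SignMessage(serverKey *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, serverKey, crypto.SHA256, digest[:])
}

// VerifyMessage is 2.3 on the client: recompute digest A from the received
// message and check it against the digest bound into the signature (digest B)
// using the server's public key. Any change to the message breaks the match.
func VerifyMessage(serverPub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(serverPub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	ca, caKey, err := MakeCA()
	if err != nil {
		panic(err)
	}
	srvCert, srvKey, err := IssueServerCert(ca, caKey, "www.example.com") // constructed host
	if err != nil {
		panic(err)
	}
	fmt.Println("cert ok for www.example.com:", ClientVerifiesCert(ca, srvCert, "www.example.com") == nil)
	fmt.Println("cert ok for other.example.com:", ClientVerifiesCert(ca, srvCert, "other.example.com") == nil)

	msg := []byte("GET /index.html")
	sig, _ := SignMessage(srvKey, msg)
	fmt.Println("signature valid:", VerifyMessage(&srvKey.PublicKey, msg, sig))
	fmt.Println("signature valid after tampering:", VerifyMessage(&srvKey.PublicKey, []byte("GET /admin.html"), sig))
}
```

Two failure cases are worth noticing: a certificate signed by a CA that is not in the client's trust pool is rejected even though it is otherwise well formed, and a certificate for a different host name is rejected even though the CA is trusted. Both checks are what stop a masquerading server.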
3. Specific communication process
3.1 The client sends an encryption request
The client sends a request to the server. The request includes the protocol version in use and the encryption methods the client supports.
3.2 The server responds with a certificate
After the server receives the request, it picks the encryption method both parties will use and returns the server's certificate.
3.3 The client verifies the identity, obtains the public key, and sends a random number to the server
After the client confirms that the server certificate is valid, it generates a new random number, encrypts it with the public key from the digital certificate, and sends it to the server.
3.4 The server receives the random number
The server decrypts the random number sent by the client with its own private key.
3.5 Actual communication
The client and the server both derive a shared secret key from the random number and use it to encrypt the communication between them.
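Steps 3.1 to 3.5 as an added Go simulation, not code from the original post. It assumes the client has already validated the server certificate (step 3.3) and holds the public key from it, so only the key exchange and the switch to symmetric encryption are shown. The cipher suite name, the protocol version string and the request text are constructed values for the demo; the shared key is derived from the random secret with SHA-256 and the traffic is encrypted with AES-256-GCM.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// ClientHello is step 3.1: the protocol version and the cipher suites the
// client supports.
type ClientHello struct {
	Version string
	Ciphers []string
}

// ServerChoose is step 3.2: the server picks the first client-offered suite
// it also supports, or fails the handshake if there is no common suite.
func ServerChoose(hello ClientHello, supported []string) (string, error) {
	for _, c := range hello.Ciphers {
		for _, s := range supported {
			if c == s {
				return c, nil
			}
		}
	}
	return "", errors.New("no cipher suite in common")
}

// ClientKeyExchange is step 3.3: the client draws a fresh random secret and
// encrypts it to the server's public key taken from the certificate.
func ClientKeyExchange(serverPub *rsa.PublicKey) (secret, encrypted []byte, err error) {
	secret = make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, secret); err != nil {
		return nil, nil, err
	}
	encrypted, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, secret, nil)
	return secret, encrypted, err
}

// ServerKeyExchange is step 3.4: only the holder of the private key can
// recover the secret; any other key fails to decrypt.
func ServerKeyExchange(serverPriv *rsa.PrivateKey, encrypted []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, encrypted, nil)
}

// DeriveSessionKey is step 3.5: both sides turn the shared secret into the
// same symmetric key (SHA-256 of the secret, chosen for this demo).
func DeriveSessionKey(secret []byte) []byte {
	k := sha256.Sum256(secret)
	return k[:]
}

// Seal encrypts with AES-256-GCM; the random nonce is prepended to the output.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; GCM's authentication tag check fails on any tampering.
func Open(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// RunHandshake walks steps 3.1 to 3.5 in one process and returns the message
// as decrypted by the server with the key it derived independently.
func RunHandshake(serverPriv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	suite := "TLS_RSA_WITH_AES_256_GCM_SHA384" // constructed offer for the demo
	hello := ClientHello{Version: "TLS 1.2", Ciphers: []string{suite}}
	if _, err := ServerChoose(hello, []string{suite}); err != nil {
		return nil, err
	}
	clientSecret, encrypted, err := ClientKeyExchange(&serverPriv.PublicKey)
	if err != nil {
		return nil, err
	}
	serverSecret, err := ServerKeyExchange(serverPriv, encrypted)
	if err != nil {
		return nil, err
	}
	if !bytes.Equal(clientSecret, serverSecret) {
		return nil, errors.New("secret mismatch")
	}
	ct, err := Seal(DeriveSessionKey(clientSecret), msg)
	if err != nil {
		return nil, err
	}
	return Open(DeriveSessionKey(serverSecret), ct)
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // the server's key pair
	if err != nil {
		panic(err)
	}
	out, err := RunHandshake(key, []byte("GET / HTTP/1.1"))
	fmt.Printf("server read: %q (err=%v)\n", out, err)
}
```

The random secret crosses the wire only under the server's public key, so an eavesdropper who records the handshake cannot derive the session key, and the symmetric cipher's tag check means a tampered record is rejected rather than decrypted to garbage.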
4. Install an https certificate
- First apply for a certificate. Individuals can apply for a free one.
- Then download the certificate. The nginx folder of the download contains two files: a .key file (the private key) and a .crt file (the certificate)
- Move the files to the relevant location of nginx
- Modify the configuration and restart
ssl_certificate "/etc/nginx/tlsconfig/1_yangkaiqiang.com_bundle.crt";
ssl_certificate_key "/etc/nginx/tlsconfig/2_yangkaiqiang.com.key";
- https is now configured and the site can be accessed
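A complete server block around the two directives above, as an added example that is not from the original post. It keeps the page's certificate paths and domain; the document root and the session cache settings are assumptions, and the protocol list is what a current nginx defaults to, written out so the intent is visible.

```nginx
# Redirect plain HTTP to HTTPS so nothing is served in clear text.
server {
    listen 80;
    server_name yangkaiqiang.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name yangkaiqiang.com;

    # The .crt bundle (server certificate plus CA chain) and the private .key from the download.
    ssl_certificate     /etc/nginx/tlsconfig/1_yangkaiqiang.com_bundle.crt;
    ssl_certificate_key /etc/nginx/tlsconfig/2_yangkaiqiang.com.key;

    # Only current protocol versions; SSLv3, TLS 1.0 and TLS 1.1 are no longer safe.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:10m;   # assumed value
    ssl_session_timeout 10m;            # assumed value

    location / {
        root /usr/share/nginx/html;     # assumed document root
    }
}
```

Before restarting, run `nginx -t` to catch a wrong path or a certificate/key mismatch, and keep the .key file readable only by root (`chmod 600`), since anyone who can read it can impersonate the site.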
5. Interview questions
- What is https
- What is a digital certificate
- Features of https
- https communication process
- How does https ensure security