I used HTTPS, but I didn't expect it to be monitored.

代码熬夜敲

Hello everyone, my name is Jay Chou.

Last week, a friend on WeChat sent me a picture:


At first glance: it is HTTPS, not HTTP! Looking again, the site is www.baidu.com, not a copycat website!

I understood at once what was going on, and asked him to click the small lock icon in the browser's address bar to check the HTTPS certificate the website was using.

As expected, the certificate is not the official one. The official certificate: [image]

And the fake certificate was issued by their company. It seems that their company has begun to analyze HTTPS traffic. The guy shivered instantly...


Today, let's talk about it: is HTTPS really safe?

Nowadays, almost every website people visit day to day uses HTTPS. Sometimes I want to find an HTTP website so that new students can practice packet capture and analysis, but one is not easy to find.

But a few years ago, around the time I started my graduation work (2014), that wasn't the case, and there were plenty of sites on the web that used HTTP.

As we all know, HTTP is the Hypertext Transfer Protocol, and it transmits data in clear text over the network, which is very insecure. A classmate in the same dormitory can monitor which video learning websites you browse by carrying out a man-in-the-middle hijack.

Not only that: network devices at every level of the Internet path, including the dormitory router, can see your data and even insert small advertisements into it. (In fact, this still happens. Many hospital and school websites in particular still use HTTP, which makes it especially easy to inject small advertisements.) One accidental click and you jump to an advertisement page, which is really hard to guard against.

Soon the wave of websites moving to HTTPS arrived. Using the simplest and most direct method, encryption, the data the browser transmits while you are online is protected, and the security of Internet content has been greatly improved.

I previously wrote a story describing how HTTPS works in simple terms; those who don't understand it can read that. I often ask candidates about it in interviews, because it quickly shows me how well the other person understands HTTPS.

Let's briefly summarize it through the following quick question and answer section.


As you can see, the cornerstone of HTTPS security is asymmetric encryption. The premise of asymmetric encryption is that the other party is really the other party. If this premise is not true, everything that follows is false!

When a website server communicates using HTTPS, it will provide a certificate to prove its identity, and this certificate will be issued by a trusted authority.

After the browser gets the certificate, it will verify the validity of the certificate and check whether the issuing authority of the certificate is trusted.

So how does it check whether the issuing authority is trusted?

The answer is to keep checking the certificate of the issuing authority to see who issued it, and so on, until the final issuer is found, and then to see whether the final issuer's certificate is installed in the operating system's list of trusted root certificates.


Are you already dizzy? It doesn't matter, let's take Baidu's certificate as an example, take a look at the process, and you will know what it means.

You can view the certificate issuance chain by clicking the certificate path tab page:


Through this tree structure diagram, you can clearly see:

The certificate used for the baidu.com domain was issued by an issuer named GlobalSign Organization Validation CA - SHA256 - G2.

And that issuer's certificate was in turn issued by GlobalSign Root CA - R1.

After the browser gets the top-level issuing certificate, it looks for it in the list of trusted root certificates installed in the operating system, and hey, it really is there!


Therefore, the browser trusts the certificate and continues the next communication process.

If it can't find it, the browser will pop up an untrusted message, reminding the user to be careful!


And if someone installs a root certificate of their own on your computer and deceives the browser, the foundation of all this security is overturned.

The reason that window popped up for my friend at the beginning of the article is that the HTTPS hijacking started before the root certificate was installed. We know this because after the restart there were no more prompts, and everything looked as normal as usual, except that his Internet traffic was now fully under the company's control.

Seeing this, why don't you click on the lock in the browser's address bar to see if the issuing authority of the certificate is your company?

If yes, then congratulations~
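The lock-icon check above can also be scripted. The following is an added example, not code from the original article: it reads the issuer of a site's certificate with Python's standard `ssl` module and flags an issuer organization that is not on an expected list. The sample certificates, `Example Corp IT`, `EXPECTED_ORGS` and the function names are constructed for illustration.

```python
import socket
import ssl

def fetch_cert(host, port=443, timeout=5.0):
    """Return the validated leaf certificate as a getpeercert() dict."""
    ctx = ssl.create_default_context()  # verifies against the local trust store
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def issuer_fields(cert):
    """Flatten the issuer RDN sequence of a getpeercert() dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def check_issuer(cert, expected_orgs):
    """Compare the issuer organization with the CAs expected for this site."""
    issuer = issuer_fields(cert)
    org = issuer.get("organizationName", "")
    verdict = "expected" if org in expected_orgs else "unexpected-issuer"
    return verdict, org, issuer.get("commonName", "")

def live_check(host, expected_orgs):
    """Fetch and classify a live site; needs network access."""
    try:
        return check_issuer(fetch_cert(host), expected_orgs)
    except ssl.SSLCertVerificationError as exc:
        # No locally trusted root at the top of the chain: the warning case.
        return "untrusted-chain", "", exc.verify_message

# Constructed samples in getpeercert() format (not captured traffic).
OFFICIAL = {
    "subject": ((("commonName", "baidu.com"),),),
    "issuer": ((("countryName", "BE"),),
               (("organizationName", "GlobalSign nv-sa"),),
               (("commonName",
                 "GlobalSign Organization Validation CA - SHA256 - G2"),)),
}
INTERCEPTED = {
    "subject": ((("commonName", "baidu.com"),),),
    "issuer": ((("organizationName", "Example Corp IT"),),
               (("commonName", "Example Corp Inspection CA"),)),
}
# Assumption: issuer organizations recorded beforehand on a clean network.
EXPECTED_ORGS = {"GlobalSign nv-sa"}

if __name__ == "__main__":
    for name, cert in (("official", OFFICIAL), ("intercepted", INTERCEPTED)):
        print(name, check_issuer(cert, EXPECTED_ORGS))
    # Live use: print(live_check("www.baidu.com", EXPECTED_ORGS))
```

Python may use a different trust store than the browser, so on an intercepted network `live_check` can return `untrusted-chain` rather than `unexpected-issuer`; both results warrant a closer look at the certificate.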


Finally, a question for everyone to think about: will WeChat be affected by this HTTPS hijacking? Feel free to share your opinion in the comment area!


李志宽: top-100 creator, penetration testing expert, an outwardly reserved guy, has his own rock band
