[How HTTPS works Part 1 — Building Blocks] HTTPS 的工作方式第 1 部分-基本構造塊
Introduction
Have you ever wondered what happens when you type any URL in the browser? Why few websites are on HTTPS while others on HTTP? When you purchase anything online using your credit card, how does a website ensure that your sensitive information is not leaked? Same applies to the case when you enter login Id and password on any social media website.
In this article, I’ll be elaborating basic working of HTTP, its disadvantages and the basic building blocks of HTTPS. In the next article, I’ll be explaining the internals of https, SSL handshake & clear confusion between SSL, TLS & HTTPs.
Working of HTTP
When you type any URL in the browser, the browser acts like a client & the website behaves like a server. The client uses HTTP protocol and fetches information from the server. The server returns an HTML page which the browser then renders and displays it to the user. Following is an overview of the process:-
To get more clarity, you can use the curl command to observe what request the client sends and how the server responds. Curl is a command-line utility and works similar to a browser (except rendering the HTML)
Let’s run the command — curl -X GET ‘https://airindia.com' -v
You will see the following output:-
As you can see, the IP Address of the website was first resolved and then an HTTP request was sent by the client. Following is the HTTP request sent:-
> GET / HTTP/1.1
> Host: airindia.com
> User-Agent: curl/7.58.0
> Accept: */*
Disadvantages of HTTP
- Message Integrity: When you are sending a message over HTTP, anyone on the network can see what message is being sent. Further, anyone can intercept the message, modify it and send it to the server. For eg:- If you are chatting with your friend & sending a message “Hey, you are smart”, someone can modify the message and send “Hey, you are an idiot”.
- Confidentiality: If you are shopping online (HTTP website) and paying using credit card details, a hacker on the network can observe all the sensitive details sent to the website. The hacker can use your sensitive information and steal your money.
- Authenticity: A browser must validate the identity of any website & trust it. For eg:- On foreign trips, Airport officials ask you for your passport to verify that it’s you and not someone else. Here, passport acts like an identity. To trust a website it must present an identity to the client. In HTTP communication, this is not possible. On entering URL of an HTTP website in the browser, you will see the following warning in the address bar:-
HTTPs & its building blocks
HTTPs is secure HTTP. HTTPs guarantees that communication that takes place over HTTP is encrypted. It overcomes the disadvantages of the HTTP mentioned above. To understand HTTPs, we will first need to understand how encryption works.
Encryption algorithms are of two types:
Symmetric key encryption: In this scheme, only one key is used to encrypt and decrypt information. The sender and receiver both must have access to the key to process the information.
Asymmetric Key encryption: In this algorithm, a pair of keys is generated. Both the keys are mathematically linked. One of the keys is called the private key and the other key is the public key. Information can be encrypted using the public key and decrypted through the private key. The receiver must share its public key with the sender. The sender then encrypts the message using the public key & receiver uses the private key to decrypt it. To ensure that no one on the network modifies the message, HTTPs uses Message Authentication Code (MAC).
Message Authentication Code: An extra piece of information known as MAC is sent along with the message to ensure message authentication. The sender uses Symmetric-key and the message to generate the MAC. Once the receiver receives the message, it will use the same symmetric-key & extracted message to generate a MAC. Further, the receiver will compare the MAC sent by the sender and the one it generated. If there is a mismatch, then it means the message got tampered mid-way. Following diagram illustrates the process of generating & verifying MAC.
As discussed before, the browser also needs to validate the identity of the website. In the internet world, identification means that the site client is visiting is indeed the one it thinks it is. HTTPs uses SSL certificates for identification. These SSL certificates are issued by Certificate Authorities or CAs and have validity. Let’s see who is a Certificate Authority & how it works.
- Certificate Authority: These are third party organizations who issue certificates to different websites. They confirm the identity of the certificate owner & provide proof that a certificate is valid. All https websites have certificates. You can click the lock icon in the address bar to view the CA who has issued the certificate. Let’s see for medium.com who is the Certificate Authority.
It can be seen from above that connection to medium.com is secure. DigiCert is the certificate authority who has provided certificates to this website. You can find information about medium.com and also the Issuer (DigiCert) in the above image.
Conclusion
You have learnt about the working of HTTP, disadvantages of HTTP and basic building blocks of HTTPs.
In the next article, we will dive deep & see how HTTPs leverages these blocks to make the client-server communication secure.
References
Wikipedia-HTTPS How SSL Works Images- AirIndia.com HTTPS image-Image Link
原文:https://medium.com/@animeshgaitonde/how-https-works-part-1-building-blocks-64f9915b1f39
- 加微信實戰群請加微信(註明:實戰群):gocnio
相關文章
- 使用Go構建區塊鏈 第1部分:基本原型Go區塊鏈原型
- how tomcat works(第18章:部署器)Tomcat
- 在Go中構建區塊鏈 第4部分:交易1Go區塊鏈
- How Python list works?Python
- HTTPS基礎原理和配置 - 1HTTP
- 遊戲音訊存檔 | 第 1 部分:基本情況遊戲音訊
- 2.3.3.3.1 How an Application Upgrade WorksAPP
- https://bbs.elecfans.com/jishu_2386778_1_1.htmlHTTPHTML
- 呼叫https介面時報錯:PKIX path building failed 的問題HTTPUIAI
- How to configure SAP connections with Connection Transmitter Over air_part1MITAI
- How React Works (一)首次渲染React
- how webpack Hot Module Replacement worksWeb
- 使用openSSL構造一個支援https的nodejs伺服器HTTPNodeJS伺服器
- nginx配置ssl加密(單/雙向認證、部分https) – HTTPS SSL 教程Nginx加密HTTP
- SmallerAPK,第1部分:APK的剖析APK
- 第1節:GTID的基本概念
- 如何構建一個多人(.io) Web 遊戲,第 1 部分Web遊戲
- https構建(基礎)HTTP
- 深入理解http1.x、http 2和httpsHTTP
- Spring 的優秀工具類盤點第 1 部分Spring
- 《Divinuet》的互動音樂系統 – 第 1 部分
- [譯] 創造華麗 UI 的 7 個規則(Part 1)UI
- 《The Rust Programming language》程式碼練習(part 1 基礎部分)Rust
- 1.OpenDaylight基本架構架構
- 用 HTTPS 安全嗎?HTTPS 的原理是啥?HTTP
- 「智造」第1期:鍛造行業智慧製造規劃行業
- mORMot模糊概念--FormatSQL-第1部分ORMSQL
- Webshell-Part1&Part2Webshell
- HTTPS 的故事HTTP
- https的原理HTTP
- httpsHTTP
- Docker 入門(Mac環境)-part 1 入門基本操作DockerMac
- 自動的HTTPS伺服器:HTTPS-PORTALHTTP伺服器
- 29、undo_2_1(事務槽、延遲塊清除、構造CR塊、ora-01555)
- CF構造題1600-1800(1)
- [安全] HTTPS的理解HTTP
- https如何工作的HTTP
- 架構師之路-https底層原理架構HTTP