- What is https?
Now, please look at the address bar of your browser. You will see a green lock or a similar security symbol, which means that my blog has added https to ensure the security of data transmission~
So, what is https?
HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) is a secure version of HTTP, with security as its goal.
Source: Baidu Baike
Simply put, https ensures that the content presented to you on this website has not been tampered with.
A Little Story#
However, https is not completely secure. I saw a story on Zhihu (a Chinese Q&A platform): (Italicized comments are added by the author)
Once upon a time, there was a temple on the mountain, and there was a monk in the temple... Stop fooling around, the old monk is here.
The young monk asked the old monk: Why does SSL make HTTP secure?
The old monk replied: For example, you and I have the same password. When I send a message to you, I encrypt it with this password. When you receive the message, you decrypt it with this password, and you can know the content of my message. Other people who secretly obtain the message can only sigh because they don't know the password. This password is called a symmetric password. SSL uses symmetric passwords to encrypt and decrypt HTTP content, making HTTP secure. The commonly used encryption algorithms are 3DES and AES.
The young monk touched his head and asked the old monk: Master, if we both choose "monk" as the password and create a monk algorithm, wouldn't our communication be worry-free?
The old monk gave the young monk a ruler on the head: Then how am I supposed to write a love letter to the little flower at the foot of the mountain? Do I have to use the password "monk"? After thinking for a moment, the old monk gave the young monk another ruler: Although we are monks, not programmers, we can't reinvent the wheel. In the past, a group of talented programmers created the security algorithm WEP for Wifi, but later found out that it was a decorative pillow, which became a joke in the security community. Besides, the little flower only knows about 3DES and AES. How would she know about the monk algorithm?
The young monk asked: What should we do then?
The old monk said: As long as you and I know the password for each message, we can read each other's encrypted letters. The key is how we can know this symmetric password between us. If I write the password in a letter to her and the letter is stolen, then everyone will know our password and be able to understand our love letters. However, there is a solution. Here, I use the secret asymmetric password passed down in the martial arts world. I now have two passwords in my hand, one is called "public key" and the other is called "private key". The public key is published in the martial arts world, and many people know it, but only I know the private key. These two keys are mathematically related, which means that a message encrypted with the public key can be decrypted with the private key, but it cannot be decrypted with the public key. The little flower knows the public key. Every time she writes a letter to me, she encrypts her symmetric password with my public key, writes a separate password paper, and then encrypts her letter with her symmetric password. In this way, I can decrypt this symmetric password with my private key and then use this symmetric password to decrypt her letter.
This encryption method is called generating a self-signed certificate. This method is not completely secure and is manifested as a red https with a strikethrough in the Chrome address bar.
The old monk paused: Unfortunately, she always uses symmetric passwords like "Why does the monk write love letters", so every time I decrypt the password paper, I am always disappointed. In fact, the symmetric passwords I prefer are things like "wind and flowers" or "snow and moon". The most troublesome thing is that I have to use the password "Why does the monk write love letters" to encrypt the love letters I write back to the little flower. The most painful thing in the world is this. But little did I know that someone else was even more miserable. Zhang the butcher at the foot of the mountain has been secretly in love with the little flower for many years. Seeing our love letters, he felt uncomfortable and took the initiative to replace the pilgrims and deliver letters to us. The first time he delivered a letter to the little flower, he gave her his own public key, falsely claiming that it was my updated public key. The little flower believed it, and all subsequent password papers were encrypted with Zhang's public key. After Zhang received the reply, he decrypted the little flower's symmetric password with his private key, and not only could he see the content of the little flower's letter, but he could also forge letters from the little flower to me. He could also encrypt letters to the little flower with his private key. Gradually, I noticed that the letters had changed. Although I was suspicious, I had no concrete evidence. Once I wrote a letter asking the little flower about the first symmetric password she used, and "Why does the monk write love letters" was listed in the reply. So my doubts were slightly relieved. It wasn't until I went to visit the old abbot of Shaolin Temple on Song Mountain that I realized that because my public key didn't have a fire seal, anyone could forge a public key claiming to be mine. In this way, this person could read the letters written to me by others, forge letters written to me by others, and read my replies. This kind of martial arts skill is called a "Man-in-the-middle attack". The only solution is to use the fire seal of Shaolin Temple (a certificate issued by a CA organization). This fire seal is quite exquisite. I need to submit my public key and my position in the martial arts world to the 18 Arhats Committee. They will use the committee's private key to digitally sign the information, and the signed information will be highlighted on the fire seal. The authenticity of the public key with the fire seal is unquestionable in the martial arts world. You should know that no one dares to offend the 18 Arhats.
The young monk asked: What happened next?
The old monk said: When I returned to the temple from Shaolin Temple on Song Mountain, I personally delivered the public key with the fire seal to the little flower. But after that, I never received any letters from her. It wasn't until a year later that I found out that the little flower had indeed written letters to me. At that time, the letters were indeed encrypted with the public key with the fire seal. After Zhang received the letters, because he didn't know my private key, he couldn't decrypt the little flower's password. So he burned all the letters in anger. Also, because Zhang couldn't know the little flower's symmetric password and couldn't reply to her, after sending a few letters, the little flower's letters disappeared. She also became suspicious and asked around about my situation. Zhang became anxious. He used my published public key and sent me a letter in the tone of the little flower. When I received the letter, I felt strange. Why did the letter smell like lard? And at the end, it asked about my private key with concern. Knowing that it was a trap, I thought about finding a way to confirm whether the letter was really written by the little flower. Later, I came up with a solution...
The old monk touched his bald head and said: I didn't lose my hair for nothing. I asked a pilgrim to pass a message to the little flower, telling her that I was fine and hoping that she would have her own happiness, or rather, a pair of asymmetric keys. After the little flower entrusted the Little Town Beauty Association to put a fire seal on her public key, she asked the pilgrim to deliver it to me. So every time the little flower writes a letter to me, she will stick a small peony on the password paper. On the peony, she writes a message encrypted with her own private key. In this way, when I receive a letter claiming to be from the little flower, I will first take out the password paper, remove the peony, and use the little flower's public key to decrypt this message. If I can't decrypt it, I will directly throw away the entire letter along with the password paper, because it must not have been written by the little flower. If I can decrypt it, then I can be sure that the letter is from the little flower, and I will carefully decode and read it.
The young monk said: No wonder I heard that Zhang the butcher was driven to death. Your love letters are so complicated that it gives me a headache. When I grow up, if I have something to say, I'll just shout it out to the people below the mountain, so I don't have to go through all this trouble. But I do understand what you said earlier. The SSL handshake phase is indeed troublesome with the fire seal, peony reading, and password paper decryption. Once both parties know the symmetric password, the decoding and reading stage is relatively smooth and much easier.
Edited on 2014-04-28
All rights reserved by the author.
Source: How much more server resources does HTTPS use compared to HTTP? Answer by Mu Xudong
However, not all certificates issued by CA organizations are trustworthy, for example:
Chrome cancels trust in Chinese WoSign SSL certificates for violating multiple certificate authority requirements
In September 2016, Mozilla exposed WoSign's forgery of certificate issuance dates and concealment of acquisitions, and announced the suspension of trust in certificates issued by the organization. Apple and Google followed suit. Recently, Google announced that after releasing a new version in September, its Chrome browser will cancel trust in all certificates issued by WoSign and its acquisition StartCom, regardless of whether they are new or old. It is recommended that websites currently using these digital certificates consider replacing them.