问题描述
HTTP 具有以下问题:
1)缺乏安全性:HTTP 不具备数据加密和身份验证的功能,因此传输的数据容易被黑客窃取和篡改,可能导致信息泄露和安全风险;
2)易受攻击:HTTP 传输数据时,黑客可以轻松地窃取数据包和会话 ID,从而伪造用户身份,登录用户账户,进行恶意操作和攻击;
3)用户隐私不受保护:HTTP 传输数据时,用户的个人信息和隐私数据容易被窃取和泄露,从而导致身份被盗用和财产损失;
解决方案
HTTPS(Hypertext Transfer Protocol Secure,超文本传输安全协议),也常称为 HTTP over TLS(Hyper Text Transfer Protocol over Transport Layer Security)或 HTTP over SSL(Hyper Text Transfer Protocol over Secure Socket Layer),HTTP Secure,是以安全为目标的 HTTP 通道,简单讲是 HTTP 的安全版。HTTPS 通过 HTTP 进行通信,并使用 SSL/TLS 来加密数据;
HTTPS 证书是一种数字证书,用于保护网站和应用程序的安全性;
原理简述
它通过加密通信的方式来保护用户的隐私和敏感信息,如用户名、密码、信用卡号等;
HTTPS 证书通常由第三方认证机构(CA)颁发,证明了网站或应用程序的身份,确保用户与其交互的是合法的实体,并且保证数据传输的完整性和机密性;
HTTPS 在 HTTP 的基础下加入 SSL/TLS 层,是使用 SSL/TLS 加密的 HTTP 协议;
/Layer_7_-_Application_Layer/HTTPS,_HTTP_over_TLS/pasted_image.png)
特性特征
HTTP 协议采用明文传输信息,存在信息窃听、信息篡改和信息劫持的风险,而协议 TLS 具有身份验证、信息加密和完整性校验的功能,可以避免此类问题发生;
数据传输安全性更高:HTTPS 使用 SSL/TLS 协议对数据进行加密,可以防止数据被窃听和篡改,确保数据传输的安全性;
用户隐私保护更好:HTTPS 使用 SSL/TLS 协议对数据进行加密,可以防止敏感信息被截获和泄露,保护用户的隐私;
增强网站可信度:HTTPS 使用 SSL/TLS 协议进行认证,可以证明网站的身份和合法性,增强网站的可信度;
支持 HTTP/2 协议:HTTPS 支持 HTTP/2 协议,可以提高网站的性能和速度,加快网页加载速度;
应用场景
网上购物:HTTPS 可以加密用户的信用卡信息和其他敏感信息,提高用户的支付安全性;
网上银行:HTTPS 可以保证用户的银行账户信息不会被盗取,提高用户的资金安全性;
社交网络:HTTPS 可以保护用户的个人信息不被黑客窃取,提高用户的隐私保护;
搜索引擎:HTTPS 可以保护用户的搜索历史和关键词不被第三方获取,提高用户的隐私保护;
电子邮件:HTTPS 可以保护用户的邮件内容和附件不被黑客窃取,提高用户的隐私保护;
医疗保健:HTTPS 可以保护用户的医疗信息不被黑客窃取,提高用户的隐私保护;
政企网站:HTTPS 可以保护用户的登录信息和其他敏感信息不被黑客窃取,提高用户的安全性;
在线教育:HTTPS 可以保护学生的个人信息和学习记录不被黑客窃取,提高学生的隐私保护;
客户端与服务端之间的 HTTPS 交互流程
命令curl --trace /tmp/trace https://k4nz.com会将请求 HTTPS 站点 k4nz.com 的追踪信息输出到/tmp/trace文件中。该文件很好地诠释了如下图示:
/Layer_7_-_Application_Layer/HTTPS,_HTTP_over_TLS/seqdiagram.png)
为了便于解释问题,对原有的输出作出如下改动:
- 为了使流程清晰,对输出进行了段落化;
- 限于篇幅,报文的数据部分只保留了首尾行,省略了中间部分,并对省略内容进行了说明;
交互流程如下:
== Info: Rebuilt URL to: https://k4nz.com/ == Info: Trying 115.159.122.157... == Info: TCP_NODELAY set == Info: Connected to k4nz.com (115.159.122.157) port 443 (#0) == Info: ALPN, offering h2 == Info: ALPN, offering http/1.1 == Info: Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH == Info: successfully set certificate verify locations: == Info: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs == Info: TLSv1.2 (OUT), TLS header, Certificate Status (22):
#1 Client Hello( Client => Server )
客户端发送 Hello 报文、TLS 版本号:
=> Send SSL data, 5 bytes (0x5) 0000: 16 03 01 02 00 ..... == Info: TLSv1.2 (OUT), TLS handshake, Client hello (1):
时间戳、随机值、会话 ID、加密套件、服务器名扩展:
=> Send SSL data, 512 bytes (0x200) 0000: 01 00 01 fc 03 03 cf 2c b0 28 fc 93 93 f0 1a da .......,.(...... 0010: c5 11 1f 6f 06 b1 f8 84 87 a5 64 25 79 d5 72 b2 ...o......d%y.r. 0020: 05 42 8b 4f c9 fa 00 00 8c c0 30 c0 2c c0 28 c0 .B.O......0.,.(. 0030: 24 c0 14 c0 0a 00 a5 00 a3 00 a1 00 9f 00 6b 00 $.............k. 0040: 6a 00 69 00 68 00 39 00 38 00 37 00 36 00 88 00 j.i.h.9.8.7.6... 0050: 87 00 86 00 85 c0 32 c0 2e c0 2a c0 26 c0 0f c0 ......2...*.&... 0060: 05 00 9d 00 3d 00 35 00 84 c0 2f c0 2b c0 27 c0 ....=.5.../.+.'. 0070: 23 c0 13 c0 09 00 a4 00 a2 00 a0 00 9e 00 67 00 #.............g. 0080: 40 00 3f 00 3e 00 33 00 32 00 31 00 30 00 9a 00 @.?.>.3.2.1.0... 0090: 99 00 98 00 97 00 45 00 44 00 43 00 42 c0 31 c0 ......E.D.C.B.1. 00a0: 2d c0 29 c0 25 c0 0e c0 04 00 9c 00 3c 00 2f 00 -.).%.......<./. 00b0: 96 00 41 00 ff 01 00 01 47 00 00 00 0d 00 0b 00 ..A.....G....... 00c0: 00 08 6b 34 6e 7a 2e 63 6f 6d 00 0b 00 04 03 00 ..k4nz.com...... 00d0: 01 02 00 0a 00 1c 00 1a 00 17 00 19 00 1c 00 1b ................ 00e0: 00 18 00 1a 00 16 00 0e 00 0d 00 0b 00 0c 00 09 ................ 00f0: 00 0a 00 0d 00 20 00 1e 06 01 06 02 06 03 05 01 ..... .......... 0100: 05 02 05 03 04 01 04 02 04 03 03 01 03 02 03 03 ................ 0110: 02 01 02 02 02 03 00 0f 00 01 01 33 74 00 00 00 ...........3t... 0120: 10 00 0e 00 0c 02 68 32 08 68 74 74 70 2f 31 2e ......h2.http/1. 0130: 31 00 15 00 cb 00 00 00 00 00 00 00 00 00 00 00 1............... 0140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 01a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 01b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 01c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 01d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 01e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 01f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
#2 Server Hello( Client <= Server )
服务端的 Hello 报文、TLS 版本号:
<= Recv SSL data, 5 bytes (0x5) 0000: 16 03 03 00 6b ....k == Info: TLSv1.2 (IN), TLS handshake, Server hello (2):
服务器时间、随机数、会话 ID、服务器选择的加密方法:
<= Recv SSL data, 107 bytes (0x6b) 0000: 02 00 00 67 03 03 0c f4 1d 2d bc 93 e5 b9 df f3 ...g.....-...... 0010: 3a 24 33 1e 73 6d d7 58 5b 7d 9b e6 07 c7 cf 82 :$3.sm.X[}...... 0020: 0f 30 e4 f8 fd b1 20 cb a4 6d 75 05 3c 49 fc 61 .0.... ..mu.<I.a 0030: f2 fc 80 1e 04 84 9a 82 5d 88 1a 0e 80 7a ba 64 ........]....z.d 0040: aa a2 e9 d1 20 d4 09 c0 2f 00 00 1f ff 01 00 01 .... .../....... 0050: 00 00 0b 00 04 03 00 01 02 00 0f 00 01 01 33 74 ..............3t 0060: 00 09 08 68 74 74 70 2f 31 2e 31 ...http/1.1 == Info: NPN, negotiated HTTP1.1 <= Recv SSL data, 5 bytes (0x5) 0000: 16 03 03 0a 4e ....N == Info: TLSv1.2 (IN), TLS handshake, Certificate (11):
服务器的证书信息:
<= Recv SSL data, 2638 bytes (0xa4e) 0000: 0b 00 0a 4a 00 0a 47 00 05 8f 30 82 05 8b 30 82 ...J..G...0...0. # ......(省略部分数据) 0a40: 78 ca 3a 5d 15 3d 07 89 f9 57 22 58 46 61 x.:].=...W"XFa
<= Recv SSL data, 5 bytes (0x5) 0000: 16 03 03 01 4d ....M == Info: TLSv1.2 (IN), TLS handshake, Server key exchange (12):
<= Recv SSL data, 333 bytes (0x14d)
0000: 0c 00 01 49 03 00 17 41 04 51 c7 9d 0d 4c 13 88 ...I...A.Q...L..
0010: d6 86 6f 7b 99 19 8c 73 fe 03 d8 49 50 55 52 f9 ..o{...s...IPUR.
0020: 60 68 70 50 5b b0 db 42 16 d5 23 16 89 88 e9 20 `hpP[..B..#....
0030: 6d 99 95 46 8f 55 c0 96 38 55 56 9b be d6 bf 86 m..F.U..8UV.....
0040: 9f 87 57 49 e8 d0 63 e3 a7 06 01 01 00 8a b8 9b ..WI..c.........
0050: 12 87 4c 05 c1 48 f4 86 fb f3 19 b3 79 1f 40 1a ..L..H......y.@.
0060: 6b 4e 8e 5a 6a a2 77 3a d4 7f 9e 2a 21 f3 08 dd kN.Zj.w:..*!...
0070: ed a4 c6 85 40 6d af c4 3e d5 c6 84 67 d0 a8 b6 ....@m..>...g...
0080: 10 dc 8e ec 21 ea 6d 45 48 45 95 ba ec 0c ab 9d ....!.mEHE......
0090: 8a e3 f1 25 db 1d d1 22 20 d5 0c 50 19 29 3e c7 ...%..." ..P.)>.
00a0: c8 6e 5b 29 0a 72 ba f7 c1 6e 4f b8 eb 48 28 98 .n[).r...nO..H(.
00b0: 34 7e 86 c2 2f 80 bd 67 84 3a fd 15 14 14 c5 f2 4~../..g.:......
00c0: 13 09 88 0d ba 7e 07 0b fd ec 59 60 35 58 28 e2 .....~....Y`5X(.
00d0: a7 4b 49 bd 5c 24 e5 bc df e3 53 24 b1 c8 63 e3 .KI.\$....S$..c.
00e0: cb 7a db ef 82 00 8f e6 38 98 ad 1f b2 14 5f 2e .z......8....._.
00f0: 94 7c c3 84 bf 47 17 3a fe dd 52 78 2f a7 cc 55 .|...G.:..Rx/..U
0100: 55 12 32 38 08 20 1e bd c3 5d b1 71 2f 6a 15 f7 U.28. ...].q/j..
0110: 4b 58 d5 db 26 40 a4 b3 c0 dc 08 da 31 a7 3d 14 KX..&@......1.=.
0120: 69 e9 42 53 df 05 af 84 3a a1 90 4f 85 d8 d7 f0 i.BS....:..O....
0130: 62 aa 7d 04 fc 2f e1 c6 ca 6b 69 a2 f6 32 7b 17 b.}../...ki..2{.
0140: 9d ae b4 6a 44 c7 38 da d2 25 12 0d 38 ...jD.8..%..8
<= Recv SSL data, 5 bytes (0x5) 0000: 16 03 03 00 04 ..... == Info: TLSv1.2 (IN), TLS handshake, Server finished (14):
服务端的 Hello 结束:
<= Recv SSL data, 4 bytes (0x4) 0000: 0e 00 00 00 ....
#3 Client Key Exchange( Client => Server )
=> Send SSL data, 5 bytes (0x5) 0000: 16 03 03 00 46 ....F == Info: TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
=> Send SSL data, 70 bytes (0x46) 0000: 10 00 00 42 41 04 4b 39 88 7c ce 41 00 37 2a 29 ...BA.K9.|.A.7*) 0010: 23 f0 18 9e ab 75 97 53 2c 91 fb ed 44 11 6d e8 #....u.S,...D.m. 0020: 50 22 b4 5c 45 4f 7a 1c 75 d0 c4 f7 ed cc 65 7e P".\EOz.u.....e~ 0030: 26 58 89 97 e1 0c d4 11 0f 04 5d 05 39 46 58 65 &X........].9FXe 0040: f4 b8 d4 39 22 6b ...9"k
#4 Change Cipher Spec( Client => Server )
=> Send SSL data, 5 bytes (0x5) 0000: 14 03 03 00 01 ..... == Info: TLSv1.2 (OUT), TLS change cipher, Client hello (1):
=> Send SSL data, 1 bytes (0x1) 0000: 01 . => Send SSL data, 5 bytes (0x5) 0000: 16 03 03 00 3c ....< == Info: TLSv1.2 (OUT), TLS handshake, Unknown (67):
=> Send SSL data, 36 bytes (0x24) 0000: 43 00 00 20 08 68 74 74 70 2f 31 2e 31 16 00 00 C.. .http/1.1... 0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0020: 00 00 00 00 .... => Send SSL data, 5 bytes (0x5) 0000: 16 03 03 00 28 ....( == Info: TLSv1.2 (OUT), TLS handshake, Finished (20):
=> Send SSL data, 16 bytes (0x10) 0000: 14 00 00 0c a8 40 f5 02 d3 65 af f4 ca 3a e6 ee .....@...e...:..
#5 Change Cipher Spec( Client <= Server )
<= Recv SSL data, 5 bytes (0x5) 0000: 14 03 03 00 01 ..... == Info: TLSv1.2 (IN), TLS change cipher, Client hello (1):
<= Recv SSL data, 1 bytes (0x1) 0000: 01 . <= Recv SSL data, 5 bytes (0x5) 0000: 16 03 03 00 28 ....( == Info: TLSv1.2 (IN), TLS handshake, Finished (20): <= Recv SSL data, 16 bytes (0x10) 0000: 14 00 00 0c 6f 31 df 33 f3 eb 21 34 b0 03 2e 8c ....o1.3..!4....
== Info: SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 == Info: ALPN, server did not agree to a protocol == Info: Server certificate: == Info: subject: CN=k4nz.com == Info: start date: Apr 12 00:00:00 2018 GMT == Info: expire date: Apr 12 12:00:00 2019 GMT == Info: subjectAltName: host "k4nz.com" matched cert's "k4nz.com" == Info: issuer: C=CN; O=TrustAsia Technologies, Inc.; OU=Domain Validated SSL; CN=TrustAsia TLS RSA CA == Info: SSL certificate verify ok.
=> Send SSL data, 5 bytes (0x5) 0000: 17 03 03 00 60 ....`
# Application Data Encrypted( Client <=> Server )
=> Send header, 72 bytes (0x48) 0000: 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a GET / HTTP/1.1.. # ......(省略部分 HTTP 数据) 26f0: 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a .</html>...0.... == Info: Curl_http_done: called premature == 0 == Info: Connection #0 to host k4nz.com left intact
注意事项
Secure HTTP(S-HTTP)并不是 HTTPS,有关 S-HTTP 的内容参考「RFC2660」;
RFC 2818: HTTP Over TLS
RFC 5246: The Transport Layer Security Protocol 1.2
RFC 6101: The Secure Sockets Layer (SSL) Protocol Version 3.0
参考文献
「https 原理通俗了解」、「也许,这样理解 HTTPS 更容易」
Wikipedia/HTTPS
The First Few Milliseconds of an HTTPS Connection