1、基本概念
1.1 HTTP
1.1.1 HTTP(HyperText Transfer Protocol:超文本传输协议)的基本概念
① HTTP是一种用于分布式、协作式和超媒体信息系统的应用层协议。 简单来说就是一种发布和接收 HTML 页面的方法,被用于在 Web 浏览器和网站服务器之间传递信息。
② HTTP 默认工作在 TCP 协议 80 端口,用户访问网站 http:// 打头的都是标准 HTTP 服务。
③ HTTP 协议以明文方式发送内容,不提供任何方式的数据加密,如果攻击者截取了Web浏览器和网站服务器之间的传输报文,就可以直接读懂其中的信息,因此,HTTP协议不适合传输一些敏感信息,比如:信用卡号、密码等支付信息。
1.1.2 What is HTTP?
① HTTP (Hypertext Transfer Protocol) is the foundation of any data exchange on the World Wide Web. It provides a set of rules and standards that control how any information can transfer on the World Wide Web.
(HTTP(超文本传输??协议)是万维网上任何数据交换的基础。它提供了一套规则和标准来控制任何信息如何在万维网上传输。)
② HTTP is an application layer protocol in the Internet protocol suite model (TCP/IP). It is a client-server protocol that enables web browsers and web servers to communicate. When a user makes an HTTP request on the browser, the server sends the requested data to the user in the form of web pages.
(HTTP 是 Internet 协议套件模型 (TCP/IP) 中的应用层协议。它是一种客户端-服务器协议,使 Web 浏览器和 Web 服务器能够进行通信。当用户在浏览器上发出 HTTP 请求时,服务器将请求的数据以网页的形式发送给用户。)
③HTTP is a stateless protocol. It means that every transaction will be executed separately. On completion of a transaction between the web browser and the server, the connection gets lost.
(HTTP 是一种无状态协议。这意味着每笔交易都将单独执行。Web 浏览器和服务器之间的事务完成后,连接就会丢失。)
1.1.3 HTTP Request/Response
Here is how the communication between clients and servers takes place with HTTP requests and responses:
以下是客户端和服务器之间通过 HTTP 请求和响应进行通信的方式:
● The client (browser) sends an HTTP request to the web
客户端(浏览器)向 Web 发送 HTTP 请求
● A web server will receive the request
Web 服务器将接收请求
● The webserver will run an application to process the request
网络服务器将运行一个应用程序来处理请求
● The server will return an HTTP response to the browser
服务器将向浏览器返回一个 HTTP 响应
● The client will receive the response
客户端将收到响应
1.1.4 HTTP工作原理
1、Client与Server建立连接,单击某个超链接,HTTP的工作开始。
2、连接建立后,Client发送一个请求给Server,请求方式的格式为:统一资源标识符(URL)、协议版本号,后边是MIME信息包括请求修饰符,Client信息和可能的内容。
3、Server接到请求后,给予相应的响应信息,其格式为一个状态行,包括信息的协议版本号、一个成功或错误的代码,后边是MIME信息包括Server信息、实体信息和可能的内容。
4、Client接收Server返回的信息通过浏览器显示在用户的显示屏上,然后Client和Server断开连接。
1.2 HTTPS
1.2.1 HTTPS(Hypertext Transfer Protocol Secure:超文本传输安全协议)的基本概念
HTTPS是一种透过计算机网络进行安全通信的传输协议。HTTPS 经由 HTTP 进行通信,但利用 SSL/TLS 来加密数据包。HTTPS 开发的主要目的,是提供对网站服务器的身份认证,保护交换数据的隐私与完整性。
1.2.2 HTTPS 默认工作在 TCP 协议443端口,它的工作流程一般如以下方式:
1、TCP 三次同步握手
2、客户端验证服务器数字证书
3、DH 算法协商对称加密算法的密钥、hash 算法的密钥
4、SSL 安全加密隧道协商完成
5、网页以加密的方式传输,用协商的对称加密算法和密钥加密,保证数据机密性;用协商的hash算法进行数据完整性保护,保证数据不被篡改。
1.2.3 What is HTTPS?
HTTPS refers to the secure version of HTTP. It establishes a secure connection between client and server. It uses the Transport Layer Security (TLS) security protocol, the successor of the Secure Sockets Layer (SSL) to encrypt the data before transmission. Thus, the data remains safe throughout the connection path.
(HTTPS 是指 HTTP 的安全版本。它在客户端和服务器之间建立安全连接。它使用传输层安全 (TLS) 安全协议(安全套接字层 (SSL) 的继承者)在传输前对数据进行加密。因此,数据在整个连接路径中保持安全。)
1.2.4 The TLS protocol uses an asymmetric public key infrastructure with two keys –
TLS 协议使用具有两个密钥的非对称公钥基础设施—
● Private key: This key decrypts the information that is encrypted by the public key. It is available on the webserver and is managed by the website owner.
私钥:此密钥解密由公钥加密的信息。它在网络服务器上可用,由网站所有者管理。
● Public key: This key converts the data into an encrypted form and is available to everyone.
公钥:此密钥将数据转换为加密形式,可供所有人使用。
1.2.5 HTTPS 原理
1、Client使用HTTPS的URL访问Web服务器,要求与Web服务器建立SSL连接。
2、Web服务器收到客户端请求后,会将网站的证书信息(证书中包含公钥)传送一份给客户端。
3、客户端的浏览器与Web服务器开始协商SSL连接的安全等级,也就是信息加密的等级。
4、客户端的浏览器根据双方同意的安全等级,建立会话密钥,然后利用网站的公钥将会话密钥加密,并传送给网站。
5、Web服务器利用自己的私钥解密出会话密钥。
6、Web服务器利用会话密钥加密与客户端之间的通信。
7、在交换密钥阶段使用公开密钥加密方式,之后建立通信交换报文阶段则使用共享密钥加密方式。
2、HTTP 与 HTTPS 区别
● HTTP 明文传输,数据都是未加密的,安全性较差,HTTPS(SSL+HTTP) 数据传输过程是加密的,安全性较好。
● 使用 HTTPS 协议需要到 CA(Certificate Authority,数字证书认证机构) 申请证书,一般免费证书较少,因而需要一定费用。证书颁发机构如:Symantec、Comodo、GoDaddy 和 GlobalSign 等。
● HTTP 页面响应速度比 HTTPS 快,主要是因为 HTTP 使用 TCP 三次握手建立连接,客户端和服务器需要交换 3 个包,而 HTTPS除了 TCP 的三个包,还要加上 ssl 握手需要的 9 个包,所以一共是 12 个包。
● http 和 https 使用的是完全不同的连接方式,用的端口也不一样,前者是 80,后者是 443。
● HTTPS 其实就是建构在 SSL/TLS 之上的 HTTP 协议,所以,要比较 HTTPS 比 HTTP 要更耗费服务器资源。
2.1.2 What is the Difference Between HTTP and HTTPS?
| HTTP | HTTPS |
|---|---|
| The full form of HTTP is Hypertext Transfer Protocol. | The full form of HTTPS is Hypertext Transfer Protocol Secure. |
| An HTTP URL begins with http:// | An HTTPS URL begins with https:// |
| It uses port number 80. | It sends the data over port number 443. |
| HTTP is an application layer protocol. | HTTPS is a transport layer protocol. |
| Less secure and vulnerable to hacking attacks. | It is highly secure. |
| It does not contain an SSL certificate. | HTTPS contains an SSL certificate. |
| HTTP websites do not use data encryption. | HTTPS websites use data encryption. |
| It is fast. | It is slower than HTTP. |
| HTTP does not help in improving search rankings. | HTTPS provides SEO advantages as Google gives the preferences to websites that use HTTPS. |
2.1.3 Which is Better – HTTP vs HTTPS?
If you want to start a new website, then you can use the HTTPS protocol as it is more secure.
If your website currently uses HTTP, then you can switch to HTTPS. While there are many benefits of HTTPS over HTTP, there are some challenges that we may face if we do not follow the correct procedure to switch from HTTP to HTTPS.
2.1.4 How to Switch from HTTP to HTTPS?
Here are the steps to switch from HTTP to HTTPS:
● Prepare: Moving from HTTP to HTTPS is a big move. Thus, you will need to conduct it when your website is not very busy.
准备:从 HTTP 迁移到 HTTPS 是一个重大举措。 因此,当您的网站不是很忙时,您将需要执行它。
● Purchase and Install an SSL Certificate: You can purchase an SSL certificate from your website host. They can also install and configure it. You will have to decide which of the three certificate types is best suited for your website needs – Domain Validated (DV SSL), Organization Validated (OV SSL), and Extended Validation (EV SSL).
购买和安装 SSL 证书:您可以从您的网站主机购买 SSL 证书。 他们还可以安装和配置它。 您必须决定三种证书类型中的哪一种最适合您的网站需求——域验证 (DV SSL)、组织验证 (OV SSL) 和扩展验证 (EV SSL)。
● Enable HTTPS: Migrating to HTTPS will depend on the size of your website. If your website is huge, then you will have to perform it in phases. Going from subdomains to the most crucial part of your website.
启用 HTTPS:迁移到 HTTPS 将取决于您网站的大小。 如果您的网站很大,那么您将不得不分阶段执行它。 从子域到您网站最关键的部分。
● Once the HTTPS is correctly installed and running, you can access the HTTPS version of your pages.
正确安装并运行 HTTPS 后,您可以访问页面的 HTTPS 版本。
● 301 Redirects From HTTP to HTTPS: 301 redirects will tell the search engine that the site has changed. It needs to be indexed under the new protocols. You can set up 301 redirects to redirect traffic from servers to your new HTTPS protocol automatically if you use a CMS. Otherwise, you will need to do it manually.
从 HTTP 到 HTTPS 的 301 重定向:301 重定向将告诉搜索引擎该站点已更改。 它需要在新协议下被索引。 如果您使用 CMS,您可以设置 301 重定向以将流量从服务器自动重定向到新的 HTTPS 协议。 否则,您将需要手动执行此操作。
2.1.5 Frequently Asked Questions
Q1. What is the full form of HTTP?
Ans. HTTP stands for Hypertext Transfer Protocol. It enables communication between web clients and web servers.
HTTP 代表超文本传输协议。 它支持 Web 客户端和 Web 服务器之间的通信。
Q2. What is the full form of HTTPS?
Ans. HTTPS stands for Hypertext Transfer Protocol Secure. It is a combination of the HTTP and Secure Socket Layer (SSL)/Transport Layer Security (TLS) protocol, enabling us to communicate securely with the webserver.
HTTPS 代表安全的超文本传输协议。 它是 HTTP 和安全套接字层 (SSL)/传输层安全 (TLS) 协议的组合,使我们能够与网络服务器进行安全通信。
Q3. What is the main difference between HTTP and HTTPS?
Ans. The major difference between HTTP and HTTPS is that HTTP does not provide any mechanism to encrypt the data. On the other hand, HTTPS provides SSL or TLS digital certificates to secure the communication between server and client. HTTPS is more secure than HTTP.
HTTP 和 HTTPS 之间的主要区别在于 HTTP 不提供任何加密数据的机制。 另一方面,HTTPS 提供 SSL 或 TLS 数字证书来保护服务器和客户端之间的通信。 HTTPS 比 HTTP 更安全。
Q4. Why HTTP protocol is not safe?
Ans. The HTTP protocol is not safe because it does not encrypt the data on a web page when it is in transit. This data is vulnerable to access by hackers.
HTTP 协议并不安全,因为它不会在网页传输数据时对其进行加密。 这些数据很容易被黑客访问
