[Website Building Knowledge] HTTPS Those Things (1) HTTPS Principle (Reprint)

Posted on 12/24/2015 10:56:18 AM
Prologue
A few days ago, Rumor Crusher published "Will Internet access with public WiFi endanger the security of bank accounts?" The article introduces some situations in which HTTPS is used for encrypted network transmission and, judging from the replies, there are still disputes. As the Internet becomes more popular and its applications more widespread, network security issues attract more and more attention from netizens. Here we will talk about TLS/SSL, which is what we often call HTTPS, going from the principle to the actual application to see what it is, what problems to pay attention to when using HTTPS, and the related security techniques.
Network security is a whole-system matter that involves the security of personal computers, protocols, data transmission, software development companies, and websites. I hope that by explaining security-related issues little by little in the future, more people can understand network security, so that they can use the network more safely.
The article will be long, and for the time being it is planned in three parts:
  • The first part mainly describes the principle of HTTPS.
  • The second part mainly describes the process of SSL certificate verification and some precautions for use.
  • The third part presents some instances of HTTPS attacks.
1. What is HTTPS?
Before talking about HTTPS, let's talk about HTTP, the protocol we usually use when browsing the web. Data transmitted over HTTP is unencrypted, that is, in plaintext, so it is very insecure to transmit private information using HTTP. To ensure that such private data can be encrypted in transit, Netscape designed the SSL (Secure Sockets Layer) protocol to encrypt the data carried by HTTP, and HTTPS was born. The current version of SSL is 3.0, which is defined in RFC 6101 by the IETF (Internet Engineering Task Force). The IETF then upgraded SSL 3.0, resulting in TLS (Transport Layer Security) 1.0, defined in RFC 2246. In fact, the HTTPS we use today is the TLS protocol, but because SSL appeared earlier and is still supported by current browsers, SSL remains synonymous with HTTPS. Both TLS and SSL date from the last century; the last version of SSL is 3.0, and from now on TLS will continue to provide encryption services for us. The current version of TLS is 1.2, defined in RFC 5246, and it is not widely used yet.
Those interested in the history can refer to http://en.wikipedia.org/wiki/Transport_Layer_Security, which has a detailed description of TLS/SSL.
2. Is HTTPS secure?
The answer is yes, it's safe. In the coming weeks, Google will enable HTTPS for all local domains around the world. Users only need to log in with their Google account before searching, and all search operations will be encrypted using the TLS protocol. See: http://thenextweb.com/google/2012/03/05/google-calls-for-a-more-secure-web-expands-ssl-encryption-to-local-domains/
3. How HTTPS works
HTTPS requires a handshake between the client (browser) and the server (website) before any data is transmitted, and the password information that both parties will use to encrypt the data is established during this handshake. The TLS/SSL protocol is not just a set of encrypted transmission protocols, but also a work of art carefully designed by artists, using asymmetric encryption, symmetric encryption, and HASH algorithms. A simple description of the handshake process is as follows:

   1. The browser sends the set of encryption rules that it supports to the website.
   2. The website selects a set of encryption algorithms and HASH algorithms from them and sends its identity information back to the browser in the form of a certificate. The certificate contains information such as the website address, the encryption public key, and the certificate's issuer.
   3. After obtaining the website certificate, the browser does the following:
  • Verifies the legitimacy of the certificate (whether the authority that issued the certificate is legitimate, whether the website address contained in the certificate is the same as the address being visited, etc.). If the certificate is trusted, a small lock is displayed in the browser bar; otherwise a prompt is shown that the certificate is not trusted.
  • If the certificate is trusted, or if the user accepts an untrusted certificate, the browser generates a random number to serve as the password and encrypts it with the public key provided in the certificate.
  • Calculates the HASH of the handshake message using the agreed HASH algorithm, encrypts the message with the generated random number, and finally sends all of the previously generated information to the website.
   4. After receiving the data from the browser, the website does the following:
  • Uses its own private key to decrypt the password, uses the password to decrypt the handshake message sent by the browser, and verifies that the HASH is the same as the one sent by the browser.
  • Encrypts a handshake message with the password and sends it to the browser.
   5. The browser decrypts the handshake message and calculates its HASH. If it is consistent with the HASH sent by the server, the handshake process ends, and from then on all communication data is encrypted with the random password previously generated by the browser, using the symmetric encryption algorithm.

Here, the browser and the website send each other an encrypted handshake message and verify it in order to ensure that both parties have obtained the same password and can encrypt and decrypt data normally; it serves as a test before the real data is transmitted. In addition, the encryption and HASH algorithms commonly used by HTTPS are as follows:
  • Asymmetric encryption algorithms: RSA, DSA/DSS
  • Symmetric encryption algorithms: AES, RC4, 3DES
  • HASH algorithm: MD5, SHA1, SHA256
Among them, the asymmetric encryption algorithm is used to encrypt the generated password during the handshake, the symmetric encryption algorithm is used to encrypt the data actually transmitted, and the HASH algorithm is used to verify the integrity of the data. Since the password generated by the browser is the key to encrypting all of the data, it is encrypted with an asymmetric encryption algorithm during transmission. The asymmetric encryption algorithm generates a public key and a private key. Public keys can only be used to encrypt data, so they can be transmitted freely; the website's private key is used to decrypt the data, so the website keeps its private key very carefully to prevent leakage.
Any error during the TLS handshake can break the encrypted connection, preventing the transmission of private information. It is precisely because HTTPS is very secure that attackers cannot find a place to start, so they use fake certificates to deceive clients in order to obtain plaintext information. These methods can be identified, however, which I will talk about in a subsequent article. However, in 2010, security experts discovered a vulnerability in the handling of the TLS 1.0 protocol: http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/. In fact, this attack method, called BEAST, was discovered by security experts as early as 2002, but it was not made public. Microsoft and Google have fixed this vulnerability. See:
  • http://support.microsoft.com/kb/2643584/en-us
  • https://src.chromium.org/viewvc/chrome?view=rev&revision=90643
A simplified description of how HTTPS works can also be found in the article "Symmetric Encryption vs. Asymmetric Encryption".
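
The handshake steps in section 3 and the roles of the three algorithm families described after them, as an added example that is not part of the original post. Textbook RSA with toy primes stands in for the certificate's public key, a SHA-256 keystream XOR stands in for the symmetric cipher, and the random password is called `secret`; the host name `example.test`, the suite names and the `in_transit` hook are assumptions made for illustration, and certificate validation is not modelled.

```python
import hashlib, hmac, secrets

# Toy website key pair: textbook RSA without padding, built from two Mersenne
# primes. Constructed for illustration only; far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def sym(secret: int, label: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR data with one SHA-256 keystream block."""
    stream = hashlib.sha256(secret.to_bytes(12, "big") + label).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def handshake(in_transit=lambda ciphertext: ciphertext):
    """Run steps 1-5. `in_transit` (hypothetical hook) models what happens to
    the encrypted secret on the wire; the default delivers it unchanged."""
    # Step 1: the browser offers the encryption rules it supports.
    offer = b"AES-SHA256,3DES-SHA1,RC4-MD5"
    # Step 2: the website picks one and returns its certificate, reduced here
    # to address + public key (issuer checks are not modelled).
    chosen = offer.split(b",")[0]
    cert = b"example.test|%d|%d" % (N, E)
    # Step 3: the browser generates a random secret, encrypts it with the
    # public key, hashes the handshake messages and encrypts that hash.
    secret = secrets.randbits(64)
    wire_secret = in_transit(pow(secret, E, N))
    digest = hashlib.sha256(offer + chosen + cert).digest()
    client_msg = sym(secret, b"client", digest)
    # Step 4: the website decrypts the secret with its private key, decrypts
    # the browser's message and compares it with its own hash.
    srv_secret = pow(wire_secret, D, N)
    if not hmac.compare_digest(sym(srv_secret, b"client", client_msg), digest):
        return {"ok": False, "reason": "handshake hash mismatch"}
    server_msg = sym(srv_secret, b"server", digest)
    # Step 5: the browser checks the website's message the same way.
    ok = hmac.compare_digest(sym(secret, b"server", server_msg), digest)
    return {"ok": ok, "suite": chosen.decode(), "same_key": secret == srv_secret}

if __name__ == "__main__":
    print(handshake())                   # both sides hold the same secret
    print(handshake(lambda c: c ^ 1))    # one flipped bit: handshake fails
```

The second call shows why the encrypted handshake messages are exchanged before real data: if the two sides end up with different secrets, the check in step 4 fails and no application data is sent.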
Landlord | Posted on 4/19/2018 11:09:21 AM
Detailed explanation of various parameters of HTTP protocol
http://www.itsvse.com/thread-3704-1-1.html
(Source: Architect_Programmer)