The basic principles and functions of HTTPS
HTTPS is the secure version of HTTP, protecting the security of data transmission through encryption and authentication mechanisms. It addresses the flaw of plaintext transmission in HTTP, preventing data from being stolen or tampered with, and is widely used in sensitive operations such as logins and payments.
The Core of HTTPS: SSL/TLS Protocol
The security foundation of HTTPS is the SSL/TLS protocol, which establishes an encrypted channel between the transport layer and the application layer. TLS is an upgraded version of SSL, with TLS 1.2/1.3 being the mainstream versions today. The handshake process includes the following key steps:
- Client Hello: The browser sends a list of supported cipher suites and a random number.
- Server Hello: The server selects a cipher suite and returns a digital certificate and a random number.
- Key Exchange: The session key is negotiated through asymmetric encryption.
- Encrypted Communication: Subsequent data transmission uses symmetric encryption.
// Node.js example: Creating an HTTPS server
const https = require('https');
const fs = require('fs');
const options = {
key: fs.readFileSync('server.key'),
cert: fs.readFileSync('server.crt')
};
https.createServer(options, (req, res) => {
res.writeHead(200);
res.end('Secure Connection Established');
}).listen(443);
Encryption Mechanisms Explained
Asymmetric Encryption
The handshake phase uses RSA or ECC algorithms, typical scenarios include:
- The server decrypts the pre-master key sent by the client using its private key.
- The client encrypts the pre-master key using the public key from the certificate.
- ECDHE key exchange achieves forward secrecy.
Symmetric Encryption
The communication phase uses AES or ChaCha20 algorithms, with the following characteristics:
- AES-256-GCM provides both encryption and integrity verification.
- The session key is regenerated for each connection.
- Encryption performance is 1000x faster than asymmetric encryption.
// Browser-side encryption example (Web Crypto API)
const encryptData = async (data, key) => {
const iv = crypto.getRandomValues(new Uint8Array(12));
const encrypted = await crypto.subtle.encrypt(
{ name: "AES-GCM", iv },
key,
new TextEncoder().encode(data)
);
return { iv, encrypted };
};
Certificates and Authentication
Certificate Chain Verification
Browser certificate verification includes:
- Checking domain name matching (SAN extension).
- Verifying the signature chain up to a trusted root certificate.
- Ensuring the certificate is not expired.
- Checking CRL/OCSP revocation status.
Certificate Type Comparison
| Type | Validation Level | Issuance Speed | Use Case |
|---|---|---|---|
| DV | Domain Validation | Minutes | Personal blogs |
| OV | Organization Validation | Days | Corporate websites |
| EV | Extended Validation | Weeks | Banking/Payment sites |
Performance Optimization Practices
TLS 1.3 Improvements
- Handshake time reduced from 2RTT to 1RTT.
- Forward secrecy enabled by default.
- Insecure cipher suites removed.
Best Configuration Example
# Nginx configuration example
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256';
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
Mixed Content Issues
Modern browsers block mixed content:
- Passive content (images/videos) triggers warnings.
- Active content (scripts/XHR) is directly blocked.
Fix solutions:
<!-- Replace HTTP resources with HTTPS -->
<script src="https://cdn.example.com/jquery.js"></script>
<!-- Or use protocol-relative URLs -->
<img src="//static.example.com/logo.png" alt="">
Development Debugging Tips
Chrome security debugging features:
- Click the lock icon in the address bar to view certificate details.
- Use the Security panel to inspect HTTPS issues.
- Enable
chrome://flags/#allow-insecure-localhostfor local testing.
# Local development certificate generation
openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 365
Real-World Attack Protection Cases
MitM Attack Defense
- Certificate pinning (HPKP alternative).
- CAA records to control certificate issuance.
- Strict Transport Security header (HSTS).
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Downgrade Attack Protection
- TLS_FALLBACK_SCSV mechanism.
- Disabling SSLv3 on servers.
- Implementing HSTS preload lists.
Mobile-Specific Considerations
Android 7+ introduces network security configuration:
<!-- res/xml/network_security_config.xml -->
<network-security-config>
<domain-config cleartextTrafficPermitted="false">
<domain includeSubdomains="true">example.com</domain>
</domain-config>
</network-security-config>
iOS requires ATS configuration:
<!-- Info.plist -->
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<false/>
</dict>
Future Trends
- QUIC protocol standardization (HTTP/3).
- Post-quantum cryptography migration.
- Automated certificate management (ACME protocol).
- mTLS applications in zero-trust architectures.
本站部分内容来自互联网,一切版权均归源网站或源作者所有。
如果侵犯了你的权益请来信告知我们删除。邮箱:cc@cccx.cn
