what is HTTPS
HTTPS = HTTP + TSL
Hypertext Transfer Protocol Secure (HTTPS) is acommunications protocol forsecure
communication over a computer network, with especially wide deployment on the Internet. Technically, it is not a protocol in and of itself; rather, it is the result of simplylayering theHypertext
Transfer Protocol (HTTP) on top of the SSL/TLS protocol, thus adding the security capabilities of SSL/TLS to standard HTTP communications. The main motivation for HTTPS is to preventwiretapping
and man-in-the-middle attacks.
communication over a computer network, with especially wide deployment on the Internet. Technically, it is not a protocol in and of itself; rather, it is the result of simplylayering theHypertext
Transfer Protocol (HTTP) on top of the SSL/TLS protocol, thus adding the security capabilities of SSL/TLS to standard HTTP communications. The main motivation for HTTPS is to preventwiretapping
and man-in-the-middle attacks.
TLS (Transport Layer Security)
Transport Layer Security (TLS) and its predecessor,Secure Sockets Layer (SSL), arecryptographic
protocols designed to provide communication security over the Internet.[1] They useX.509
certificates and henceasymmetric cryptography toauthenticate
the counterparty with whom they are communicating, and to exchange asymmetric key. This session key is then used to encrypt
data flowing between the parties. This allows for data/message confidentiality, andmessage authentication codes for message
integrity and as a by-product, message authentication.
protocols designed to provide communication security over the Internet.[1] They useX.509
certificates and henceasymmetric cryptography toauthenticate
the counterparty with whom they are communicating, and to exchange asymmetric key. This session key is then used to encrypt
data flowing between the parties. This allows for data/message confidentiality, andmessage authentication codes for message
integrity and as a by-product, message authentication.
TLS handshaking procedure
1. Client sends hello message to server
2. Server sends hello message and certificate (public key is in certificate) to client
3. Client authenticate server's certificate by checking if received certificate subject name actually matches the name of server being contacted, if the issuer of the certificate is a trustedcertificate
authority (e.g. VeriSign/Microsoft/etc. which are pre-installed in browser)
authority (e.g. VeriSign/Microsoft/etc. which are pre-installed in browser)
4. Using all data generated in the handshake thus far, client creates the shared session key and encrypts it with server's public key, and then sends the encrypted session key to server
5. The client sends a message to server informing it that future messages from client will be encrypted with the session key, it then sends a separate message (encrypted) indicating that the client portion of handshake is finished.
6. The server does the same to client
How can i trust you
CA - Certificate Authority
CA is an entity that issues digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate and it is a
trusted third party that is trusted by both the subject (owner) of the certificate and the party relying upon the certificate.
trusted third party that is trusted by both the subject (owner) of the certificate and the party relying upon the certificate.
CA Providers
-
Symantec (which bought
VeriSign's SSL interests and owns Thawte and Geotrust) with 38.1% market share - Comodo Group with 29.1%
- Go Daddy with 13.4%
- GlobalSign with 10%
Java HTTPS support
Use HttpsURLConnection
Use Apache AHC (Asynchronous Http Client)
参考:
版权声明:本文为博主原创文章,未经博主允许不得转载。