what is HTTPS
HTTPS = HTTP + TSL
Hypertext Transfer Protocol Secure (
HTTPS) is a
communications protocol for
secure communication over a
computer network, with especially wide
deployment on the
Internet. Technically, it is not a protocol in and of itself; rather, it is the result of simply
layering the
Hypertext Transfer Protocol (HTTP) on top of the
SSL/TLS protocol, thus adding the security capabilities of SSL/TLS to standard HTTP communications. The main motivation for HTTPS is to prevent
wiretapping and
man-in-the-middle attacks.
TLS (Transport Layer Security)
Transport Layer Security (
TLS) and its predecessor,
Secure Sockets Layer (
SSL), are
cryptographic protocols designed to provide communication
security over the
Internet.
[1] They use
X.509 certificates and hence
asymmetric cryptography to
authenticate the counterparty with whom they are communicating, and to exchange a
symmetric key. This session key is then used to encrypt data flowing between the parties. This allows for data/message confidentiality, and
message authentication codes for message integrity and as a by-product, message authentication.
TLS handshaking procedure
1. Client sends hello message to server
2. Server sends hello message and certificate (public key is in certificate) to client
3. Client authenticate server's certificate by checking if received certificate subject name actually matches the name of server being contacted, if the issuer of the certificate is a trusted
certificate authority (e.g. VeriSign/Microsoft/etc. which are pre-installed in browser)
4. Using all data generated in the handshake thus far, client creates the shared session key and encrypts it with server's public key, and then sends the encrypted session key to server
5. The client sends a message to server informing it that future messages from client will be encrypted with the session key, it then sends a separate message (encrypted) indicating that the client portion of handshake is finished.
6. The server does the same to client
How can i trust you
CA - Certificate Authority
CA is an entity that issues
digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate and it is a
trusted third party that is trusted by both the subject (owner) of the certificate and the party relying upon the certificate.
CA Providers
- Symantec (which bought VeriSign's SSL interests and owns Thawte and Geotrust) with 38.1% market share
- Comodo Group with 29.1%
- Go Daddy with 13.4%
- GlobalSign with 10%
Java HTTPS support
Use HttpsURLConnection
Use Apache AHC (Asynchronous Http Client)
参考:
