Are you sure HTTPS is asymmetric encryption for content encryption? See the answers and reasons

Programmer base 2021-10-14 04:37:26
sure https asymmetric encryption content


HTTPS The reason why the agreement is secure is HTTPS The protocol encrypts the transmitted data , The encryption process is implemented by asymmetric encryption . But in fact ,HTTPS Symmetric encryption is used for encryption of content transmission , Asymmetric encryption only works in the certificate verification phase .


Why is data transmission encrypted symmetrically ?

First , The efficiency of asymmetric encryption is very low , and http There is a lot of interaction between the normal end and the end in the application scenario of , The efficiency of asymmetric encryption is unacceptable ;

in addition , stay HTTPS Only the server saves the private key in the scenario , A pair of public and private keys can only realize one-way encryption and decryption , therefore HTTPS The content transmission encryption in is symmetric encryption , Not asymmetric encryption .

Principle and process

Man in the middle attack principle

Process principle :

  1. Local request hijacked ( Such as DNS Hijack, etc ), All requests are sent to the broker's server

  2. The broker server returns the broker's own certificate

  3. Client creates random number , The random number is encrypted by the public key of the intermediary certificate and then sent to the intermediary , Then construct symmetric encryption with random number to encrypt the transmission content

  4. Middleman because of the random number of clients , The content can be decrypted by symmetric encryption algorithm

  5. The middleman sends the request to the regular website with the request content of the client

  6. Because the communication process between the middleman and the server is legal , The regular website returns encrypted data through the established security channel

  7. The middleman decrypts the content with the symmetric encryption algorithm established with the regular website

  8. The middleman encrypts the data returned by the normal content through the symmetric encryption algorithm established with the client

  9. The client decrypts the returned data through the symmetric encryption algorithm established with the middleman

Due to the lack of verification of certificates , So although the client initiated HTTPS request , But the client has no idea that his network has been blocked , The transmission content is stolen by the middleman .


How do browsers verify the validity of certificates ?

Browser initiation HTTPS When asked , The server will return to the website SSL certificate , The browser needs to verify the certificate as follows :

  1. Verify domain name 、 Whether the validity period and other information are correct . The certificate contains this information , It's easier to verify ;

  2. Determine whether the source of the certificate is legal . Each certificate can be checked according to the verification chain to find the corresponding root certificate , operating system 、 The browser will store the root certificate of the authority locally , Local root certificate can be used to issue certificates to corresponding organizations to complete source verification ; 

  3. Judge whether the certificate has been tampered with . Need and CA The server does the check ;

  4. Determine if the certificate has been revoked . adopt CRL(Certificate Revocation List Certificate cancellation list ) and OCSP(Online Certificate Status Protocol Online Certificate Status Protocol ) Realization , among OCSP It can be used in 3 Step in to reduce with CA Server interaction , Improve verification efficiency

Only when any of the above steps are satisfied can the browser consider the certificate legal .


Can only certification authorities generate certificates ?

If you need a browser that doesn't prompt for security risks , Only certificates issued by certification bodies can be used . But browsers usually just hint at security risks , There is no restriction on the access of the website , So technically anyone can generate a certificate , As long as you have a certificate, you can complete the website HTTPS transmission . For example, the early 12306 It adopts the form of manual installation of private certificate HTTPS visit .

What to do if the local random number is stolen ?

Certificate verification is implemented by asymmetric encryption , But the transmission process is symmetric encryption , The important random number in symmetric encryption algorithm is generated locally and stored locally HTTPS

How to ensure that random numbers are not stolen ?

Actually HTTPS It doesn't include security guarantees for random numbers ,HTTPS The only guarantee is the security of the transmission process , And random numbers are stored locally , Local security belongs to another security category , The countermeasures are to install anti-virus software 、 Ewido 、 Browser upgrade to fix bugs, etc .


It was used HTTPS Will you be caught ?

HTTPS The data is encrypted , In general, the package content caught by the agent of the packet capturing tool after request is the encrypted state , Unable to view directly .

however , As mentioned above , The browser will only prompt for security risks , If the user is authorized to continue to visit the website , Complete the request . therefore , As long as the client is our own terminal , When we authorize , Then we can set up a network of middlemen , And the bag grabbing tool is acting as a middleman . Usually HTTPS The way to use the package grabbing tool is to generate a certificate , The user needs to manually install the certificate into the client , Then all requests initiated by the terminal complete the interaction with the packet capturing tool through the certificate , Then the packet capturing tool forwards the request to the server , Finally, the results returned by the server are output by the console and then returned to the terminal , To complete the whole request closed loop .


since HTTPS Can't prevent catching bags , that HTTPS What's the point ? 
HTTPS It can prevent the communication link from being monitored without the user's knowledge , There is no protection for the operation of capturing the package of active credit , Because users of this scenario are already aware of the risks . To prevent being caught , Application level safety protection is required , For example, using private symmetric encryption , At the same time, do a good job of anti decompilation and reinforcement of mobile terminal , Prevent local algorithms from being **.


本文为[Programmer base]所创,转载请带上原文链接,感谢

  1. Html + CSS + JS implémentation ️ Responsive Lucky Turnover ️ [with full source Sharing]
  2. Ren Jialun, who married young, was in a mess. Now she feels that it is a blessing in disguise
  3. 达梦数据库使用disql生成html格式的巡检报告
  4. React render phase parsing II - beginwork process
  5. Tableau linéaire de la structure des données (dessin à la main)
  6. In 2022, what are the highlights and popular elements in skirts to make skirts more elegant and gentle?
  7. JQuery installation
  8. Exemple de développement Android, dernière compilation de questions d'entrevue Android
  9. Differences and relations between JDK, JRE and JVM, nginx architecture diagram
  10. 【Azure 云服务】Azure Cloud Service 为 Web Role(IIS Host)增加自定义字段 (把HTTP Request Header中的User-Agent字段增加到IIS输出日志中)
  11. 【Azure 云服务】Azure Cloud Service 为 Web Role(IIS Host)增加自定义字段 (把HTTP Request Header中的User-Agent字段增加到IIS输出日志中)
  12. Questions d'entrevue pour les ingénieurs en développement Android, Android Foundation 72 questions
  13. It's kind of Cadillac CT6 to have a Mercedes Benz S-class captain and a 10At entry-level configuration, falling to less than 300000
  14. H6 meets the strong enemy again! The car body has a Cayenne visual sense, breaking 8.8 seconds, and the top configuration is less than 130000
  15. How nginx supports HTTPS and Linux kernel video tutorial
  16. Le martyr se réjouit de sa vieillesse Audi R8 V10 performance Rwd
  17. import 方式隨意互轉,感受 babel 插件的威力
  18. Le mode d'importation peut se déplacer librement pour sentir la puissance du plug - in Babel
  19. Pas de héros en termes de ventes!Du point de vue de la force du produit, la nouvelle version ax7 Mach est plus forte que H6
  20. The vue3 + TS project introduces vant as needed
  21. 深入浅出虚拟 DOM 和 Diff 算法,及 Vue2 与 Vue3 中的区别
  22. 深入淺出虛擬 DOM 和 Diff 算法,及 Vue2 與 Vue3 中的區別
  23. Explorer les algorithmes DOM et diff virtuels et les différences entre vue2 et vue3
  24. 两万字Vue基础知识总结,小白零基础入门,跟着路线走,不迷路(建议收藏)
  25. Résumé des connaissances de base de 20 000 mots vue, Introduction à la petite base blanche zéro, suivre la route et ne pas se perdre (Collection recommandée)
  26. 兩萬字Vue基礎知識總結,小白零基礎入門,跟著路線走,不迷路(建議收藏)
  27. "Talk show conference 4" Zhou qimo a remporté le championnat. Tout le monde l'admire. Il est mature et stable et a une vue d'ensemble
  28. Test logiciel entrevue non technique questions classiques - mise à jour continue!
  29. Digital forward disassembly reverse disassembly
  30. Analyse du cache distribué redis et essence de l'entrevue en usine v6.2.6
  31. [Hadoop 3. X series] use of HDFS rest HTTP API (II) httpfs
  32. Zhang Daxian sang in the morning to bless the motherland, xYG team: singing is much better than us
  33. My three years' experience -- avoiding endless internal friction
  34. Introduction à l'algorithme "dénombrement binaire" modéré 01 - - question d'entrevue leetcode 10.09. Recherche de matrice de tri
  35. Introduction à l'algorithme simple 06 - - leetcode 34. Trouver la première et la dernière position d'un élément dans un tableau de tri
  36. CSS animation
  37. Explain the new tags in HTML5 and the pseudo classes and pseudo elements in CSS3
  38. They are all talking about "serverless first", but do you really understand serverless?
  39. [apprentissage de l'algorithme] 1486. Fonctionnement exclusif du tableau (Java / C / C + + / python / go / Rust)
  40. Front and back end data interaction (VI) -- advantages, disadvantages and comparison of Ajax, fetch and Axios
  41. Front and back end data interaction (V) -- what is Axios?
  42. Front and back end data interaction (III) -- Ajax encapsulation and call
  43. 前端 100 万行代码是怎样的体验?
  44. 湖中剑 前端周刊 #10(ESLint8、Web 端侧 AI、react-if)
  45. 湖中劍 前端周刊 #10(ESLint8、Web 端側 AI、react-if)
  46. 前端 100 萬行代碼是怎樣的體驗?
  47. Huzhong Sword Front End Weekly # 10 (eslint8, Web end ai, React if)
  48. Quelle est l'expérience du premier million de lignes de code?
  49. Pancakeswap front-end source compilation and deployment Linux
  50. Pancakeswap front-end source compilation - Windows
  51. Walls and columns are powered, and 50W transmission power is available in any corner. The University of Tokyo has built a wireless charging house
  52. Pas besoin d'embrayage pour allumer une voiture?Vieux conducteur: la voiture est très blessée par des erreurs. Ces mauvaises habitudes doivent être changées!
  53. Cadre de développement Android MVP, résumé de l'entrevue
  54. [Azure Cloud Service] Azure Cloud Service ajoute des champs personnalisés pour le rôle Web (hôte IIS) (ajoute le champ user agent dans l'en - tête de demande http au Journal de sortie IIS)
  55. Principes de la plate - forme de développement Android, questions d'entrevue de développement Android
  56. [Azure Cloud Service] Azure Cloud Service ajoute des champs personnalisés pour le rôle Web (hôte IIS) (ajoute le champ user agent dans l'en - tête de demande http au Journal de sortie IIS)
  57. Weilai es8 was listed in Norway and SAIC's driverless concept car appeared at the World Expo
  58. One of the most high-frequency algorithm problems in the front end! Reverse linked list
  59. Échange de doigts d'épée 11. Nombre minimum de tableaux rotatifs
  60. Questions et réponses à l'entrevue Big Data (réimprimé)