What is HTTPS?

infgrad

2022-03-19

Original article: What is HTTPS?

HTTPS is a secure way to send data between a web server and a web browser.

Hypertext transfer protocol secure (HTTPS) is the secure version of HTTP, which is the primary protocol used to send data between a web browser and a website. HTTPS is encrypted in order to increase the security of data transfer. This is particularly important when users transmit sensitive data, such as by logging into a bank account, email service, or health insurance provider.

Any website, especially one that requires login credentials, should use HTTPS. In modern web browsers such as Chrome, websites that do not use HTTPS are marked differently than those that do. Look for a green padlock in the URL bar to signify the webpage is secure. Web browsers take HTTPS seriously; Google Chrome and other browsers flag all non-HTTPS websites as not secure.

How does HTTPS work?

HTTPS uses an encryption protocol to encrypt communications. The protocol is called Transport Layer Security (TLS), although formerly it was known as Secure Sockets Layer (SSL). This protocol secures communications by using what’s known as an asymmetric public key infrastructure. This type of security system uses two different keys to encrypt communications between two parties:

  1. The private key - this key is controlled by the owner of a website and it’s kept, as the reader may have speculated, private. This key lives on a web server and is used to decrypt information encrypted by the public key.
  2. The public key - this key is available to everyone who wants to interact with the server in a way that’s secure. Information that’s encrypted by the public key can only be decrypted by the private key.

Why is HTTPS important? What happens if a website doesn’t have HTTPS?

HTTPS prevents websites from having their information broadcast in a way that’s easily viewed by anyone snooping on the network. When information is sent over regular HTTP, the information is broken into packets of data that can be easily “sniffed” using free software. This makes communication over an unsecured medium, such as public Wi-Fi, highly vulnerable to interception. In fact, all communications that occur over HTTP occur in plain text, making them highly accessible to anyone with the correct tools, and vulnerable to on-path attacks.

With HTTPS, traffic is encrypted such that even if the packets are sniffed or otherwise intercepted, they will come across as nonsensical characters. Let’s look at an example:

Before encryption:

This is a string of text that is completely readable

After encryption:

ITM0IRyiEhVpa6VnKyExMiEgNveroyWBPlgGyfkflYjDaaFf/Kn3bo3OfghBPDWo6AfSHlNtL8N7ITEwIXc1gU5X73xMsJormzzXlwOyrCs+9XCPk63Y+z0=

On websites without HTTPS, it is possible for Internet service providers (ISPs) or other intermediaries to inject content into webpages without the approval of the website owner. This commonly takes the form of advertising, where an ISP looking to increase revenue injects paid advertising into the webpages of their customers. Unsurprisingly, when this occurs, the profits for the advertisements and the quality control of those advertisements are in no way shared with the website owner. HTTPS eliminates the ability of unmoderated third parties to inject advertising into web content.

How is HTTPS different from HTTP?

Technically speaking, HTTPS is not a separate protocol from HTTP. It is simply using TLS/SSL encryption over the HTTP protocol. HTTPS occurs based upon the transmission of TLS/SSL certificates, which verify that a particular provider is who they say they are.

When a user connects to a webpage, the webpage will send over its SSL certificate, which contains the public key necessary to start the secure session. The two computers, the client and the server, then go through a process called an SSL/TLS handshake, which is a series of back-and-forth communications used to establish a secure connection. To take a deeper dive into encryption and the SSL/TLS handshake, read about what happens in a TLS handshake.

How does a website start using HTTPS?

Many website hosting providers and other services will offer TLS/SSL certificates for a fee. These certificates will often be shared amongst many customers. More expensive certificates are available which can be individually registered to particular web properties.

(Translator's note: these are probably certificates for second- or third-level domains under a first-level domain, hence "shared".)

The technical term for this is a multi-domain SSL certificate.

(Translator's note: certificates for a first-level domain are very expensive; certificates for second- and third-level domains are far cheaper.)
