I believe these experiences are familiar to you. While you browse the web, a small advertising window for the "Dragon Slaughter" game is inserted into the page; you clearly downloaded file decompression software, but once it is on your machine it turns out to be anti-virus, browser, and player software; the link you clicked pointed to a company's official website, but the page that opened was a Macau gaming website.
These phenomena are actually related to network traffic hijacking, and behind them is a war without gunsmoke. In the development history of the Internet for more than 30 years, the defense war around HTTP has never stopped.
The "streaking" world of HTTP
In 1982, the term "Internet" first entered the vocabulary of human society.
In 1993, across the ocean in the United States, the Internet began to grow like weeds without warning, and Internet companies such as Netscape and Yahoo were founded one after another.
At that time, the Internet was built on HTTP as its underlying protocol. Everything was transmitted in clear text, and information flowed freely like a vast ocean. It was undoubtedly a breathtaking sight.
However, in the world of HTTP plaintext transmission, all transmitted data, including personal information, email passwords, bank accounts and other confidential data, travels "naked", which makes it easy for "bad guys" to steal.
Moreover, over the past 30 years, hijacking web traffic has always been a favorite of hackers of every kind. The HTTP protocol leaves traffic open to being controlled by hackers at will while it is in transit.
In the face of such unscrupulous intrusion, Internet companies were obviously unwilling to sit and wait for the worst.
Encrypted SSL protocol
In 1994, Netscape designed version 1.0 of the SSL (Secure Sockets Layer) protocol, but it was not released. Its basic idea is to use data encryption to ensure that data is not intercepted or eavesdropped on during transmission between the client and the server.
However, the SSL 2.0 version released by Netscape was soon found to have serious vulnerabilities. It was not until 1996 that the SSL 3.0 version passed the verification. Since then, it has been widely used, and more and more Internet companies have adopted the SSL protocol.
In 1999, the Internet standardization organization ISOC took over from Netscape and released TLS 1.0, the upgraded version of SSL.
In 2006 and 2008, TLS was upgraded twice, namely TLS 1.1 and TLS 1.2. At present, mainstream browsers have implemented TLS 1.2 support.
The SSL/TLS protocol mainly addresses three major risks of HTTP:
(1) All information is encrypted and cannot be eavesdropped on by a third party.
(2) It has a verification mechanism. Once the data is tampered with, the communicating parties will find out immediately.
(3) It is equipped with identity certificates to prevent identities from being impersonated.
In fact, you will notice that some web addresses have changed from http:// to https://. The extra letter "S" means that the web page uses the SSL protocol, so its traffic is encrypted in transit and the security of its data is protected.
In short, HTTPS = HTTP + SSL. With SSL added, HTTPS is more secure than the HTTP protocol.
So, how does HTTPS play a role in website encryption transmission?
CA organizations and certificates as "notarization"
HTTPS uses the SSL protocol to convert plaintext into ciphertext through encryption and transfer it between the client and the server, much like delivering "coded intelligence". Encryption and decryption require the sender and receiver to exchange a common key.
Of course, there is also a very important premise: the "coded intelligence" must be delivered to "the right person".
For example, if I simply tell a stranger that "I am me", the other person may not believe me. But if I take out my ID card, the other party can immediately confirm that "I am me". The reason is very simple. The ID card is an authentication document issued by the national law enforcement agency, which has authority and credibility.
Similarly, in the Internet world, there is also such an authoritative "notary" role, whose full name is "Certificate Authority", or CA organization for short. The SSL authentication documents issued by it are called "SSL certificates".
The SSL certificate issued by the authoritative CA organization is similar to the passport of the Internet world. It can be deployed to the website server to achieve the identity authentication and information encryption transmission of the website.
At present, the mainstream CA organizations in the world include Symantec, GeoTrust, DigiCert, Thawte, GlobalSign, RapidSSL, etc.
In China, there are 43 CA institutions that have obtained the establishment permit of the Ministry of Industry and Information Technology and can provide digital certificates. Among them, Tianwei Integrity is the first CA certification institution approved by the Ministry of Industry and Information Technology of China, and the only CA certification institution directly authorized by DigiCert/Symantec in China, with the highest industry access standards.
Whether for enterprises or individual users, installing SSL certificates issued by authoritative CA organizations and accessing HTTPS encrypted websites are the "correct way to open websites".
Editor in charge: Liu Tingting