          HTTPS Transmission Encryption Practice

          HTTP and HTTPS

          Concepts of HTTP and HTTPS

          HTTP is the Hypertext Transfer Protocol, the most widely used network protocol on the Internet. HTTP was originally designed to provide a way to publish and receive HTML pages. Resources requested through the HTTP or HTTPS protocol are identified by Uniform Resource Identifiers (URI).

          The HTTP protocol sends content in clear text and does not provide any method of data encryption. An attacker who intercepts the messages exchanged between the Web browser and the website server can read their contents directly, so the HTTP protocol is not suitable for transmitting sensitive information such as credit card numbers and passwords.

          HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) is an HTTP channel designed for security; put simply, it is the secure version of HTTP. HTTPS adds the SSL protocol on top of HTTP. SSL relies on certificates to verify the identity of the server and encrypts the communication between the browser and the server.

          Differences between HTTP and HTTPS

          The differences between HTTPS and HTTP come down to the following 4 points:

          • The HTTPS protocol requires the server to apply for a certificate from the CA first.
          • HTTP transmits in clear text, while HTTPS is a secure, SSL-encrypted transmission protocol.
          • HTTP and HTTPS use completely different connection methods and different ports: HTTP uses port 80 and HTTPS uses port 443.
          • An HTTP connection is simple and stateless, while HTTPS is a network protocol built from SSL + HTTP that provides encrypted transmission and identity authentication, which makes it more secure than HTTP.

          Using HTTPS to Ensure BOS Data Security

          BOS now fully supports both HTTP and HTTPS as transport protocols. The interaction process of HTTP and HTTPS with BOS is shown in the figure below.

          Using HTTP

          [Figure: BOS9.png]

          When the Client uses the HTTP protocol, the data travels in clear text, so a middle party may intercept or tamper with it during transmission, which poses a potential security risk.

          Using HTTPS

          [Figure: BOS10.png]

          HTTPS is an encrypted transmission, and BOS has applied for a certificate from the CA. The Client trusts the host only when the certificate it presents was issued for the BOS server.

          During transmission, BOS first returns its certificate information to the Client, and the Client verifies that the certificate is legitimate. Once verification passes, the Client and BOS negotiate a random symmetric encryption key, and all subsequent requests between the Client and BOS are encrypted with a secure symmetric encryption algorithm. Even if the traffic is intercepted by a malicious middle party, it is ciphertext and cannot be used to mount an attack, which effectively ensures the security of the transmitted data.

          Performance Impact

          Since HTTP is transmitted in clear text and HTTPS is encrypted, there are differences in three aspects: the response time QPS, throughput (network card), and resource consumption. The response time includes RTT (Round Trip Time), encryption and decryption time, and read and write processing time. The specific impact depends on many factors, such as the version of OpenSSL, the encryption algorithm used, and the RTT to the BOS Server.

          Compared with HTTP, HTTPS has to go through the SSL interaction process, so it incurs two more RTTs of delay than HTTP. For example, if the ping time is 40 ms, the delay of HTTPS increases by 80 ms compared with HTTP.

          In general, when network conditions are good and the file is large, choosing HTTPS has little impact; when network conditions are poor and the file is small, as in image processing and similar scenarios, the added delay of HTTPS is amplified.

          Configuration Example

          To protect your data during transmission, we recommend that you use the HTTPS protocol. The BOS API and SDK both fully support HTTPS configuration.

          API Method

          When using API access, set the port and protocol to HTTPS in the way appropriate to the language you use.
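
          As an added example (not Baidu's code and not part of any BOS SDK), the following Python standard-library sketch shows the client side of this configuration: it rewrites an endpoint to HTTPS on port 443 and builds a TLS context that performs the certificate and host-name verification described above. The function names, the TLS 1.2 floor and the placeholder host bos.example.com are assumptions made for illustration.

```python
import socket
import ssl
from urllib.parse import urlsplit


def to_https_endpoint(endpoint: str) -> str:
    """Rewrite an endpoint to https://, refusing schemes other than HTTP(S)."""
    if "://" not in endpoint:
        endpoint = "https://" + endpoint  # bare "host[:port]"
    parts = urlsplit(endpoint)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported endpoint: {endpoint!r}")
    # 80 is the cleartext port; 443 is the HTTPS default and stays implicit.
    if parts.port in (None, 80, 443):
        return f"https://{parts.hostname}"
    return f"https://{parts.hostname}:{parts.port}"


def strict_tls_context() -> ssl.SSLContext:
    """Client context that verifies the CA chain and the host name."""
    ctx = ssl.create_default_context()  # system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Refuse to continue if verification has been switched off.
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("certificate verification is disabled")
    return ctx


def handshake_info(endpoint: str, timeout: float = 5.0) -> dict:
    """Handshake with the endpoint and report what was negotiated.

    Needs network access. wrap_socket() raises ssl.SSLCertVerificationError
    when the certificate was not issued for the host or does not chain to a
    trusted CA, so no request is ever sent to an unverified server.
    """
    parts = urlsplit(to_https_endpoint(endpoint))
    host, port = parts.hostname, parts.port or 443
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with strict_tls_context().wrap_socket(raw, server_hostname=host) as tls:
            return {
                "tls_version": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": tls.getpeercert().get("subject"),
            }


if __name__ == "__main__":
    # bos.example.com is a placeholder, not a real BOS endpoint.
    print(to_https_endpoint("http://bos.example.com"))
```

          Calling handshake_info() with the endpoint of your own BOS region shows the negotiated protocol version and cipher, and fails before any data is sent if the certificate does not verify.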

          SDK Method

          When accessing BOS through the SDK, for the SDK configuration method of each language, please refer to:
