HTTPS (HTTP Secure)

what is HTTPS

HTTPS = HTTP + TSL

Hypertext Transfer Protocol Secure (HTTPS) is acommunications protocol forsecure
communication over a computer network, with especially wide deployment on the Internet. Technically, it is not a protocol in and of itself; rather, it is the result of simplylayering theHypertext
Transfer Protocol (HTTP) on top of the SSL/TLS protocol, thus adding the security capabilities of SSL/TLS to standard HTTP communications. The main motivation for HTTPS is to preventwiretapping
and man-in-the-middle attacks.

TLS (Transport Layer Security)

Transport Layer Security (TLS) and its predecessor,Secure Sockets Layer (SSL), arecryptographic
protocols designed to provide communication security over the Internet.^[1] They useX.509
certificates and henceasymmetric cryptography toauthenticate
the counterparty with whom they are communicating, and to exchange asymmetric key. This session key is then used to encrypt
data flowing between the parties. This allows for data/message confidentiality, andmessage authentication codes for message
integrity and as a by-product, message authentication. 

TLS handshaking procedure

1. Client sends hello message to server

2. Server sends hello message and certificate (public key is in certificate) to client

3. Client authenticate server's certificate by checking if received certificate subject name actually matches the name of server being contacted, if the issuer of the certificate is a trustedcertificate
authority (e.g. VeriSign/Microsoft/etc. which are pre-installed in browser)

4. Using all data generated in the handshake thus far, client creates the shared session key and encrypts it with server's public key, and then sends the encrypted session key to server

5. The client sends a message to server informing it that future messages from client will be encrypted with the session key, it then sends a separate message (encrypted) indicating that the client portion of handshake is finished.

6. The server does the same to client

How can i trust you

CA - Certificate Authority

CA is an entity that issues digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate and it is a
trusted third party that is trusted by both the subject (owner) of the certificate and the party relying upon the certificate.

CA Providers

• Symantec (which bought
  VeriSign's SSL interests and owns Thawte and Geotrust) with 38.1% market share
• Comodo Group with 29.1%
• Go Daddy with 13.4%
• GlobalSign with 10%

Java HTTPS support

Use HttpsURLConnection

http://www.mkyong.com/java/java-https-client-httpsurlconnection-example/



Use Apache AHC (Asynchronous Http Client)

http://camel.apache.org/ahc.html

参考：

http://en.wikipedia.org/wiki/HTTP_Secure

http://en.wikipedia.org/wiki/Transport_Layer_Security

http://en.wikipedia.org/wiki/Certificate_authority

版权声明：本文为博主原创文章，未经博主允许不得转载。