HTTPS (HTTP Secure)

what is HTTPS

HTTPS = HTTP + TSL

Hypertext Transfer Protocol Secure ( HTTPS) is a communications protocol for secure communication over a computer network, with especially wide deployment on the Internet. Technically, it is not a protocol in and of itself; rather, it is the result of simply layering the Hypertext Transfer Protocol (HTTP) on top of the SSL/TLS protocol, thus adding the security capabilities of SSL/TLS to standard HTTP communications. The main motivation for HTTPS is to prevent wiretapping and man-in-the-middle attacks.

TLS (Transport Layer Security)

Transport Layer Security ( TLS) and its predecessor, Secure Sockets Layer ( SSL), are cryptographic protocols designed to provide communication security over the Internet. ^[1] They use X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom they are communicating, and to exchange a symmetric key. This session key is then used to encrypt data flowing between the parties. This allows for data/message confidentiality, and message authentication codes for message integrity and as a by-product, message authentication. 

TLS handshaking procedure

1. Client sends hello message to server

2. Server sends hello message and certificate (public key is in certificate) to client

3. Client authenticate server's certificate by checking if received certificate subject name actually matches the name of server being contacted, if the issuer of the certificate is a trusted certificate authority (e.g. VeriSign/Microsoft/etc. which are pre-installed in browser)

4. Using all data generated in the handshake thus far, client creates the shared session key and encrypts it with server's public key, and then sends the encrypted session key to server

5. The client sends a message to server informing it that future messages from client will be encrypted with the session key, it then sends a separate message (encrypted) indicating that the client portion of handshake is finished.

6. The server does the same to client

How can i trust you

CA - Certificate Authority

CA is an entity that issues digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate and it is a trusted third party that is trusted by both the subject (owner) of the certificate and the party relying upon the certificate.

CA Providers

• Symantec (which bought VeriSign's SSL interests and owns Thawte and Geotrust) with 38.1% market share
• Comodo Group with 29.1%
• Go Daddy with 13.4%
• GlobalSign with 10%

Java HTTPS support 

Use HttpsURLConnection

http://www.mkyong.com/java/java-https-client-httpsurlconnection-example/


Use Apache AHC (Asynchronous Http Client)

http://camel.apache.org/ahc.html

参考：

http://en.wikipedia.org/wiki/HTTP_Secure

http://en.wikipedia.org/wiki/Transport_Layer_Security

http://en.wikipedia.org/wiki/Certificate_authority