HTTP VS HTTPS

Tuesday, May 19, 2009 Posted by Md. Monjurul Hasan
I was trying to study the basics of them. Summarized here is what I have got.

> HTTP sends everything you do in plain text for anyone to read.

> HTTPS is slower and requires a secure server and therefore would be much more expensive. Browsing doesn't require a secure socket layer.

HTTPS encrypts everything you do so that no one but the recipient can read what you type.

The problem with encrypting data is that you can't just encrypt it and say only Yahoo can read it. Both you and Yahoo have to have a secret key, so that Yahoo can decrypt what you sent and encrypt private stuff for you to read.

This is accomplished by an encryption scheme known as public key. Yahoo puts out a public key so that everyone can encrypt stuff that only Yahoo can read. It's like a one-way key: you can package stuff up and send it to Yahoo so that they can read it with their private key, but someone with the public key can't see what you encrypted.

So you package up a key for Yahoo to use to talk to you, and you are all set.

The reason not all internet communication is done like this is what is known as the man-in-the-middle attack, and its solution.

It's quite simple to pretend to be yahoo.com if you know what you are doing. So I pretend to be Yahoo, and all the traffic you think is going to Yahoo comes to me. You ask me for my public key, and I respond with the public key of a fake public/private key pair that I made. Then I ask Yahoo for their public key, and everything you do, I do in turn with Yahoo, while I just watch for anything interesting, like credit cards, etc.
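The key hand-off and the key substitution described above, as an added example that is not part of the original post: textbook RSA with toy constructed primes and no padding, for illustration only. The `expected_fp` fingerprint check is an assumption of this example; it shows that a client who already knows the real key's fingerprint notices the swap before sending anything.

```python
import hashlib

def make_keypair(p, q, e=65537):
    """Textbook RSA from two primes. Toy sizes, no padding: illustration only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))        # (public key, private key)

def rsa(key, m):
    """Apply one RSA key (public or private) to an integer message."""
    n, exponent = key
    return pow(m, exponent, n)

def fingerprint(pub):
    """Short digest identifying a public key (format assumed for this example)."""
    n, e = pub
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()

# Constructed key pairs built from known Mersenne primes (far too small for real use).
YAHOO_PUB, YAHOO_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
MITM_PUB, MITM_PRIV = make_keypair(2**107 - 1, 2**127 - 1)

def exchange(session_key, intercepted, expected_fp=None):
    """Client wraps session_key for the server.

    Returns (key the server recovers, key the party in the middle recovers or None).
    Raises ValueError if expected_fp is given and the offered key does not match it.
    """
    offered = MITM_PUB if intercepted else YAHOO_PUB   # key the client is handed
    if expected_fp is not None and fingerprint(offered) != expected_fp:
        raise ValueError("offered public key does not match expected fingerprint")
    wire = rsa(offered, session_key)                   # what the client sends
    seen = None
    if intercepted:
        seen = rsa(MITM_PRIV, wire)                    # middle party unwraps it...
        wire = rsa(YAHOO_PUB, seen)                    # ...and re-wraps it for the server
    return rsa(YAHOO_PRIV, wire), seen

if __name__ == "__main__":
    key = 0x5EC2E7C0FFEE                               # constructed session key
    print("direct:     ", exchange(key, intercepted=False))
    print("intercepted:", exchange(key, intercepted=True))
    try:
        exchange(key, intercepted=True, expected_fp=fingerprint(YAHOO_PUB))
    except ValueError as err:
        print("with fingerprint check:", err)
```

In the intercepted run both sides still end up with the same session key, so nothing looks wrong to either of them; only the fingerprint comparison reveals that the client was handed a different public key.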

To be continued...