HTTP/HTTPS for Network

Time: 2019-8-13

Lying awake at night, listening to the wind and rain;
iron horses and frozen rivers come into my dreams.

Preface

University teachers used to say that there are three "heavenly books" (the hardest subjects) in computing: data structures, computer organization, and computer networks. Networking is therefore something anyone doing software development has to understand and master. In this post I describe, in plain language, the networking knowledge we have picked up.

Network Seven-Layer Model

  • Application layer

    The interface to network services, e.g. HTTP carrying 'hello, world'
  • Presentation layer

    Data format conversion
  • Session layer

    Establishes the end-to-end session and handles access verification, e.g. the SSL/TLS handshake
  • Transport layer

    UDP/TCP header + 'hello, world'
  • Network layer

    IP header + UDP/TCP header + 'hello, world'
  • Data link layer

    MAC addresses + IP header + UDP/TCP header + 'hello, world' + frame trailer
  • Physical layer

    Transmits the raw bits: 010101001

HTTP

  • Request/response messages

    **A request message consists of:**
          Request method
          URL
          Protocol version, e.g. HTTP/1.0
          Header fields
          Request body (for POST requests)
      **A response message consists of:**
          Protocol version
          Status code
          Reason phrase
          Header fields
          Response entity (body)
  • Request methods
    GET:

    Retrieves a resource
       Characteristics:
           Safe: should not cause any state change on the server
           Idempotent: repeating the request gives the same result
           Cacheable: proxy servers may cache the response

    POST:

    Submits data to be processed by the resource
       Characteristics:
           Not safe
           Not idempotent
           Not cacheable

    HEAD
    OPTIONS
    PUT

  • Status codes
    200:

    Request succeeded

    300:

    Redirection; further action is needed to complete the request

    400:

    Client error: bad request address or parameters

    500:

    Server-side error
  • Connection establishment
    TCP:

    Three-way handshake to open the connection, four-way handshake to close it
  • HTTP characteristics
    Connectionless:

    Each request needs its own TCP connection.

    Stateless:

    The server keeps no record of the user's identity or state between requests
  • Solving the connectionless problem
    Send multiple HTTP requests over the same TCP connection
    Header fields:

    Connection: keep-alive, with the parameters of the Keep-Alive header:
       timeout: 20 means that for 20 seconds no new TCP connection needs to be established
       max: the maximum number of requests allowed on the connection within that time

    How is the end of a message detected?

    Content-Length header
       or chunked transfer encoding, terminated by an empty (zero-length) chunk
  • Solving the stateless problem
    Solution: Cookie / Session
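The framing question above (Content-Length versus a terminating empty chunk) decides where one request ends and the next begins on a keep-alive connection. The following is an added example, not code from the original post; the request stream it parses is constructed for the demo.

```python
# Added example, not code from the original post: how an HTTP/1.1 receiver on a
# keep-alive connection finds where one message ends and the next begins.
# Framing comes from Content-Length, or from Transfer-Encoding: chunked ending in a
# zero-length chunk. The request stream below is constructed for the demo.

def parse_message(raw: bytes):
    """Return (headers, body, remaining) for the first message in raw."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    te = headers.get(b"transfer-encoding")
    cl = headers.get(b"content-length")
    if te is not None and cl is not None:
        # Ambiguous framing (RFC 7230 sec. 3.3.3): two hops could disagree on the
        # body length, so a careful receiver rejects such a message outright.
        raise ValueError("both Transfer-Encoding and Content-Length present")
    if te == b"chunked":
        body = b""
        while True:
            size_line, _, rest = rest.partition(b"\r\n")
            size = int(size_line.split(b";")[0], 16)   # chunk-size; ignore extensions
            if size == 0:                               # empty chunk terminates the body
                return headers, body, rest.partition(b"\r\n")[2]   # drop final CRLF
            body += rest[:size]
            rest = rest[size + 2:]                       # chunk data plus its CRLF
    length = int(cl) if cl is not None else 0           # no framing header: no body
    return headers, rest[:length], rest[length:]

def split_stream(raw: bytes):
    """Split one keep-alive byte stream into the bodies of its messages."""
    bodies = []
    while raw:
        _, body, raw = parse_message(raw)
        bodies.append(body)
    return bodies

# Two pipelined requests on one TCP connection: one framed by Content-Length,
# one by chunked encoding (constructed sample input).
STREAM = (
    b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n\r\nhello"
    b"POST /b HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"3\r\nabc\r\n2\r\nde\r\n0\r\n\r\n"
)
```

`split_stream(STREAM)` yields the two bodies `b'hello'` and `b'abcde'`; a message carrying both framing headers is rejected rather than guessed at.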

Differences between HTTPS and HTTP

HTTPS = HTTP + SSL/TLS:

SSL/TLS is inserted between the application layer and the transport layer
Various sources place SSL/TLS authentication at the session layer

HTTPS Link Establishment Process

  • Client -> Server: sends the supported TLS version, the supported cipher suites, and a random number C
  • Server -> Client: the chosen cipher suite, a random number S, and the server certificate (containing the public key)
  • Client verifies the certificate
  • Client generates the pre-master key and derives the session key from it together with C and S
  • Client encrypts the pre-master key with the server's public key and sends it
  • Server decrypts the pre-master key with its private key
  • Server derives the same session key
  • Client sends an encrypted handshake (Finished) message for verification
  • Server sends an encrypted handshake (Finished) message for verification

Encryption of HTTPS

  • Asymmetric encryption (expensive) is used only while establishing the connection
  • Symmetric encryption is used for all subsequent communication

Asymmetric encryption

  • What the private key encrypts, the public key decrypts
  • What the public key encrypts, the private key decrypts
  • Only the public key is sent over the network; the private key stays on the server, so asymmetric encryption is relatively safe.

Symmetric encryption

  • The single shared key has to be transmitted over the network, which is unsafe on its own.
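The handshake steps and the asymmetric/symmetric split described above, played out by a client and a server in one process. This is an added example, not code from the original post: toy RSA with Mersenne primes stands in for the certificate's key (far too small for real use), HMAC-SHA256 stands in for the TLS PRF and for the encrypted Finished message, and every value is constructed here.

```python
# Added example, not code from the original post: the handshake steps above played
# out by a client and a server in one process. Toy RSA with Mersenne primes stands
# in for the certificate's key (far too small for real use) and HMAC-SHA256 stands
# in for the TLS PRF; all values are constructed here.
import hashlib, hmac, os

P, Q = 2**31 - 1, 2**61 - 1          # toy server key pair (both primes)
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent stays on the server

def rsa_encrypt(m: int, pub=(N, E)) -> int:     # anyone with the public key
    return pow(m, pub[1], pub[0])

def rsa_decrypt(c: int, priv=(N, D)) -> int:    # only the private key holder
    return pow(c, priv[1], priv[0])

def derive_session_key(pre_master: bytes, rand_c: bytes, rand_s: bytes) -> bytes:
    """Both sides mix the pre-master key with the two handshake randoms."""
    return hmac.new(pre_master, b"master" + rand_c + rand_s, hashlib.sha256).digest()

def finished(key: bytes, transcript: bytes, who: bytes) -> bytes:
    """Handshake verification (Finished) message: a MAC over everything exchanged."""
    return hmac.new(key, who + transcript, hashlib.sha256).digest()

def handshake():
    rand_c = os.urandom(32)                      # ClientHello: random C
    rand_s = os.urandom(32)                      # ServerHello: random S + public key
    transcript = rand_c + rand_s + N.to_bytes(12, "big")
    pre_master = int.from_bytes(os.urandom(8), "big")   # client picks pre-master (< N)
    sealed = rsa_encrypt(pre_master)             # encrypted with the server public key
    recovered = rsa_decrypt(sealed)              # server decrypts with its private key
    client_key = derive_session_key(pre_master.to_bytes(8, "big"), rand_c, rand_s)
    server_key = derive_session_key(recovered.to_bytes(8, "big"), rand_c, rand_s)
    # Each side checks the other's Finished message with its own session key.
    client_ok = hmac.compare_digest(finished(server_key, transcript, b"server"),
                                    finished(client_key, transcript, b"server"))
    server_ok = hmac.compare_digest(finished(client_key, transcript, b"client"),
                                    finished(server_key, transcript, b"client"))
    # Someone who only saw the wire has sealed, C and S but not the private key,
    # so the symmetric key they could derive does not match.
    observer_key = derive_session_key(sealed.to_bytes(12, "big"), rand_c, rand_s)
    return client_ok and server_ok, observer_key != client_key
```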

TCP (Transmission Control Protocol)

Characteristics:

  • Connection-oriented

    A connection is established (three-way handshake) before data transfer starts
      and released after data transfer finishes (four-way handshake)
  • Reliable transmission

    No errors, no loss, no duplication, in-order delivery, retransmission on timeout
  • Byte-stream oriented

    TCP decides the segment sizes itself; they are not controlled by the sending application.
      Maximum transmission unit = 1500 bytes = 20-byte IP header + 20-byte TCP header + data
  • Flow control

    Sliding window protocol
  • Congestion control

    Slow start, congestion avoidance
          Exponential growth (segments per round: 1, 2, 4, 8, 16)
          On reaching the threshold: switch to additive increase
          On network congestion: multiplicative decrease, setting a new threshold
      Fast retransmit, fast recovery
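The congestion-control behaviour listed above, as an added per-RTT simulation (not code from the original post). Window sizes are in segments and the loss rounds are chosen for the demo; the `fast_recovery` switch contrasts a timeout (restart from 1) with fast recovery (resume from the new threshold).

```python
# Added example, not code from the original post: a per-RTT simulation of the
# congestion-control behaviour listed above (slow start, congestion avoidance,
# multiplicative decrease). Window sizes are in segments; the loss rounds are chosen
# for the demo.

def simulate_cwnd(rounds: int, ssthresh: int, loss_rounds=(), fast_recovery=False):
    """Return the congestion window at the start of each RTT round."""
    cwnd, history = 1, []
    for r in range(rounds):
        history.append(cwnd)
        if r in loss_rounds:
            ssthresh = max(cwnd // 2, 2)          # multiplicative decrease sets a new threshold
            # timeout: restart slow start from 1; fast recovery (after fast retransmit):
            # continue from the new threshold in congestion avoidance
            cwnd = ssthresh if fast_recovery else 1
        elif cwnd < ssthresh:
            cwnd = min(cwnd * 2, ssthresh)        # slow start: 1, 2, 4, 8, 16 ... up to the threshold
        else:
            cwnd += 1                             # congestion avoidance: additive increase
    return history
```

With `ssthresh=8` and a loss in round 6, the window runs 1, 2, 4, 8 and then grows by one per round until the loss halves the threshold to 5.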

Sliding Window Protocol

When the sender transmits segments faster than the receiver can take them (the receiver's window is relatively small),
the receiver corrects the sender's rate by advertising a smaller window value in the window field of the TCP header.

UDP (User Datagram Protocol)

Characteristics

Connectionless: no connection setup is required
Best-effort delivery: no guarantee of delivery or in-order arrival
Datagram oriented: datagrams are neither split nor merged

Function

Multiplexing and demultiplexing

DNS parsing

Maps a domain name to an IP address; the resolution request is sent as a plaintext UDP datagram
using the DNS protocol to port 53 of the DNS server

DNS parsing process

- The client asks the DNS server to resolve the domain name using the DNS protocol
- The DNS server returns the corresponding IP to the client
- The client uses that IP to send its network request to the server
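The datagram a client sends to port 53 and the reply it gets back, decoded. This is an added example, not code from the original post; it shows that the queried name and the returned IP are readable to anyone on the path, which is what makes the hijacking discussed below possible. The response bytes are constructed for the demo and the name and address are placeholders.

```python
# Added example, not code from the original post: the UDP datagram a client sends to
# port 53 and the reply it gets back, decoded, to show that both the queried name and
# the returned IP travel in plaintext. The response bytes are constructed for the demo
# and the name and address are placeholders.
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Header (id, RD flag, one question) + QNAME labels + QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def read_name(pkt: bytes, off: int):
    """Decode labels at off, following a compression pointer (0xC0xx) if present."""
    labels = []
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:                      # pointer to an earlier copy of the name
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            labels.append(read_name(pkt, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if n == 0:                                # root label ends the name
            return ".".join(labels), off
        labels.append(pkt[off:off + n].decode())
        off += n

def parse_a_answers(resp: bytes):
    """Return (txid, [(name, ttl, ip)]) for the A records in a response."""
    txid, _flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):                           # skip the echoed question section
        _, off = read_name(resp, off)
        off += 4                                  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(resp, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:             # A record: 4-byte IPv4 address
            answers.append((name, ttl, ".".join(map(str, resp[off:off + 4]))))
        off += rdlen
    return txid, answers

# Constructed reply to build_query("www.example.test"): same id, flags QR=1 RD RA,
# one answer whose name is a pointer (0xC00C) to the question, TTL 60, A 192.0.2.10.
RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
            + build_query("www.example.test")[12:]
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10]))
```

Nothing in either datagram is encrypted or signed, so a resolver on the path that answers with a different address is indistinguishable from the real one at this layer.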

DNS parsing query mode

  • Recursive query

    Each server asks the next one on the client's behalf and passes the answer back: Client -> Local DNS -> Root DNS -> Top-level DNS -> Authoritative DNS
  • Iterative query

    The client's local DNS asks the root, top-level and authoritative DNS servers one after another, each referring it to the next

DNS hijacking

**Cause:** a third-party (phishing) DNS server on the public network intercepts our DNS resolution request and returns a wrong IP

How to solve DNS hijacking

HttpDNS

DNS resolution: uses the DNS protocol to query port 53 of the DNS server
   HttpDNS resolution: uses HTTP to query port 80 of the HttpDNS server, so no DNS-protocol resolution takes place and DNS hijacking cannot occur, e.g.
   http://119.29.29.29/d?dn=www.xiaozhu.com&ip=172.18.134.109

Long-lived connection

Client <-(long-lived connection channel)-> long-connection server (proxy server) <-> API server
The client's HTTP requests are resolved by the proxy server over an intranet private line, which avoids public-network DNS hijacking.

What is the relationship between DNS hijacking and HTTP?

There is none.

Because DNS resolution happens before the HTTP connection is established
Because DNS requests are sent as UDP datagrams to port 53

DNS resolution forwarding

Client -> China Mobile DNS -> China Telecom DNS -> China Unicom DNS: because of protocol constraints each resolver passes the query on to the next, so DNS resolution becomes slow and so do the network requests that depend on it.

Session/Cookie

Compensate for HTTP's statelessness: without them, when the client sends its next request the server cannot recognize the user again

Cookie

Records and distinguishes users; the state is stored on the client
How to keep cookies secure?

Encrypt the cookie contents
Send cookies only over HTTPS (recommended)
Mark cookies HttpOnly so page scripts cannot read them, which limits cross-site scripting attacks

How to modify a cookie

A new cookie overrides the old one
Override rule: name, path and domain must match the original cookie

How to delete a cookie

A new cookie overrides the old one
Override rule: name, path and domain must match the original cookie
Set the cookie's Expires to a point in the past, or Max-Age=0

Session
Records and distinguishes users; the state is saved on the server side.

Workflow
    The client sends a request; the server records the user's state and generates a session ID
    The session ID is passed back to the client in a cookie
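The cookie hardening, override and deletion rules and the session workflow above, as an added example (not code from the original post) using the standard-library http.cookies module. The in-memory session store and the user name are constructed for the demo.

```python
# Added example, not code from the original post: a session cookie issued, checked
# and deleted the way the text describes, using the stdlib http.cookies module.
# The in-memory session store and the user name are constructed for the demo.
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}   # server-side state: session id -> user data (the "session")

def issue_session(user: str) -> str:
    """Server records the user's state and returns a Set-Cookie value holding only an id."""
    sid = secrets.token_urlsafe(32)      # unguessable; the state itself never leaves the server
    SESSIONS[sid] = {"user": user}
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["path"] = "/"
    c["sid"]["max-age"] = 3600
    c["sid"]["secure"] = True            # carried only over HTTPS
    c["sid"]["httponly"] = True          # invisible to page scripts, so XSS cannot read it
    c["sid"]["samesite"] = "Lax"
    return c.output(header="").strip()

def current_user(cookie_header: str):
    """Look the id up on the server; a forged or expired id simply matches nothing."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    sid = jar["sid"].value if "sid" in jar else None
    return SESSIONS.get(sid, {}).get("user")

def delete_session(cookie_header: str) -> str:
    """Overwrite with the same name and path, expired: Max-Age=0 and an Expires in the past."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "sid" in jar:
        SESSIONS.pop(jar["sid"].value, None)     # drop the server-side state too
    c = SimpleCookie()
    c["sid"] = ""
    c["sid"]["path"] = "/"                       # must match the original cookie's path
    c["sid"]["max-age"] = 0
    c["sid"]["expires"] = "Thu, 01 Jan 1970 00:00:00 GMT"
    return c.output(header="").strip()
```

Because only an opaque id travels to the client, altering the cookie value gains nothing: the lookup on the server fails and `current_user` returns `None`.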
