编程中的http和https有什么区别 [英] What is the difference between http and https in programming

问题描述

我只知道"s"代表安全"，用户切勿在仅使用http的网站上输入关键信息.但是我真的很想知道这两个协议对我的编程有什么影响，例如:

I just knew that the "s" stands for "Secure", and a user should never enter critical information on a website that use http only. But I really want to know what do these two protocols affect my programming, e.g:

• 某些网站如何获得"https"，而有些却没有(或者我不知道如何打开和关闭此功能).这是否意味着我必须在某个地方进行注册?

• How do some website got the "https" and some do not (or maybe how they turn on and off this feature, that I don't know). Does it mean I must register it somewhere?

我心想，http中的通讯未加密，虽然可能在https中进行了某些加密，这是正确的吗?

I thought to myself that communication in http is not encrypted, while some encryption may take place in https, is this correct?

并且由于加密(如果有)过程是由浏览器完成的，因此，我的服务器端代码与"http"或"https"无关，这是正确的吗?

And because the encryption (if any) process is done by the browser, as a result, my server-side code has nothing to do with "http" or "https", is it correct?

是否有一种方法可以强制用户仅使用https?

Is there a way to force user to use https only?

推荐答案

• 使用HTTPS协议的网站使用由受信任的第三方(或证书颁发机构")颁发的证书，该证书包含公用密钥(请参阅:

  • Websites using the HTTPS protocol use a certificate, issued by a trusted third party (or a "certificate authority"), which contains a public key (see: Public Key Infrastructure). The public key is paired with a private key, and information encrypted with the private key can only be decrypted with the public key. This is used to confirm that the server is the holder of the private key (and is therefore the entity certified by the certificate authority). To use the HTTPS protocol, you must either generate or buy a certificate. It is more common to buy certificates rather than generate them, for various reasons.

    HTTPS通信已加密.与证书关联的密钥不进行加密，而是浏览器和服务器使用Diffie-Hellman Exchange之类的方案来生成用于加密通信的密钥.这很重要，因为拥有公钥的任何人都可以解密使用私钥加密的事物.

    HTTPS communication is encrypted. The keys associated with the certificate don't do the encrypting, instead the browser and server use a scheme such as Diffie-Hellman Exchange to make a key that is used in encrypting communications. This is important, because anyone with the public key can decrypt things encrypted with the private key.

    从浏览器发送的信息由浏览器加密，并由服务器解密.您的Web服务器软件将解密信息；收到的信息将与标准HTTP流量没有区别.

    Information sent from the browser is encrypted by the browser and decrypted by the server. Your web server software will decrypt the information; the information received will appear no different from standard HTTP traffic.

    是的，您可以强制使用HTTPS.您可以通过服务器软件(例如Apache中的RewriteRule，其中RewriteCond检查HTTPS)或通过HSTS(包括发送特定的标头)来执行此操作.如果您在支持HSTS的浏览器中发送HSTS标头，则浏览器将自动从HTTP重定向到HTTPS(请参阅: HTTP严格的运输安全性).

    Yes, you can force HTTPS. You can do this either through your server software (e.g. RewriteRule in Apache, with a RewriteCond checking for HTTPS), or through HSTS, which involves sending a specific header. If you send an HSTS header in a browser supporting HSTS, the browser will automatically redirect from HTTP to HTTPS (see: HTTP Strict Transport Security).

    这篇关于编程中的http和https有什么区别的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！