What is the use of HTTPS?
I am a beginner in HTTPS technology :(. I have some doubts regarding the HTTPS implementation.
Suppose I have a registration form
http://www.sitename.com/register.php
If I want to use this in HTTPS, this will become
https://www.sitename.com/register.php
What does this mean? How to implement HTTPS from scratch?
How do I get a certificate?
Thanks in advance!!
HTTPS stands for HTTP Secure. It is implemented via serving HTTP over a secure connection.
Take a look at HTTP Secure on Wikipedia for a much more in depth explanation.
Setting up HTTPS isn't a matter of merely changing the URL. You'll have to add an SSL certificate to your website to do that. These certificates can be obtained from Certificate Authorities (List of CAs) or you can use a self-signed certificate.
Speaking to your doubts about the HTTPS implementation: it is a well-established protocol which has been put through its paces by security experts with Ph.D.s on the subject. So you can trust the implementation of HTTPS.
Flat Mountain has a good article for Setting up SSL Certificates on Apache*
*assuming you're running your php through apache server
Others have given you good links to resources on exactly how HTTPS works. I'll address the two reasons why it is used:
1. Security
When using HTTPS, the traffic between your browser and the web server is encrypted. This prevents anyone who happens to have access to any of the many wires that your data will traverse as it crosses the Internet from looking at what you are sending the server, or what the server is sending you. This is why HTTPS is used for sending passwords and other login credentials. This is one reason why websites dealing with banking and other matters that require privacy use HTTPS. This is why you probably want to use HTTPS if you are reading your webmail from a public wi-fi connection.
2. Identity
When connecting via HTTPS, the web server provides to you a certificate. In addition to containing the public key needed to facilitate the encryption mentioned above, the certificate also attempts to prove the identity of the web server. This prevents anyone who happens to have access to any of the many wires that your data will traverse as it crosses the Internet from diverting your traffic to their server instead, and pretending to be the website you wanted to contact. All the encryption in the world doesn't help if you established that encrypted connection with a hacker.
To do this, certificates are "signed" by a Certificate Authority. Certificate Authorities aim to verify that the person they issue a certificate to is who they claim to be. That is, a CA will not issue a "bankofamerica.com" certificate to anyone other than Bank of America. Your browser comes with a pre-installed set of Certificate Authorities whose signatures it trusts. If the certificate the server gives you is not signed by one of these trusted CAs, the browser will warn you.
Note that failure of the identity step does not impede the security step. If an HTTPS server gives you a certificate that is not signed by a CA that your browser trusts, you can still establish an encrypted, secure connection with the server - you just can't be sure of who is actually running the server that you're talking to.
Serving over the https protocol means you are serving encrypted data, that in theory cannot be sniffed because it is not transmitted in plain text. The connection is usually over port 443 and not the typical port 80 for HTTP traffic.
Also, SSL provides for a certificate that authenticates you, the content server, with a third party, such as VeriSign or others.
For a professional site you can buy a certificate to install on your server, or in other cases it may be better to use a self signed certificate, although those will typically display a nasty error in common browsers (which may not be an issue if you only have trusted/trusting users).
HTTPS involves many layers and they are all there to ensure that your HTTP communication over the wire is encrypted and secure. One of the mechanisms it uses to ensure that security is to prove to the client that the server is actually who he says he is and not someone who is pretending to be the server. This is achieved using server certificates that are issued by certificate authorities that most clients trust.
Thus, you would need a few things for your form to work over HTTPS securely:
"www.sitename.com"
)
For your register.php page there won't be a difference between clients that come from HTTPS or HTTP; your handling will be the same. However, if you want to force users to use HTTPS, then you need to first check to see if the request is plain HTTP and, if it is, redirect the user to the same page with the HTTPS protocol. That way no one can inadvertently use the insecure address.
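An added example, not part of the answer above or of any code the posters supplied: one way to do the "check for plain HTTP, then redirect" step at the top of register.php. It assumes Apache terminates TLS itself (so `$_SERVER['HTTPS']` is set), uses the host name from the question as the fixed redirect target, and the function names are hypothetical.

```php
<?php
// Added example: force HTTPS at the top of register.php.
// CANONICAL_HOST comes from the question's URL; function names are hypothetical.
const CANONICAL_HOST = 'www.sitename.com';

function request_is_https(): bool
{
    // Apache with mod_ssl sets HTTPS to "on"; some servers set "off" for plain HTTP.
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

function https_url_for_request(): string
{
    // Build the target from a fixed host rather than the client-supplied
    // Host header, so the redirect cannot be steered to another site.
    $path = $_SERVER['REQUEST_URI'] ?? '/';
    if ($path === '' || $path[0] !== '/' || strpbrk($path, "\r\n") !== false) {
        $path = '/';
    }
    return 'https://' . CANONICAL_HOST . $path;
}

if (!request_is_https()) {
    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    if ($method !== 'GET' && $method !== 'HEAD') {
        // A form POSTed over plain HTTP has already crossed the network
        // unencrypted; refuse it instead of processing or redirecting it.
        http_response_code(400);
        exit('This form must be submitted over HTTPS.');
    }
    header('Location: ' . https_url_for_request(), true, 301);
    exit;
}

// From here on the request arrived over HTTPS.
// Ask browsers to use HTTPS for this host on future visits (HSTS).
header('Strict-Transport-Security: max-age=31536000');

// Send the session cookie only over HTTPS (array form needs PHP 7.3+).
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();

// ... existing registration handling continues unchanged ...
```

The form's `action` attribute should also point at the https:// URL, since a redirect only helps requests that have not yet carried the user's data.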
whew. um. You need to look at ssl and secure http. And possibly setting up ssl on apache.
Basically, it is an encrypted http connection. Ask yourself why you need an encrypted connection and is it really worth all the trouble.
If your site is run on Apache, you'll need to set up SSL and then make sure your vhost is set up to listen on 443 as well. Then any page in the vhost can be called with either protocol.
http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html
http://en.wikipedia.org/wiki/HTTP_Secure