HTTP requests and responses are sent in plaintext, which means that anyone can read them.


HTTP vs. HTTPS: What are the differences?

HTTPS is HTTP with encryption. The only difference between the two protocols is that HTTPS uses TLS (SSL) to encrypt normal HTTP requests and responses. As a result, HTTPS is far more secure than HTTP. A website that uses HTTP has http:// in its URL, while a website that uses HTTPS has https://.


What is HTTP?

HTTP stands for Hypertext Transfer Protocol, and it is a protocol – or a prescribed order and syntax for presenting information – used for transferring data over a network. Most information that is sent over the Internet, including website content and API calls, uses the HTTP protocol. There are two main kinds of HTTP messages: requests and responses.


In the OSI model, HTTP is a layer 7 protocol.


What is an HTTP request? What is an HTTP response?

HTTP requests are generated by a user's browser as the user interacts with web properties. For example, if a user clicks on a hyperlink, the browser will send a series of "HTTP GET" requests for the content that appears on that page. If someone Googles "What is HTTP?" and this article shows up in the search results, when they click on the link, their browser will create and send a series of HTTP requests in order to get the information necessary to render the page.


These HTTP requests all go to either an origin server or a proxy caching server, and that server will generate an HTTP response. HTTP responses are answers to HTTP requests.


What does a typical HTTP request look like?

An HTTP request is just a series of lines of text that follow the HTTP protocol. A GET request might look like this:



GET /hello.txt HTTP/1.1
User-Agent: curl/7.63.0 libcurl/7.63.0 OpenSSL/1.1.l zlib/1.2.11
Host: www.example.com
Accept-Language: en

This section of text, generated by the user's browser, gets sent across the Internet. The problem is, it's sent just like this, in plaintext that anyone monitoring the connection can read. (Those who are unfamiliar with the HTTP protocol may find this text hard to understand, but anyone with a baseline knowledge of the protocol's commands and syntax can read it easily.)


This is especially an issue when users submit sensitive data via a website or a web application. This could be a password, a credit card number, or any other data entered into a form, and in HTTP all this data is sent in plaintext for anyone to read. (When a user submits a form, the browser translates this into an HTTP POST request instead of an HTTP GET request.)


When an origin server receives an HTTP request, it sends an HTTP response, which is similar:



HTTP/1.1 200 OK
Date: Wed, 30 Jan 2019 12:14:39 GMT
Server: Apache
Last-Modified: Mon, 28 Jan 2019 11:17:01 GMT
Accept-Ranges: bytes
Content-Length: 12
Vary: Accept-Encoding
Content-Type: text/plain

Hello World!
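The request and response above follow one fixed layout: a start line, header lines, a single empty line, then the body (whose length the Content-Length header announces). The parser below is an added example written for this article, not code from the original page; it takes the article's own GET request and 200 response as input, plus a constructed login-form POST (placeholder credentials, not real data) to show that a form submission is just as readable on the wire as the GET.

```python
"""Minimal HTTP/1.1 message parser: an added example for this article, not
code from the original page. It shows the structure the article's sample
request and response follow (start line, header lines, one empty line, body)
and how much a passive observer learns from a plaintext message.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# The request and response quoted in the article, in wire form (CRLF line ends).
SAMPLE_GET = (
    "GET /hello.txt HTTP/1.1\r\n"
    "User-Agent: curl/7.63.0 libcurl/7.63.0 OpenSSL/1.1.l zlib/1.2.11\r\n"
    "Host: www.example.com\r\n"
    "Accept-Language: en\r\n"
    "\r\n"
)

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 30 Jan 2019 12:14:39 GMT\r\n"
    "Server: Apache\r\n"
    "Last-Modified: Mon, 28 Jan 2019 11:17:01 GMT\r\n"
    "Accept-Ranges: bytes\r\n"
    "Content-Length: 12\r\n"
    "Vary: Accept-Encoding\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Hello World!"
)

# A constructed form submission, the kind of POST a login form produces.
# The field values are placeholders, not real credentials.
_FORM_BODY = "username=alice&password=s3cret"
SAMPLE_POST = (
    "POST /login HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(_FORM_BODY)}\r\n"
    "\r\n" + _FORM_BODY
)


@dataclass
class HttpMessage:
    start_line: str
    headers: dict = field(default_factory=dict)   # header names lower-cased
    body: str = ""


def parse_http_message(raw: str) -> HttpMessage:
    """Split one HTTP message into start line, headers and body.

    The first empty line separates the head from the body; Content-Length
    tells the receiver how many bytes of body belong to this message.
    """
    head, _, rest = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    msg = HttpMessage(start_line=lines[0])
    for line in lines[1:]:
        name, _, value = line.partition(":")
        msg.headers[name.strip().lower()] = value.strip()
    length = int(msg.headers.get("content-length", "0"))
    msg.body = rest[:length]
    return msg


def parse_request(raw: str):
    """Return (method, target, version, message) for a request."""
    msg = parse_http_message(raw)
    method, target, version = msg.start_line.split(" ", 2)
    return method, target, version, msg


def parse_response(raw: str):
    """Return (status_code, message) for a response."""
    msg = parse_http_message(raw)
    status = int(msg.start_line.split(" ", 2)[1])
    return status, msg


def form_fields(msg: HttpMessage) -> dict:
    """Decode a urlencoded form body into a name -> value dict."""
    media_type = msg.headers.get("content-type", "").split(";")[0].strip()
    if media_type != "application/x-www-form-urlencoded":
        return {}
    return {name: values[0] for name, values in parse_qs(msg.body).items()}


if __name__ == "__main__":
    method, target, _, req = parse_request(SAMPLE_GET)
    print(method, target, "for host", req.headers["host"])
    status, resp = parse_response(SAMPLE_RESPONSE)
    print(status, repr(resp.body))
    print("form fields visible on the wire:",
          form_fields(parse_http_message(SAMPLE_POST)))
```

Everything the parser extracts (method, path, Host, the form's field values) is exactly what a party sitting on the network path would extract from an HTTP connection; over HTTPS the same parser only ever runs inside the TLS endpoint, after decryption.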

If a website uses HTTP instead of HTTPS, all requests and responses can be read by anyone who is monitoring the session. Essentially, a malicious actor can just read the text in the request or the response and know exactly what information someone is asking for, sending, or receiving.


What is HTTPS?

The S in HTTPS stands for "secure." HTTPS uses TLS (or SSL) to encrypt HTTP requests and responses, so in the example above, instead of the text, an attacker would see a bunch of seemingly random characters.


Instead of:


GET /hello.txt HTTP/1.1
User-Agent: curl/7.63.0 libcurl/7.63.0 OpenSSL/1.1.l zlib/1.2.11
Host: www.example.com
Accept-Language: en

The attacker sees something like:

8Fw6T8UV81pQfyhDkhebbz7+oiwldr1j2gHBB3L3RFTRsQCpaSnSBZ78Vme+DpDVJPvZdZUZHpzbbcqmSW1+3xXGsERHg9YDmpYk0VVDiRvw1H5miNieJeJ/FNUjgH0BmVRWII6+T4MnDwmCMZUI/orxP3HGwYCSIvyzS3MpmmSe4iaWKCOHQ==

In HTTPS, how does TLS/SSL encrypt HTTP requests and responses?

TLS uses a technology called public key encryption: there are two keys, a public key and a private key, and the public key is shared with client devices via the server's SSL certificate. When a client opens a connection with a server, the two devices use the public and private key to agree on new keys, called session keys, to encrypt further communications between them.


All HTTP requests and responses are then encrypted with these session keys, so that anyone who intercepts communications can only see a random string of characters, not the plaintext.


How does HTTPS help authenticate web servers?

Authentication means verifying that a person or machine is who they claim to be. In HTTP, there is no verification of identity – it's based on a principle of trust. The architects of HTTP didn't necessarily make a decision to implicitly trust all web servers; they simply had priorities other than security at the time. But on the modern Internet, authentication is essential.


Just like an ID card confirms a person's identity, a private key confirms server identity. When a client opens a channel with an origin server (e.g. when a user navigates to a website), possession of the private key that matches with the public key in a website's SSL certificate proves that the server is actually the legitimate host of the website. This prevents or helps block a number of attacks that are possible when there is no authentication, such as:


  • On-path attacks
  • DNS hijacking
  • BGP hijacking
  • Domain spoofing
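The server authentication described above only protects a client that actually insists on it: the client must require a certificate chaining to a trusted CA and must check that the certificate's name matches the host it intended to reach. The snippet below, an added example using Python's standard ssl module (not code from the original article), puts the setting that silently gives up that protection next to the hardened configuration. The host and port are placeholders and no connection is opened, so it runs offline.

```python
"""Added example, not from the original article: how an HTTPS client
enforces (or, misconfigured, discards) the server authentication TLS gives it.
Uses only Python's standard ssl module; no network connection is made.
"""
import ssl

# Placeholder endpoint for illustration; not a real target.
EXAMPLE_HOST = "www.example.com"
EXAMPLE_PORT = 443


def weak_client_context() -> ssl.SSLContext:
    """The configuration to avoid.

    With certificate verification off, any server presenting *some* key pair
    is accepted, which is exactly the no-authentication situation the article
    describes (on-path, DNS- or BGP-hijacked and spoofed hosts all pass).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # do not validate the chain at all
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """A client context that actually authenticates the server."""
    ctx = ssl.create_default_context()   # loads the system CA trust store
    ctx.check_hostname = True            # cert name must match EXAMPLE_HOST
    ctx.verify_mode = ssl.CERT_REQUIRED  # server must present a valid chain
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_authenticates_server(ctx: ssl.SSLContext) -> bool:
    """True only if both chain validation and hostname matching are on."""
    return bool(ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname)


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def scheme_uses_tls(url: str) -> bool:
    """The article's rule of thumb: https:// means TLS is in use."""
    return url.lower().startswith("https://")


def wrap_for_host(ctx: ssl.SSLContext, sock, host: str = EXAMPLE_HOST):
    """Wrap an already-connected socket; server_hostname drives SNI and the
    hostname check. A failed check raises ssl.SSLCertVerificationError."""
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()),
                       ("hardened", hardened_client_context())):
        print(f"{label:9s} authenticates server: "
              f"{context_authenticates_server(ctx)}, "
              f"min TLS {minimum_version_name(ctx)}")
```

In practice the hardened context is just `ssl.create_default_context()` with its defaults left alone; the weak one is what appears whenever someone "fixes" a certificate error by turning verification off. A verification failure surfaces as `ssl.SSLCertVerificationError` on the `wrap_socket` call, which is the point at which a hijacked or spoofed host is rejected.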
