ArcLibrary
L1入门L2进阶L3生态

HTTPS

HTTP over TLS — wraps HTTP in an encrypted channel to defeat ISP snooping and MITM tampering.

HTTPSTLSEncryption
核心 · Key Idea

In one line: HTTPS = HTTP over TLS. It pushes HTTP's plaintext traffic through a TLS-protected encrypted channel — so ISPs / public Wi-Fi can't read the body or alter responses — and uses certificates to authenticate the server.

What it is#

HTTP:   [TCP]────[HTTP plaintext]
HTTPS:  [TCP]────[TLS encrypted]────[HTTP]

After the TCP handshake, TLS performs its own handshake — exchange keys, validate the certificate, negotiate algorithms — and bidirectional traffic is then symmetrically encrypted.

Analogy#

打个比方 · Analogy

HTTP is a postcard anyone on the route can read. HTTPS is a safe: both parties exchange keys during the handshake, then every letter is locked inside before posting — passers-by see only the locked safe.

Key concepts#

CertificateCertificate
An X.509 file containing a domain, public key, and issuer — proves 'this public key belongs to this domain'.
CACertificate Authority
Cert issuer. Browsers ship a trust list (Let's Encrypt, DigiCert, etc.).
SNIServer Name Indication
Client tells the server which domain to serve during the TLS handshake — essential for one-IP-many-certs.
HSTSHTTP Strict Transport Security
Server tells browsers 'always use HTTPS for me from now on'.
Mixed contentMixed Content
An HTTPS page that loads HTTP resources — the browser blocks them.

How it works#

TLS 1.3 compresses the handshake to 1-RTT, with optional 0-RTT resumption — a big speedup.

Practical notes#

  • Let's Encrypt + ACME: free certificates, auto-renewed every 90 days. Caddy / Traefik handle this natively; nginx pairs with certbot.
  • Expired certs are the #1 outage cause. Alert 7–14 days early.
  • curl -v https://... shows TLS version, cipher, certificate.
  • openssl s_client -connect host:443 -servername host debugs cert / SNI issues.
  • Mixed content: an HTTPS page loading HTTP assets is blocked. All-HTTPS sites avoid this.
  • HSTS preload: submit your domain to the browser-builtin list to enforce HTTPS forever.

Easy confusions#

HTTPS
Encrypts only **a single HTTP connection**.
SNI / IP still leak.
VPN
Encrypts **all** traffic to a VPN server.
ISPs see only "you connected to a VPN".

Further reading#