While using HTTPS protocol, who encrypts the message, the Browser or the Network Card?

Published 2019-08-01 13:16

Question:

I am reading about WCF Transport Security and I get a plethora of doubts in my mind because I have less network knowledge.

They say transport security is good to use only when there is direct communication between client and server. There should be no intermediaries.

First of all I want to know, what are these intermediaries? According to me, they are the routers sitting in between, which relay the messages to the next hop, and are not complete computer systems on which somebody can sit and intercept the messages.

I have other doubts also regarding this topic, which I will ask once I receive the answer for this one.

Answer 1:

No, routers are not intermediaries in this scenario. Routers, switches and other network infrastructure devices operate on lower layers of the ISO/OSI or TCP/IP network protocol stacks.

Intermediaries are in this case gateways, load balancers or reverse proxies. From the client's point of view the gateway or reverse proxy is the host of the service, but it doesn't have to be. It can be just an entry point into some corporate network which will forward the message to the real host (the server hosting the service) hidden inside the corporate network.

The difference between message and transport security is that transport security ends at the gateway - for the client it is the destination, and the client opens a connection to that destination. The connection is point to point, and transport security cannot be maintained across multiple connections (transport security starts at one side of the connection and ends on the other side). Message security in turn is end to end, which means that the message carries its security as part of its content and gateways just forward the secured messages. Only the real destination (the real host of the service) should be able to decrypt those messages.

While using HTTPS protocol, who encrypts the message, the Browser or the Network Card?

Again, HTTPS is an upper-layer protocol - it is not the responsibility of the network card to use it. Some programming API or OS infrastructure is responsible for creating the HTTPS connection. The browser just calls this API.
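The point-to-point versus end-to-end distinction in the answer above can be made concrete by modelling a gateway that sits between client and backend. The following is an added example, not code from the original post and not WCF code: a toy authenticated stream cipher (HMAC-SHA256 keystream plus HMAC tag) stands in for both the TLS records of transport security and the WS-Security encryption of message security, and the keys `k1`, `k2` and `k_msg` and the sample payload are constructed. What it shows is where the plaintext exists: with transport security alone the gateway terminates hop 1 and necessarily holds the plaintext before opening hop 2; with message security the gateway still strips hop 1 but is left with a blob it has no key for, and only the backend can read it.

```python
"""Transport security versus message security at an intermediary (constructed model).

The toy cipher below is an illustration of the trust boundary only; it is not TLS
and not a WCF binding. seal()/unseal() stand in for "encrypt on one side of a
connection or message, decrypt on the other".
"""
import hashlib
import hmac
import os

NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from HMAC-SHA256(key, nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or a modified blob."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def transport_security_only(plaintext: bytes) -> dict:
    """Two point-to-point hops: client<->gateway (k1) and gateway<->backend (k2).

    The gateway is the endpoint of hop 1, so it holds the plaintext in the clear
    before it opens hop 2. Returns what each party ended up with.
    """
    k1, k2 = os.urandom(32), os.urandom(32)        # two independent sessions (constructed keys)
    on_wire_1 = seal(k1, plaintext)                # client -> gateway
    seen_by_gateway = unseal(k1, on_wire_1)        # gateway terminates hop 1: plaintext
    on_wire_2 = seal(k2, seen_by_gateway)          # gateway re-encrypts for hop 2
    received = unseal(k2, on_wire_2)               # backend terminates hop 2
    return {"gateway_saw": seen_by_gateway, "backend_got": received}


def message_security_through_gateway(plaintext: bytes) -> dict:
    """End-to-end key k_msg shared by client and backend only, carried inside the
    same two transport hops. The gateway strips hop 1 but can only forward an
    opaque blob; its attempt to read it with the hop key it does hold fails."""
    k_msg = os.urandom(32)                         # known to client and backend only
    k1, k2 = os.urandom(32), os.urandom(32)        # hop keys the gateway does hold
    sealed_msg = seal(k_msg, plaintext)            # message-level protection
    on_wire_1 = seal(k1, sealed_msg)               # transport hop 1 wraps the sealed message
    seen_by_gateway = unseal(k1, on_wire_1)        # == sealed_msg, still ciphertext
    gateway_can_read = True
    try:
        unseal(k1, seen_by_gateway)                # gateway tries the only key it has
    except ValueError:
        gateway_can_read = False
    on_wire_2 = seal(k2, seen_by_gateway)          # forward the opaque blob over hop 2
    received = unseal(k_msg, unseal(k2, on_wire_2))  # backend strips hop 2, then the message layer
    return {"gateway_saw": seen_by_gateway, "gateway_can_read": gateway_can_read, "backend_got": received}


if __name__ == "__main__":
    msg = b"<GetBalance account='42'/>"           # constructed sample payload
    t = transport_security_only(msg)
    m = message_security_through_gateway(msg)
    print("transport only: gateway saw plaintext ->", t["gateway_saw"] == msg)
    print("message security: gateway saw plaintext ->", m["gateway_saw"] == msg)
    print("message security: gateway could decrypt ->", m["gateway_can_read"])
    print("message security: backend decrypted ok ->", m["backend_got"] == msg)
```

The model also makes the answer's remark about where encryption happens visible: `seal` and `unseal` are called by the endpoints' application code, exactly as a browser or a WCF client calls into the platform's TLS API rather than having the network card do it.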