This topic provides an overview of Hypertext Transfer Protocol Secure (HTTPS) secure acceleration, including its working principles, benefits, and notes. HTTPS secure acceleration allows HTTPS-based encryption between clients and Content Delivery Network (CDN) nodes to ensure data security during transmission.

HTTPS

Hypertext Transfer Protocol (HTTP) transmits content in plaintext and does not encrypt data in any form. HTTPS extends HTTP to provide a secure channel: Secure Sockets Layer (SSL) or Transport Layer Security (TLS) is used as a layer beneath the regular HTTP application to authenticate the communicating parties and encrypt data. HTTPS is widely used to protect sensitive user data for services such as payment transactions.

According to a report released by the Electronic Frontier Foundation (EFF) in 2017, more than 50% of web traffic worldwide is transmitted over HTTPS.

Working principles

After you enable HTTPS in the Alibaba Cloud CDN console, requests from clients to Alibaba Cloud CDN nodes are encrypted over HTTPS. A CDN node retrieves the requested resources from the origin based on the origin configuration and then returns them to the client. We recommend that you also enable HTTPS on the origin to implement end-to-end HTTPS encryption.

The following figure shows the HTTPS encryption process.
[Figure: flowchart of the HTTPS encryption process]
  1. The client sends a request over HTTPS.
  2. The server prepares a public key and a private key in advance.
    Note You can prepare the keys on your own or request them from a professional organization. You can also request a free HTTPS certificate in the Alibaba Cloud CDN console.
  3. The server sends the public key to the client.
  4. The client authenticates the certificate.
    • If the certificate is valid, the client generates a random number as a key. The client encrypts the random number with the public key and transmits the encrypted random number to the server.
    • If the certificate is invalid, the SSL handshake fails.
    Note A valid certificate must meet the following requirements:
    • The certificate has not expired.
    • The certificate is issued by a trusted certificate authority (CA).
    • The digital signature of the issuer in the certificate can be verified with the public key of the issuer.
    • The domain name in the certificate is the same as that of the server.
  5. The server decrypts the random number by using the private key.
  6. The server uses the random number to encrypt data and transmits the data to the client.
  7. The client uses the random number to decrypt the received data.

Benefits

  • HTTPS provides protection against the following HTTP security threats:
    • Eavesdropping, where third parties may intercept your data during transmission.
    • Tampering, where third parties alter your data during transmission.
    • Spoofing, where third parties impersonate the identity of a user.
    • Hijacking, where your data is rerouted to third-party servers.
  • Benefits of HTTPS transmission:
    • HTTPS encrypts sensitive information such as session IDs and cookies before transmission. This prevents security threats caused by sensitive information leakage.
    • HTTPS checks data integrity during transmission to protect your Domain Name System (DNS) or content against man-in-the-middle (MITM) attacks such as hijacking and tampering.
    • HTTPS is the new norm. An increasing number of major browsers such as Google Chrome and Mozilla Firefox have labelled HTTP websites as insecure since 2018. If you choose to use HTTP, your website may be exposed to security risks. Users who visit your website by using these browsers are prompted that this website is insecure. This compromises user experience and may reduce visits to the website.
    • Google and Baidu prioritize HTTPS websites in search results. Additionally, major browsers support HTTP/2 only over HTTPS. HTTPS is a more reliable choice in terms of security, market presence, and user experience. Therefore, we recommend that you upgrade your communication protocol to HTTPS.

Scenarios

The following scenarios benefit from HTTPS.
  • Enterprise application: HTTPS protects confidential information on enterprise websites from being hijacked or intercepted. The confidential information includes customer relationship management (CRM) data and enterprise resource planning (ERP) data.
  • Government website: HTTPS protects authoritative information on government websites against threats such as phishing and hijacking. Leakage of such information may compromise public trust.
  • Payment system: HTTPS protects sensitive data such as the customer names and phone numbers used in payment transactions against hijacking and spoofing. If sensitive data is leaked, attackers can use such data to trick customers into making duplicate payments. This causes losses to both the customer and the enterprise.
  • API operations: API operations use HTTPS to encrypt important information such as sensitive data and crucial instructions. This protects the information against hijacking.
  • Enterprise website: HTTPS makes users feel more secure. Web browsers display a green lock icon in the address bar for websites with domain validated (DV) and organization validated (OV) certificates. The enterprise name is displayed together with the green lock for websites that use extended validation (EV) certificates.

Notes

The following notes describe the rules for using HTTPS secure acceleration.

Configurations
  • The following business scenarios support HTTPS secure acceleration:
    • Images and small files: web portals, e-commerce websites, news websites and applications, government or enterprise official websites, and entertainment or gaming websites and applications.
    • Large file download: video or audio applications and websites that provide content for users to download.
    • VOD: websites and applications that provide audio and video content such as movies, online education, news, and social networking.

  • You can enable HTTPS for wildcard domains.
  • You can enable or disable HTTPS secure acceleration as needed.
    • When HTTPS secure acceleration is enabled: You can modify certificates. The system supports both HTTP and HTTPS requests by default. In addition, you can use Enable force redirect to redirect all requests to either HTTP or HTTPS.
    • When HTTPS secure acceleration is disabled: The system no longer supports HTTPS requests and no longer keeps certificate or private key information. To enable certificates again, you must re-upload the certificates or private keys. For more information, see Configure HTTPS certificates.
  • You can view certificates but not private keys. Keep certificate-related information confidential.
  • You can update certificates. However, proceed with caution. HTTPS certificates take effect within one minute after they are updated.
Billing
HTTPS secure acceleration is a value-added service. After you enable HTTPS, you will be billed based on HTTPS requests. For more information about the billing standards, see Number of static HTTPS requests.
Note The billing for HTTPS requests is calculated separately and is not covered by the CDN data transfer plan. Before you enable HTTPS secure acceleration, make sure that your account balance is sufficient. CDN services may be suspended when your balance is insufficient.
Certificates
  • You must upload certificate and private key files in the PEM format for domains for which HTTPS secure acceleration is enabled.
    Note The Tengine web server used by CDN is designed based on the NGINX web server architecture. Therefore, the web server supports only certificate files in the NGINX-compatible PEM format. For more information, see Overview of certificate formats.
  • The uploaded certificate file must match the private key. Otherwise, the certificate authentication fails.
  • The private key must not be password-protected.
  • Only TLS handshakes that include the Server Name Indication (SNI) extension are supported.
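The certificate notes above (PEM format, certificate must match the key, no key password) plus the expiry requirement from step 4 of the handshake can be checked locally before uploading. The following script is an added example, not Alibaba Cloud CDN tooling; it assumes the openssl CLI is installed, and the domain name it generates a sample pair for is a placeholder.

```shell
#!/bin/sh
# check_pem_pair CERT KEY: prints "ok" and returns 0 when the pair satisfies the notes
# above; otherwise prints the first problem found to stderr and returns 1.
check_pem_pair() {
  cert="$1"
  key="$2"
  # Key must be unencrypted: encrypted PEM keys carry an "ENCRYPTED" marker either in the
  # BEGIN line (PKCS#8) or in a "Proc-Type: 4,ENCRYPTED" header (traditional OpenSSL format).
  if grep -qE 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$key"; then
    echo "private key is password-protected; upload an unencrypted key" >&2
    return 1
  fi
  # Both files must be PEM that an NGINX-style server can parse.
  openssl x509 -noout -in "$cert" 2>/dev/null || { echo "certificate is not valid PEM" >&2; return 1; }
  openssl pkey -noout -in "$key" 2>/dev/null || { echo "private key is not valid PEM" >&2; return 1; }
  # The public key embedded in the certificate must equal the one derived from the private key.
  cert_pub=$(openssl x509 -noout -pubkey -in "$cert")
  key_pub=$(openssl pkey -pubout -in "$key")
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "certificate does not match private key" >&2
    return 1
  fi
  # The certificate must not have expired (-checkend 0 fails when notAfter is in the past).
  openssl x509 -noout -checkend 0 -in "$cert" >/dev/null || { echo "certificate has expired" >&2; return 1; }
  echo ok
}

# Constructed sample input: a throwaway self-signed pair for a placeholder domain.
# $1 = output directory, $2 = common name; writes $1/cert.pem and $1/key.pem.
make_sample_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}
```

Run it as `check_pem_pair cert.pem key.pem` against the files you intend to upload; a non-zero exit means the console would reject the pair or the certificate has already expired.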

Related features

You can enable the following features as needed to enhance data security.
  • Configure HTTPS certificates: Enables HTTPS secure acceleration.
  • Enable HTTP/2: Enables HTTP/2, the latest version of the HTTP protocol. Major browsers such as Google Chrome, Internet Explorer 11, Safari, and Mozilla Firefox support HTTP/2.
  • Enable force redirect: Forcibly redirects end users' requests to HTTP or to HTTPS.
  • Configure TLS: Ensures communication security and data integrity.
  • Configure HSTS: Forces clients such as browsers to communicate with servers over HTTPS. This reduces the risk of requests being hijacked.