This topic provides an overview of Hypertext Transfer Protocol Secure (HTTPS) secure acceleration, including its working principles, benefits, and notes. HTTPS secure acceleration allows HTTPS-based encryption between clients and Content Delivery Network (CDN) nodes to ensure data security during transmission.
Hypertext Transfer Protocol (HTTP) transmits content in plaintext and does not encrypt data in any form. HTTPS extends HTTP by running it over a secure channel: Secure Sockets Layer (SSL) or Transport Layer Security (TLS) sits below the regular HTTP application layer to authenticate the communicating parties and encrypt data. HTTPS is widely used to protect sensitive user data for services such as payment transactions.
According to a report released by Electronic Frontier Foundation (EFF) in 2017, more than 50% of web traffic worldwide is transmitted over HTTPS.
After you enable HTTPS in the Alibaba Cloud CDN console, the requests from clients to Alibaba Cloud CDN nodes are encrypted over HTTPS. A CDN node retrieves the requested resources from the origin and then returns them to a client based on the origin configuration. We recommend that you enable HTTPS on the origin to implement end-to-end HTTPS encryption.
- The client sends a request over HTTPS.
- The server prepares a public key and a private key in advance.
  Note: You can prepare the keys on your own or request them from a professional organization. You can also request a free HTTPS certificate in the Alibaba Cloud CDN console.
- The server sends its certificate, which contains the public key, to the client.
- The client authenticates the certificate.
  Note: A valid certificate must meet the following requirements:
  - The certificate has not expired.
  - The certificate is issued by a trusted certificate authority (CA).
  - The digital signature of the issuer in the certificate can be verified with the public key of the issuer.
  - The domain name in the certificate is the same as that of the server.
  - If the certificate is valid, the client generates a random number as a key. The client uses the public key to encrypt the random number and transmits the encrypted random number to the server.
  - If the certificate is invalid, the SSL handshake fails.
- The server decrypts the random number by using the private key.
- The server uses the random number to encrypt data and transmits the data to the client.
- The client uses the random number to decrypt the received data.
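The client-side certificate checks listed above (not expired, issued by a trusted CA, domain name matches the server), as an added example that is not part of the Alibaba Cloud documentation: a Python function that applies them to the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()`. The sample certificate, the trust store and the clock are constructed; the issuer-signature check is left to the TLS library, which performs it during the handshake.

```python
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# a CDN edge certificate for cdn.example.com with one wildcard SAN.
SAMPLE_CERT = {
    "subject": ((("commonName", "cdn.example.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),
               (("commonName", "Example Trusted CA R1"),)),
    "subjectAltName": (("DNS", "cdn.example.com"), ("DNS", "*.img.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
}
# Constructed trust store (issuer common names the client accepts) and a fixed clock.
TRUSTED_CA_NAMES = {"Example Trusted CA R1"}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")


def hostname_matches(pattern, hostname):
    """Match a certificate name against the server name (RFC 6125 style):
    a leading '*' covers exactly one DNS label and never the whole name."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    if pattern.count(".") != hostname.count("."):
        return False                  # wildcard must not span several labels
    return hostname.endswith(pattern[1:]) and len(hostname) > len(pattern[1:])


def _common_name(name):
    """Pull the commonName out of a getpeercert() distinguished-name tuple."""
    return dict(attr for rdn in name for attr in rdn).get("commonName", "")


def check_certificate(cert, server_name, trusted_cas, now=None):
    """Return the list of failed checks; an empty list means the client accepts
    the certificate. The issuer signature is verified by the TLS library itself."""
    now = time.time() if now is None else now
    failures = []
    if not (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
            <= ssl.cert_time_to_seconds(cert["notAfter"])):
        failures.append("expired or not yet valid")
    if _common_name(cert["issuer"]) not in trusted_cas:
        failures.append("issuer not trusted")
    # Prefer subjectAltName; fall back to the subject CN only when no SAN exists.
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    names = names or [_common_name(cert["subject"])]
    if not any(hostname_matches(n, server_name) for n in names):
        failures.append("hostname mismatch")
    return failures
```

Any non-empty result corresponds to the "certificate is invalid" branch above, where the client must abort the handshake rather than proceed.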
- HTTPS provides protection against the following HTTP security threats:
  - Eavesdropping, where third parties intercept your data during transmission.
  - Tampering, where third parties alter your data during transmission.
  - Spoofing, where third parties impersonate the identity of a user.
  - Hijacking, where your data is rerouted to third-party servers.
- Benefits of HTTPS transmission:
  - HTTPS encrypts sensitive information such as session IDs and cookies before transmission. This prevents security threats caused by sensitive information leakage.
  - HTTPS checks data integrity during transmission to protect your Domain Name System (DNS) or content against man-in-the-middle (MITM) attacks such as hijacking and tampering.
  - HTTPS is the new norm. Since 2018, an increasing number of major browsers such as Google Chrome and Mozilla Firefox have labelled HTTP websites as insecure. If you choose to use HTTP, your website may be exposed to security risks, and users who visit it with these browsers are warned that the website is insecure. This compromises user experience and may reduce visits to the website.
  - Google and Baidu prioritize HTTPS websites in search results. Additionally, major browsers support HTTP/2 only over HTTPS. HTTPS is the more reliable choice in terms of security, market presence, and user experience. Therefore, we recommend that you upgrade your communication protocol to HTTPS.
| Scenario | Description |
| --- | --- |
| Enterprise application | HTTPS protects confidential information on enterprise websites from being hijacked or intercepted. The confidential information includes customer relationship management (CRM) data and enterprise resource planning (ERP) data. |
| Government website | HTTPS protects authoritative information on government websites against threats such as phishing and hijacking. Leakage of such information may compromise public trust. |
| Payment system | HTTPS protects sensitive data such as the customer names and phone numbers used in payment transactions against hijacking and spoofing. If sensitive data is leaked, attackers can use it to trick customers into making duplicate payments. This causes losses to both the customer and the enterprise. |
| API operations | API operations use HTTPS to encrypt important information such as sensitive data and crucial instructions. This protects the information against hijacking. |
| Enterprise website | HTTPS makes users feel more secure. Web browsers display a green lock icon in the address bar for websites with domain validated (DV) and organization validated (OV) certificates. The enterprise name is displayed together with the green lock for websites with extended validation (EV) certificates. |
HTTPS secure acceleration is a value-added service. After you enable HTTPS, you will be billed based on HTTPS requests. For more information about the billing standards, see Number of static HTTPS requests.
Note: The billing for HTTPS requests is calculated separately and is not covered by the CDN data transfer plan. Before you enable HTTPS secure acceleration, make sure that your account balance is sufficient. CDN services may be suspended when your balance is insufficient.
| Feature | Description |
| --- | --- |
| Configure HTTPS certificates | Enables HTTPS secure acceleration. |
| Enable HTTP/2 | Enables HTTP/2, the latest version of the HTTP protocol. Major browsers such as Google Chrome, Internet Explorer 11, Safari, and Mozilla Firefox support HTTP/2. |
| Enable force redirect | Redirects all end-user requests to HTTP or to HTTPS, whichever you select. |
| Configure TLS | Ensures communication security and data integrity. |
| Configure HSTS | Forces clients such as browsers to communicate with servers over HTTPS. This reduces the risk of requests being hijacked. |