This topic provides an overview of HTTPS acceleration, including its working principles, benefits, and considerations. HTTPS acceleration allows HTTPS-based encryption between clients and CDN nodes, ensuring data security during transmission.
What is HTTPS?
Hypertext Transfer Protocol (HTTP) transmits content in plaintext and does not encrypt data in any form. As an extension of HTTP, Hypertext Transfer Protocol Secure (HTTPS) is an HTTP channel designed to enhance security. Secure Sockets Layer (SSL) or Transport Layer Security (TLS) is used as a sublayer under the regular HTTP application to authenticate users and encrypt data. HTTPS is widely used for services such as payment transactions that involve sensitive user data.
According to a report released by the Electronic Frontier Foundation (EFF) in 2017, more than 50% of web traffic across the globe is transmitted by using HTTPS.
After you enable HTTPS in the Alibaba Cloud CDN console, the requests from your client to Alibaba Cloud CDN nodes are encrypted by using HTTPS. The CDN node obtains the requested resources from the origin site and then returns them to your client based on the origin configuration. We recommend that you configure and enable HTTPS on the origin site to allow end-to-end HTTPS encryption.
- The client sends an HTTPS access request.
- The server holds a public/private key pair and a certificate for its public key, which you can generate yourself or apply for from a certificate authority (CA).
- The server sends the public key certificate file to the client.
- The client parses the certificate file to check whether it is correct.
  Note: A certificate file is considered correct only if it meets all of the following requirements:
  - The certificate has not expired.
  - The certificate is issued by a trusted certificate authority (CA).
  - The issuer's digital signature in the certificate can be verified by using the issuer's public key.
  - The domain name in the certificate matches that of the server.
- If the certificate file is correct, the client generates a random number (key), encrypts it with the server's public key, and sends it to the server.
- If the certificate file is incorrect, the SSL handshake between the client and the server fails.
- The server uses its private key to decrypt the message and obtain the random number (key).
- The server uses the obtained key to encrypt the data that it transmits to the client.
- The client uses the same key to decrypt the data.
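The four certificate requirements in the note above are what a client must enforce before it trusts the key exchange. The following is an added example, not Alibaba Cloud CDN code: it applies those checks to a certificate in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, and shows the two `ssl` context settings that make the library perform the same checks during the handshake. `SAMPLE_CERT` is a constructed certificate and `TRUSTED_ISSUERS` is a hypothetical trust store; both are assumptions of this example. The signature check itself needs the raw certificate bytes, which the dict form does not carry, so it is represented by the `signature_ok` flag that the TLS library would normally supply.

```python
"""Client-side certificate checks for the four requirements in the note
above (validity period, trusted issuer, issuer signature, domain name).
Added example; not Alibaba Cloud CDN code."""
import ssl
import time

# Constructed sample in the dict shape that ssl.SSLSocket.getpeercert()
# returns for a verified peer: names are tuples of RDN tuples, dates are
# ASN.1 time strings. All values are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Trust"),),
               (("commonName", "Example Trust Root CA"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.cdn.example.com")),
    "notBefore": "Mar 15 00:00:00 2024 GMT",
    "notAfter": "Mar 15 00:00:00 2035 GMT",
}

# Hypothetical trust store: issuer common names this client accepts.
TRUSTED_ISSUERS = {"Example Trust Root CA"}


def _rdn_value(name, attr):
    """Return the first value of attribute `attr` in a subject/issuer name."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def _hostname_matches(pattern, hostname):
    """Exact match, or a single-label wildcard in the leftmost label only."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".cdn.example.com"
        return hostname.endswith(suffix) and hostname.count(".") == pattern.count(".")
    return False


def check_certificate(cert, hostname, trusted_issuers, now=None, signature_ok=True):
    """Return the list of failed checks; an empty list means the certificate
    is acceptable for `hostname`. `now` is a Unix timestamp (default: current
    time). The dict form carries no signature bytes, so `signature_ok` stands
    in for the TLS library's verification of the issuer's signature."""
    now = time.time() if now is None else now
    failures = []
    # 1. Validity period: not expired, and not used before notBefore.
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        failures.append("expired")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        failures.append("not yet valid")
    # 2. Issued by a trusted CA.
    issuer_cn = _rdn_value(cert["issuer"], "commonName")
    if issuer_cn not in trusted_issuers:
        failures.append(f"untrusted issuer: {issuer_cn}")
    # 3. Issuer signature verifies with the issuer's public key.
    if not signature_ok:
        failures.append("issuer signature does not verify")
    # 4. The requested hostname is one the certificate was issued for
    #    (SAN dNSName entries; fall back to the subject CN only if there are none).
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = _rdn_value(cert["subject"], "commonName")
        names = [cn] if cn else []
    if not any(_hostname_matches(n, hostname) for n in names):
        failures.append(f"hostname {hostname} not covered by {names}")
    return failures


def strict_client_context():
    """The settings that make Python's ssl module perform checks 1-4 itself
    during the handshake; relaxing either one switches a check off."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True            # check 4
    ctx.verify_mode = ssl.CERT_REQUIRED  # checks 1-3 against the system CA store
    return ctx


if __name__ == "__main__":
    print(check_certificate(SAMPLE_CERT, "www.example.com", TRUSTED_ISSUERS))
    print(check_certificate(SAMPLE_CERT, "edge1.cdn.example.com", TRUSTED_ISSUERS))
    print(check_certificate(SAMPLE_CERT, "www.example.net", TRUSTED_ISSUERS, now=2_100_000_000))
```

Run stand-alone, the first two calls return an empty list (valid, trusted, name covered directly and by the wildcard) and the third reports both an expired certificate and an uncovered hostname. The practical point for a CDN client is the last function: any failure in the list is a reason to abort the handshake, and setting `check_hostname` or `verify_mode` to a weaker value is exactly what lets a spoofed or hijacked endpoint pass.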
- HTTPS can defend against the following security threats, which are common in HTTP:
  - Eavesdropping: Third parties can intercept the data.
  - Tampering: Third parties can alter the transmitted data.
  - Spoofing: Third parties can impersonate the identity of a user.
  - Hijacking: Includes traffic hijacking, link hijacking, and DNS hijacking.
- Benefits of HTTPS transmission:
  - HTTPS encrypts sensitive information such as session IDs and cookies before transmission, preventing security threats caused by the leakage of sensitive information.
  - HTTPS checks data integrity during transmission to protect your DNS or content against man-in-the-middle (MITM) attacks such as hijacking and tampering.
  - HTTPS is the new norm. An increasing number of mainstream browsers such as Google Chrome and Mozilla Firefox automatically identified HTTP websites as insecure in 2018. If an organization insists on using HTTP, it will face security vulnerabilities. Furthermore, when users visit the organization's website by using these browsers, they will be prompted that the website is insecure, which compromises user experience and hence reduces visits to the website.
  - Major network service providers such as Google and Baidu prioritize HTTPS websites in their search results. Additionally, mainstream browsers support HTTP/2 only over HTTPS, so HTTPS is a prerequisite for HTTP/2. HTTPS is the more reliable choice in terms of security, market presence, and user experience. Therefore, we recommend that you upgrade your access protocol to HTTPS.
| Scenario | Benefit of HTTPS |
| --- | --- |
| Enterprise application | HTTPS protects confidential information such as customer relationship management (CRM) data and enterprise resource planning (ERP) data on enterprise websites from being hijacked or intercepted. |
| Government website | HTTPS protects authoritative information on government websites against threats such as phishing and hijacking. Leakage of such information may cause public trust in the government to decline. |
| Payment system | HTTPS protects sensitive data such as customer names and phone numbers that are involved in payment transactions against hijacking and spoofing. If HTTPS is not used, a third party who obtains information about an order the customer has placed may trick the customer into making a duplicate payment, which causes losses to both the customer and the enterprise. |
| API | APIs use HTTPS to encrypt important information such as sensitive data and crucial operation instructions, so that the information cannot be hijacked. |
| Enterprise website | HTTPS makes users feel more secure. Web browsers display a green lock icon in the address bar for websites with domain validation (DV) and organization validation (OV) certificates. For websites with extended validation (EV) certificates, the enterprise name is displayed together with the green lock. |
HTTPS acceleration is a value-added service. After you enable HTTPS, HTTPS requests incur additional fees. For more information about the billing standards, see Static HTTPS Requests.
Note: The fee is charged separately based on the number of HTTPS requests and is not covered by the CDN data transfer plan. Before you enable HTTPS acceleration, make sure that your account has a sufficient balance. If your balance is exhausted, CDN services are suspended.
| Feature | Description |
| --- | --- |
| Configure HTTPS certificates | Enables HTTPS acceleration. |
| Enable HTTP/2 | HTTP/2 is the most advanced HTTP protocol and is used by major browsers such as Google Chrome, Internet Explorer 11, Safari, and Mozilla Firefox. |
| Enable force redirect | Redirects end-user requests to the configured protocol (for example, from HTTP to HTTPS), regardless of the protocol used in the original request. |
| Configure TLS | Helps ensure communication security and data integrity. |
| Configure HSTS | Forces clients such as browsers to establish HTTPS connections with servers, reducing hijacking risks in the first access requests. |
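Two of the settings in the table, force redirect and HSTS, are easy to verify from the responses a client receives. The following is an added example, not Alibaba Cloud CDN code: it checks that the plain-HTTP endpoint redirects to `https://` on the same host, and that the HTTPS endpoint sends a `Strict-Transport-Security` header whose `max-age` is long enough to keep browsers on HTTPS. The responses (`HTTP_RESPONSE`, `HTTPS_RESPONSE_GOOD`, `HTTPS_RESPONSE_WEAK`) are constructed for the example, not captured from a CDN, and the one-year minimum is an assumption of this example rather than a CDN requirement.

```python
"""Checks for the force-redirect and HSTS settings in the table above.
Added example; not Alibaba Cloud CDN code. The responses below are
constructed for the example, not captured from a real CDN."""
from urllib.parse import urlsplit

# What a client might see from http://www.example.com/ ...
HTTP_RESPONSE = (301, {"Location": "https://www.example.com/"})
# ... and from https://www.example.com/ with a strong and with a weak HSTS policy.
HTTPS_RESPONSE_GOOD = (200, {"Strict-Transport-Security":
                             "max-age=31536000; includeSubDomains; preload"})
HTTPS_RESPONSE_WEAK = (200, {"Strict-Transport-Security": "max-age=0"})

ONE_YEAR = 31536000  # assumed minimum max-age for a durable HSTS policy


def _lower_keys(headers):
    """HTTP header names are case-insensitive; normalise them for lookup."""
    return {k.lower(): v for k, v in headers.items()}


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value or True}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def check_force_redirect(status, headers, host):
    """Does the plain-HTTP endpoint redirect to https:// on the same host?
    Returns (ok, reason)."""
    if status not in (301, 302, 307, 308):
        return False, f"status {status} is not a redirect"
    location = urlsplit(_lower_keys(headers).get("location", ""))
    if location.scheme != "https":
        return False, f"Location scheme is {location.scheme!r}, not https"
    if location.hostname != host.lower():
        return False, f"redirect leaves the host: {location.hostname}"
    return True, "ok"


def check_hsts(headers, min_max_age=ONE_YEAR):
    """Is an HSTS policy present with a max-age of at least min_max_age?
    Returns (ok, reason). A max-age of 0 tells browsers to forget the policy."""
    value = _lower_keys(headers).get("strict-transport-security")
    if value is None:
        return False, "no Strict-Transport-Security header"
    directives = parse_hsts(value)
    raw = directives.get("max-age")
    if not isinstance(raw, str) or not raw.isdigit():
        return False, "missing or invalid max-age"
    max_age = int(raw)
    if max_age < min_max_age:
        return False, f"max-age {max_age} is below {min_max_age}"
    return True, "ok"


def audit(host, http_response, https_response):
    """Combine both checks for one hostname: (status, headers) pairs in, dict out."""
    return {
        "force_redirect": check_force_redirect(*http_response, host),
        "hsts": check_hsts(https_response[1]),
    }


if __name__ == "__main__":
    print(audit("www.example.com", HTTP_RESPONSE, HTTPS_RESPONSE_GOOD))
    print(audit("www.example.com", HTTP_RESPONSE, HTTPS_RESPONSE_WEAK))
```

The weak response fails only the HSTS check, which is the case to watch for: a site can redirect correctly and still leave every fresh visit open to interception because the policy expires immediately. HSTS only takes effect after a browser has seen the header once over HTTPS, which is why the table describes it as reducing, not eliminating, the risk on first access; the `preload` directive in the strong sample is what browser preload lists look for to close that gap.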