HTTPS is used for secure communication over networks. It provides reinforced protection for content delivery that is accelerated by Alibaba Cloud CDN. SSL secures data that is transmitted between clients and servers when Alibaba Cloud CDN is used to accelerate content delivery. This topic provides answers to some frequently asked questions about HTTPS secure acceleration.

What is HTTPS?

HTTPS is HTTP carried over a connection that is encrypted with Transport Layer Security (TLS) or its predecessor SSL, which protects data in transit. Plain HTTP transmits data in plaintext and does not encrypt it. HTTPS extends HTTP with a channel that is designed to ensure data security: it authenticates the communicating parties and encrypts the connection. HTTPS is widely used to protect sensitive user data for services such as payment transactions. When you configure HTTPS for a domain name in the Alibaba Cloud CDN console, you must provide the SSL certificate of the domain name. The certificate is deployed to all edge nodes, after which data transmitted over HTTPS is encrypted when content delivery is accelerated by Alibaba Cloud CDN.

Will additional fees be charged after I enable HTTPS secure acceleration?

Yes, additional fees are charged for HTTPS secure acceleration. After HTTPS secure acceleration is enabled, data is transmitted over HTTPS between a client and the edge node that responds to the client. Both SSL handshakes and content encryption and decryption require computation that consumes additional CPU resources on edge nodes. The amount of resources consumed by the origin server that provides the content remains unchanged, because in this case data is still transmitted over HTTP between the edge node and the origin server.

If you purchase SSL certificates of other types, additional fees are charged. You can also log on to the SSL Certificates Service console to apply for free certificates, which are Domain Validation (DV) certificates. You can apply for one free SSL certificate for each accelerated domain name. A free SSL certificate is valid for one year, and the system automatically renews it when it is about to expire. After you configure an SSL certificate for a domain name, the domain name is billed based on the number of HTTPS requests sent to edge nodes.

How can I configure an SSL certificate?

You can configure an SSL certificate in the Alibaba Cloud CDN console. For more information, see Configure an SSL certificate.

Do I need to configure HTTPS secure acceleration for edge nodes if HTTPS is configured on the origin server?

Yes, you must configure HTTPS secure acceleration for edge nodes even if HTTPS is configured on the origin server. HTTPS applies to communication between clients and an origin server. Before Alibaba Cloud CDN is activated, clients directly retrieve content from the origin server. Therefore, HTTPS secure acceleration must be configured on the origin server to support content delivery. After Alibaba Cloud CDN is activated, clients interact with edge nodes. To enable communication over HTTPS between clients and edge nodes, an SSL certificate must be configured for your accelerated domain name and deployed to edge nodes. For more information about how to configure an SSL certificate, see Configure an SSL certificate.

Do I need to renew the SSL certificate in Alibaba Cloud CDN after an origin server renews its SSL certificate?

No, you do not need to renew the SSL certificate in Alibaba Cloud CDN after an origin server renews its SSL certificate. The updated SSL certificate on the origin server does not affect the SSL certificate in Alibaba Cloud CDN. You must update the SSL certificate in Alibaba Cloud CDN only when the SSL certificate has expired or is about to expire. For more information, see Configure an SSL certificate.

Why do clients access edge nodes over HTTP after I enable HTTPS secure acceleration?

Clients can access edge nodes over HTTP or HTTPS based on client settings. If you want clients to access edge nodes over HTTPS, you can configure the 302 redirection feature in the Alibaba Cloud CDN console. For more information, see Configure the force redirect feature.

What can I do if my application for a free SSL certificate fails?

Specific limits apply when you apply for a free SSL certificate in the Alibaba Cloud CDN console. These limits may cause your application for a free SSL certificate to fail. In this case, we recommend that you log on to the SSL Certificates Service console to apply for and deploy a free SSL certificate.

What can I do when the system reports a duplicate SSL certificate after I upload the certificate?

If you set Certificate Source to Upload Custom Certificate (Certificate+Private Key), upload a certificate, and the system reports that the certificate already exists, change the certificate name and try again.

How can I convert the SSL certificate format when the system prompts that the certificate format is invalid?

Alibaba Cloud CDN supports only SSL certificates in Privacy-Enhanced Mail (PEM) format. The requirements on the content of uploaded certificates vary based on the certificate authority. For more information, see Certificate formats. If your certificate is not in PEM format, convert the certificate format before it is uploaded. For more information, see Convert certificate formats.
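As an added example that is not part of the Alibaba Cloud documentation, a small Python helper that checks whether a certificate file is already PEM, re-emits it with clean line endings and 64-column lines, wraps a binary DER certificate into PEM, and refuses a PKCS#12 bundle (which also starts as a DER SEQUENCE and has to be converted with a key-aware tool such as openssl first). The sample bytes in the test are constructed stand-ins, not real certificates.

```python
import base64
import re
import textwrap

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def der_is_certificate(der: bytes) -> bool:
    """An X.509 certificate is SEQUENCE { SEQUENCE tbsCertificate, ... }.
    A PKCS#12 bundle is also an outer SEQUENCE, but its first element is an
    INTEGER version (tag 0x02), which is how the two are told apart here."""
    if len(der) < 3 or der[0] != 0x30:
        return False
    # DER length is one byte below 0x80, otherwise 0x8N followed by N length bytes
    hdr = 2 if der[1] < 0x80 else 2 + (der[1] & 0x7F)
    return len(der) > hdr and der[hdr] == 0x30


def pem_blocks(data: bytes) -> list:
    """All (label, DER bytes) blocks found in a PEM file; [] for binary input."""
    text = data.decode("latin-1")  # never fails; binary input simply does not match
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks


def der_to_pem(der: bytes) -> str:
    """Wrap DER in the 64-column, LF-terminated PEM form the CDN console accepts."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def to_pem(data: bytes) -> str:
    """Return the certificate text to upload, or raise ValueError with the reason.
    Only CERTIFICATE blocks are emitted; a private key block is not part of the output."""
    blocks = pem_blocks(data)
    if blocks:
        certs = [der for label, der in blocks if label == "CERTIFICATE"]
        if not certs:
            raise ValueError("PEM input holds no CERTIFICATE block")
        return "".join(der_to_pem(c) for c in certs)  # normalizes CRLF and line width
    if der_is_certificate(data):
        return der_to_pem(data)
    raise ValueError("not PEM and not a DER certificate (PKCS#12 bundle? convert it first)")
```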

Will the content retrieval speed drop and resource usage increase after I enable HTTPS secure acceleration?

No, the content retrieval speed remains unchanged and the amount of consumed resources does not increase after you enable HTTPS secure acceleration. If HTTPS is enabled for an origin server, the origin server consumes more computing resources than it does for HTTP communication. The additional consumption is caused by the asymmetric encryption and decryption performed during HTTPS handshakes, and it becomes significant under high concurrency. Symmetric encryption and decryption of the data itself consumes resources comparable to HTTP communication, so the overhead shrinks as more sessions are reused. Establishing HTTPS communication with the origin server also takes longer than establishing HTTP communication.

To fix this issue, you can use Dynamic Route for CDN (DCDN) to enable end-to-end HTTPS communication. DCDN reduces the average amount of time that is consumed by SSL handshakes. In cases of high concurrency, the session reuse rate on the origin server is significantly increased. This way, fewer resources are consumed to enable content delivery acceleration over HTTPS.
  • To accelerate the delivery of static content, edge nodes cache it. The time consumed by handshakes increases, but the time consumed by data transmission decreases, so the total time for content delivery decreases. Requests for static content are not forwarded to the origin server because the content is cached on edge nodes and delivered directly to clients, which minimizes the resources that the origin server consumes.
  • To accelerate the delivery of dynamic content, DCDN provides more flexible and optimal routing than content delivery over the public Internet. Requests for dynamic content must be forwarded to the origin server, so asymmetric encryption and decryption during the handshake remain a required step and increase the resources that the origin server consumes. When DCDN is used to retrieve content from the origin server, the session reuse rate increases and the overall transmission speed improves. DCDN can therefore enable end-to-end HTTPS communication while minimizing the resources consumed.

Is HTTPS required only when visitors log on to my site?

No. We recommend that you enable HTTPS secure acceleration for all web pages. HTTPS secure acceleration provides the following benefits:
  • In terms of website security, if HTTPS secure acceleration is enabled for only some of your web pages, resources such as JavaScript or CSS files may be loaded over HTTP or a CDN service that does not guarantee data security. In this case, user information may be leaked. We recommend that you enable HTTPS secure acceleration for all web pages to ensure data security.
  • In terms of network performance, if HTTPS secure acceleration is enabled for only some of your web pages, requests may be redirected from HTTP URLs to HTTPS URLs or from HTTPS URLs to HTTP URLs. This decreases the content retrieval speed and degrades the network performance.
  • In terms of support for HTTPS, an increasing number of browsers support HTTPS requests, and search engines index more HTTPS pages than HTTP pages.

What are the common types of HTTP attacks?

HTTPS is one of the methods that can be used to improve content delivery security. To ensure network security, you can integrate Alibaba Cloud CDN with Web Application Firewall (WAF) or Anti-DDoS Pro. The following list shows common HTTP attacks:

  • SQL injection: a code injection technique that is used to attack data-driven applications. Malicious SQL statements are inserted into entry fields and executed by the SQL database.
  • Cross-site scripting (XSS): a type of security vulnerability that is commonly found in web applications. XSS allows attackers to inject client-side scripts into web pages. When other users visit these web pages, the injected scripts run with the identities and permissions of those users. XSS is typically used to modify or steal user information.
  • Cross-site request forgery (CSRF): allows attackers to forge a request that a user's browser submits, for example through a form, so that the request is executed with the user's identity. Attackers then tamper with the user's data or execute a specific task. To spoof the identity of a user, CSRF is combined with XSS or other attack methods, for example a malicious link that triggers the forged request.
  • HTTP header injection: HTTP is used whenever you visit a website from a browser, regardless of the technology and framework on which the website is built. In an HTTP response, a blank line separates the header from the body. This blank line consists of two carriage return (CR) and line feed (LF) character pairs (0x0D 0x0A) and marks the end of the header and the start of the body. If user-controlled input that contains CR and LF characters is written into a response header without being sanitized, attackers can inject additional header fields.
  • Open redirect: an attack that is commonly used in phishing. Attackers masquerade as a trusted entity and send a user a link. After the user clicks the link, the user is redirected to a malicious website where user data may be leaked. To prevent such attacks, all redirection targets must be validated to ensure that users are not redirected to malicious websites. One solution is to add trusted URLs to a whitelist; redirects to domain names that are not included in the whitelist are denied. Another solution is to add redirect tokens to trusted URLs; before users are redirected, the URLs are verified based on the tokens.
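The whitelist and redirect-token mitigations listed under Open redirect, together with the CR/LF check that blocks HTTP header injection through the Location header, as an added Python example that is not part of the Alibaba Cloud documentation. The host names, site origin and signing key are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import urljoin, urlsplit

# Constructed allowlist, origin and secret; replace with your own site's values.
TRUSTED_HOSTS = {"www.example.com", "shop.example.com"}
SITE_ORIGIN = "https://www.example.com/"
REDIRECT_KEY = b"constructed-server-side-secret"


def is_trusted_redirect(target: str) -> bool:
    """Whitelist check for a redirect target taken from a request parameter."""
    # CR or LF inside the Location value would let the client append its own
    # response headers (the HTTP header injection case above), so reject early.
    if "\r" in target or "\n" in target:
        return False
    # Browsers treat "/\evil.test" like "//evil.test", urlsplit does not.
    if "\\" in target:
        return False
    # Resolve relative paths against our own origin, then judge the result:
    # "/account" resolves to our host and passes, "//evil.test/x" resolves to
    # https://evil.test/x and fails.
    parts = urlsplit(urljoin(SITE_ORIGIN, target.strip()))
    if parts.scheme not in ("http", "https"):  # drops javascript:, data:, ...
        return False
    # hostname is lower-cased and excludes userinfo and port, so
    # "https://www.example.com@evil.test/" yields evil.test and fails; exact
    # set membership also rejects "www.example.com.evil.test".
    return parts.hostname in TRUSTED_HOSTS


def sign_redirect(target: str) -> str:
    """Issue a redirect token bound to one URL the server itself chose."""
    return hmac.new(REDIRECT_KEY, target.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_redirect(target: str, token: str) -> bool:
    """Accept the redirect only if the token was issued for exactly this URL."""
    return hmac.compare_digest(sign_redirect(target), token)


def safe_location(target: str, token: str = "") -> str:
    """Location header value to send: the target if allowed, else the home page."""
    if is_trusted_redirect(target) or (token and verify_redirect(target, token)):
        return target
    return "/"
```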