This topic describes the benefits and usage notes of HTTPS secure acceleration and how it works. HTTPS secure acceleration is used to encrypt HTTPS connections between clients and Dynamic Route for CDN (DCDN) points of presence (POPs). HTTPS ensures data security during transmission.

What is HTTPS?

HTTP transmits data in plaintext and does not encrypt data. HTTPS is an extension of HTTP and is designed to ensure data security. In HTTPS, the communication protocol is encrypted by using Transport Layer Security (TLS), formerly known as Secure Sockets Layer (SSL). HTTPS is used to encrypt connections. HTTPS is widely used to protect sensitive user data for services such as payment transactions.

How it works

After you enable HTTPS in the DCDN console, transmissions between clients and DCDN POPs are encrypted over HTTPS. If you want to enable end-to-end HTTPS encryption, you must configure DCDN POPs to redirect requests to origin servers over HTTPS. Make sure that the origin servers support HTTPS.

The following figure shows how HTTPS works. HTTPS encryption
  1. In the Alibaba Cloud DCDN console, configure the public and private keys of the SSL certificate on DCDN POPs.
    Note You can acquire the public and private keys by applying for or uploading an SSL certificate.
  2. The DCDN POP sends the public and private keys to the client.
  3. The client parses the public key to verify the validity.
    • If the public key is valid, the client generates a random number as a private key. The client uses the public key to encrypt the random number and transmits the number (private key) to the DCDN POP.
    • If the public key is invalid, SSL handshakes fail. You must configure a valid SSL certificate.
    Note A certificate is considered valid only if the following requirements are met:
    • The certificate is not expired.
    • The certificate is issued by a trusted certificate authority (CA).
    • The public key of the certificate can decrypt the certificate signature signed by the CA.
    • The domain name on the certificate matches the accelerated domain name.
  4. The DCDN POP uses the private key to decrypt the encrypted random number.
  5. The DCDN POP uses the random number to encrypt data transmission.
  6. The client uses the random number to decrypt the received data.

Billing

HTTPS secure acceleration is a value-added service. After you enable HTTPS, you are charged based on the number of HTTPS requests. For more information, see Billing of HTTPS and HTTP requests.
Note HTTPS requests are separately billed, and the fees cannot be offset by data transfer plans of DCDN. Make sure that you have a sufficient balance in your Alibaba Cloud account. Otherwise, overdue payments may occur and cause service suspension.

Benefits

HTTPS secure acceleration provides the following benefits:
  • HTTPS secure acceleration protects communications from eavesdropping, tampering, impersonation attacks, and man-in-the-middle (MITM) attacks.
  • HTTPS encrypts sensitive information such as session IDs and cookies before transmission. This minimizes the risk of sensitive information leaks.
  • HTTPS checks data integrity during transmission to protect the data from MITM attacks, such as DNS hijacking and tampering.
  • HTTPS is the new standard. An increasing number of mainstream browsers such as Google Chrome 70 and later and Mozilla Firefox have labeled HTTP web URLs as not secure since 2018. If you choose to use HTTP, your website may be exposed to security risks. Users who visit your website by using these browsers are prompted that this website is not secure. This compromises user experience and may reduce visits to the website.
  • Mainstream search engines have a higher weight for HTTPS-capable websites. After you enable HTTPS for your website, the website can achieve a higher ranking in search engine optimization (SOE). HTTP/2 is supported by a growing number of browsers because HTTP/2 can provide a better user experience. A website must support HTTPS before it can support HTTP/2. HTTPS is a more reliable choice in terms of security, market presence, and user experience. Therefore, we recommend that you upgrade your communication protocol to HTTPS.

Scenarios

The following table describes the use scenarios of HTTPS secure acceleration.
Scenario Description
Enterprise applications HTTPS protects confidential information on enterprise websites from being hijacked or intercepted. Leaks of the confidential information, such as customer relationship management (CRM) data and enterprise resource planning (ERP) data, may cause fatal damages to enterprises.
Public service websites HTTPS protects sensitive information on public service websites against attacks such as phishing and hijacking. Leaks of such information may compromise public trust.
Payment systems HTTPS protects sensitive data such as customer names and phone numbers used in payment transactions against hijacking and spoofing. If sensitive data is leaked, attackers can use such data to trick customers into making duplicate payments. This causes losses to both the customer and the enterprise.
API operations API operations can use HTTPS to encrypt important information, such as sensitive data and important instructions. This protects the information against hijacking.
Enterprise websites HTTPS improves user trust and experience. Web browsers display a lock icon in the address bar for websites with domain validated (DV) or organization validated (OV) certificates. The enterprise name is displayed together with the lock icon for websites that include extended validated (EV) certificates.

Usage notes

The following table describes the usage notes of HTTPS.
Category Note
Scenario
  • All domain names can enable HTTPS regardless of the content type.
  • You can enable HTTPS for a wildcard domain name.
  • You can renew an SSL certificate. Proceed with caution. After an SSL certificate is renewed, it takes effect within one minute.
Usage notes on enabling and disabling HTTPS:
  • Enable HTTPS: After you enable HTTPS, you can change SSL certificates. You can also configure URL redirection to redirect user requests from HTTP to HTTPS. For more information, see Configure force redirect.
  • Disable HTTPS: After you disable HTTPS, the system no longer supports HTTPS requests and retains the SSL certificate or private key information. If you want to enable HTTPS again, you must select an SSL certificate from Certificate Management Service. For more information, see Configure an SSL certificate.
Billing
HTTPS secure acceleration is a value-added service. After you enable HTTPS, you are charged based on the number of HTTPS requests. For more information, see Billing of HTTPS and HTTP requests.
Note HTTPS requests are separately billed, and the fees cannot be offset by data transfer plans of DCDN. Before you enable HTTPS secure acceleration, make sure that you have a sufficient balance in your Alibaba Cloud account. If the balance is insufficient, DCDN may be suspended.
Certificate management
  • You must upload SSL certificates and private keys in Privacy-Enhanced Mail (PEM) format for domain names for which you want to enable HTTPS secure acceleration.
    Note The Tengine web server used by DCDN is designed based on the NGINX web server architecture. Therefore, the web server supports only certificate files in NGINX-compatible PEM format. For more information, see Certificate formats.
  • The uploaded SSL certificate must match the private key. Otherwise, requests sent from clients fail the authentication.
  • The system does not support the private keys for which passwords are configured.
  • Only SSL and TLS handshakes that include Server Name Indication (SNI) values are supported.
  • You can view SSL certificates. You cannot view private keys because they are sensitive information. Keep certificate-related information confidential.

Enable HTTPS secure acceleration

Regions outside the Chinese mainland
  1. Prepare an SSL certificate in the Certificate Management Service console.

    The following types of SSL certificates are supported. Select a type based on your business requirements and configure an SSL certificate in the Certificate Management Service console.

  2. Enable HTTPS in the DCDN console.
    1. Required:After you prepare an SSL certificate, you must configure the certificate before HTTPS can be enabled. For more information, see Configure an SSL certificate.
    2. Optional:You can configure advanced features such as Force Redirect based on your business requirements.
      Feature Description
      Enable HTTP/2 HTTP/2 is a binary protocol developed based on HTTP/1.1. HTTP/2 significantly improves web performance and reduces latency by enabling multiplexing and header compression. HTTP/2 is supported by mainstream browsers, including Google Chrome, Microsoft Edge, Safari, and Mozilla Firefox.
      Configure force redirect Redirects requests to HTTP or HTTPS.
      Configure HSTS Forces clients such as browsers to communicate with servers over HTTPS. This reduces the risk of cookie hijacking.
      Configure TLS version control Ensures communication security and data integrity.
      Configure OCSP stapling Caches the revocation status of SSL certificates and returns the information to clients. Clients do not need to query the revocation status of SSL certificates from certificate authorities (CAs). This reduces the verification time.