HTTPS secure acceleration can be used to ensure security during data transmission over HTTPS. Requests and responses are encrypted between clients and Dynamic Route for CDN (DCDN) nodes. This topic describes the benefits and usage notes of HTTPS secure acceleration and how it works.

What is HTTPS?

Hypertext Transfer Protocol (HTTP) transmits data in plaintext and does not encrypt data in any form. As an extension of HTTP, HTTPS is an HTTP channel designed to ensure data security. In HTTPS, the communication protocol is encrypted by using Transport Layer Security (TLS) or Secure Sockets Layer (SSL). HTTPS supports authenticated and encrypted connections. Therefore, it is widely used to transmit sensitive data, such as transactions, over the Internet.

A report released by Electronic Frontier Foundation (EFF) in 2017 shows that more than 50% of web traffic worldwide is transmitted over HTTPS.

How DCDN works

After you enable HTTPS in the DCDN console, the requests from clients to DCDN nodes are encrypted over HTTPS. A DCDN node retrieves the requested resources from the origin and then returns them to the client based on the origin configuration. We recommend that you enable HTTPS on the origin to implement end-to-end HTTPS encryption.

The following figure shows the HTTPS encryption process:
  1. The client sends a request over HTTPS.
  2. The server has the public and private keys prepared.
    Note You can bring your own public or private keys, apply for them from a professional organization, or apply for a free SSL certificate in the Alibaba Cloud CDN console.
  3. The server sends the public key to the client.
  4. The client authenticates the certificate.
    • If the certificate is valid, the client generates a random number as a key. The client uses the public key to encrypt the random number and transmits the encrypted random number to the server.
    • If the certificate is invalid, the SSL handshake fails. You must upload another certificate for authentication.
    Note A certificate is considered valid if the following conditions are met:
    • The certificate is not expired.
    • The certificate is issued by a trusted certificate authority (CA).
    • The public key of the certificate can be used to decrypt the signature of the server certificate.
    • The domain name on the server certificate is the same as the actual domain name hosted on the server.
  5. The server uses the private key to decrypt the random number.
  6. The server uses the random number to encrypt data transmitted from the server.
  7. The client uses the random number to decrypt the received data.

Benefits

HTTPS secure acceleration provides the following benefits:
  • HTTPS secure acceleration prevents communications from eavesdropping, tampering, impersonation attacks, and man-in-the-middle (MITM) attacks.
  • HTTPS encrypts sensitive information such as session IDs and cookies before transmission. This minimizes the risk of sensitive information leaks.
  • HTTPS checks data integrity during transmission to protect the data from MITM attacks, such as DNS hijacking and tampering.
  • HTTPS is the new standard. An increasing number of mainstream browsers such as Google Chrome 70 and later and Mozilla Firefox have labeled HTTP web URLs as insecure since 2018. If you choose to use HTTP, your website may be exposed to security risks. Users who visit your website by using these browsers are prompted that this website is insecure. This compromises user experience and may reduce visits to the website.
  • Google and Baidu prioritize HTTPS web URLs in the search results. Additionally, mainstream browsers support HTTP/2 only over HTTPS. HTTPS is a more reliable choice in terms of security, market share, and user experience. Therefore, we recommend that you upgrade your communication protocol to HTTPS.

Scenarios

The following table describes the scenarios of HTTPS secure acceleration.
  • Enterprise applications: HTTPS protects confidential information on enterprise websites from being hijacked or intercepted. Confidential information, such as customer relationship management (CRM) data and enterprise resource planning (ERP) data, is protected during transmission.
  • Government websites: HTTPS protects sensitive information on government websites against attacks such as phishing and hijacking. Leaks of such information may compromise public trust.
  • Payment systems: HTTPS protects sensitive data such as customer names and phone numbers used in payment transactions against hijacking and spoofing attacks. If sensitive data is leaked, attackers can use such data for fraudulent activities. This causes losses to both the customer and the enterprise.
  • API operations: API operations can use HTTPS to encrypt important information, such as sensitive data and important instructions. This protects the information against hijacking.
  • Enterprise websites: HTTPS improves user trust and experience. Web browsers display a lock icon in the address bar for websites with domain validated (DV) or organization validated (OV) certificates. The enterprise name is displayed together with the lock icon for websites that use extended validation (EV) certificates.

Usage notes

The following table describes the rules to follow when you use HTTPS secure acceleration.
Parameter
  • You can enable HTTPS for wildcard domain names.
  • You can enable or disable HTTPS secure acceleration as needed.
    • When HTTPS secure acceleration is enabled: You can modify certificates. By default, the system supports both HTTP and HTTPS requests. You can also configure the forcible redirect feature to customize the request method.
    • When HTTPS secure acceleration is disabled: The system no longer supports HTTPS requests and no longer retains certificate or private key information. To enable HTTPS secure acceleration again, you must re-upload the certificate and the private key. For more information, see Configure HTTPS certificates.
  • You can view certificates. However, private keys are restricted. You cannot view private keys because they are sensitive information. Keep certificate-related information confidential.
  • You can renew a certificate. However, proceed with caution. After a certificate is renewed, it takes effect within one minute.
Billing
  For more information about the pricing of HTTPS secure acceleration, see HTTPS billing.
  Note HTTPS secure acceleration is billed based on the number of HTTPS requests. Before you enable HTTPS secure acceleration, make sure that your account balance is sufficient. If your balance is insufficient, DCDN may be suspended.
Certificate
  • After you enable HTTPS secure acceleration for an accelerated domain name, you must upload a certificate and a private key in the PEM format to DCDN.
    Note The Tengine web server used by DCDN is based on NGINX. Therefore, the web server supports only certificate files in the NGINX-compatible PEM format. For more information, see Certificate formats.
  • The uploaded certificate must match the private key. Otherwise, requests sent from clients fail to pass authentication.
  • A private key cannot carry a password.
  • Only SSL and TLS handshakes that include Server Name Indication (SNI) values are supported.
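The checks below are an added example, not code from Alibaba Cloud or the DCDN console. They use the openssl command-line tool to test a certificate and private key locally before you upload them, covering the certificate conditions listed under step 4 of the handshake (validity period, trusted issuer, hostname) and the certificate rules in the usage notes above (PEM format, certificate matches key, key has no password). The hostname, the self-signed certificate and the key are constructed for the demo; in real use you would point the variables at your own files and pass your CA bundle to the chain check.

```shell
#!/bin/sh
# Added example (not DCDN's own tooling): pre-upload checks for a PEM
# certificate/private-key pair using the openssl CLI.
set -eu

WORK="$(mktemp -d)"
CERT="$WORK/cert.pem"
KEY="$WORK/key.pem"
HOST="example.com"   # constructed demo hostname

# Construct a throwaway self-signed certificate (1-day validity) and an
# unencrypted RSA key, the NGINX-compatible PEM shape DCDN expects.
# The hostname is placed in the CN; real certificates should also carry it
# in subjectAltName, and the hostname check below accepts either.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$HOST" -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# 1. Both files must parse as PEM.
is_pem_cert() { openssl x509 -inform PEM -in "$1" -noout >/dev/null 2>&1; }
is_pem_key()  { openssl pkey -inform PEM -in "$1" -noout >/dev/null 2>&1; }

# 2. The private key must not be password-protected: an encrypted PEM key
#    carries an ENCRYPTED marker or a Proc-Type header.
key_has_no_password() { ! grep -Eq 'ENCRYPTED|Proc-Type' "$1"; }

# 3. The certificate must match the private key: the public key embedded in
#    the certificate must equal the one derived from the private key.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# 4. Validity window: fail if the certificate expires within $2 seconds.
cert_valid_for() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; }

# 5. The certificate must be issued for the served hostname (SAN or CN).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

# 6. The chain must verify against a trust store ($2 is the CA bundle);
#    the self-signed demo certificate acts as its own CA file here.
cert_chain_verifies() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

run_all_checks() {
    is_pem_cert "$CERT" && is_pem_key "$KEY" && key_has_no_password "$KEY" \
    && cert_matches_key "$CERT" "$KEY" && cert_valid_for "$CERT" 3600 \
    && cert_covers_host "$CERT" "$HOST" && cert_chain_verifies "$CERT" "$CERT"
}

make_demo_pair
if run_all_checks; then
    echo "certificate/key pair passes all pre-upload checks"
else
    echo "one or more checks failed; do not upload this pair"
fi
```

The key/certificate comparison in step 3 is the check that catches the most common upload failure (a renewed certificate uploaded with the previous key); the expiry check takes a lead time in seconds so you can alert before the certificate actually lapses rather than on the day.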

Related features

You can enable the following features as needed to enhance data security.
  • Configure HTTPS certificates: Implements HTTPS secure acceleration.
  • Enable HTTP/2: Enables the latest HTTP protocol, HTTP/2. This protocol is supported by mainstream browsers such as Google Chrome, Internet Explorer 11, Safari, and Mozilla Firefox.
  • Configure the forcible redirect feature: Forcibly redirects requests from users as HTTP or HTTPS requests.
  • Configure TLS: Ensures communication security and data integrity.
  • Configure HSTS: Forces clients such as browsers to communicate with servers over HTTPS. This reduces the risk of cookie hijacking.
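The features above are switched on in the DCDN console, but the topic also recommends enabling HTTPS on the origin for end-to-end encryption. As an added example that is not Alibaba Cloud's or DCDN's configuration, the NGINX server block below applies the origin-side equivalents of the same features: HTTPS with a PEM certificate and key, HTTP/2, a forcible HTTP-to-HTTPS redirect, a restricted TLS version set, and an HSTS header. The hostname and file paths are placeholders.

```nginx
# Added example: origin-side NGINX configuration (placeholders, not DCDN's own config)

server {
    listen 80;
    server_name www.example.com;            # placeholder hostname
    # Forcible redirect: every plain-HTTP request is sent to HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;                   # HTTPS with HTTP/2 enabled
    server_name www.example.com;

    # Certificate chain and unencrypted private key in NGINX-compatible PEM
    ssl_certificate     /etc/nginx/certs/www.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/www.example.com.key.pem;

    # Configure TLS: accept only current protocol versions
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS: browsers keep using HTTPS for this host for one year
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/html;
}
```

On NGINX 1.25.1 and later, `http2 on;` as a separate directive is preferred over the `http2` parameter on `listen`, but the parameter form above still works on the versions most origins run. Reload the server after a certificate renewal; unlike DCDN, a self-managed origin does not pick up a new certificate on its own.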