HTTPS secure acceleration secures data transmission by using HTTPS to encrypt communication between clients and Dynamic Route for CDN (DCDN). This topic provides an overview of HTTPS secure acceleration, including how it works, its benefits, and the related considerations.

HTTPS

Hypertext Transfer Protocol (HTTP) transmits content in plaintext and does not encrypt data in any form. As an extension of HTTP, HTTPS is an HTTP channel designed to enhance security. Secure Sockets Layer (SSL) or Transport Layer Security (TLS) is used as a sublayer under the regular HTTP application to authenticate users and encrypt data. HTTPS is widely used to protect sensitive user data for services such as payment transactions.

According to a report released by Electronic Frontier Foundation (EFF) in 2017, more than 50% of web traffic worldwide is transmitted over HTTPS.

How it works

After you enable HTTPS in the Alibaba Cloud DCDN console, requests from clients to Alibaba Cloud DCDN are encrypted over HTTPS. A DCDN node retrieves the requested resources from the origin according to the origin configuration and returns them to the client. We recommend that you also enable HTTPS on the origin to implement end-to-end HTTPS encryption.

The following figure shows the HTTPS encryption process.
[Figure: HTTPS encryption process]
  1. The client sends a request over HTTPS.
  2. The server prepares a public key and a private key in advance.
    Note You can prepare the keys on your own or request them from a professional organization. You can also request a free HTTPS certificate in the Alibaba Cloud CDN console.
  3. The server sends the public key to the client.
  4. The client authenticates the certificate.
    • If the certificate is valid, the client generates a random number as a key. The client uses the public key to encrypt the random number and transmits the encrypted random number to the server.
    • If the certificate is invalid, the SSL handshake fails.
    Note A valid certificate must meet the following requirements:
    • The certificate has not expired.
    • The certificate is issued by a trusted certificate authority (CA).
    • The digital signature of the issuer in the certificate can be decrypted with the public key of the issuer.
    • The domain name in the certificate is the same as that of the server.
  5. The server decrypts the random number by using the private key.
  6. The server uses the random number to encrypt data and transmits the data to the client.
  7. The client uses the random number to decrypt the received data.
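The certificate checks in step 4 can be exercised in code. The following Go program is an added example and is not DCDN code: it builds its own constructed CA and a leaf certificate for the hypothetical domain cdn.example.com, then uses the standard-library x509 verifier, which applies all four requirements (not expired, trusted issuer, issuer signature verifies, domain name matches) in a single Verify call. The "rogue CA" that only shares the trusted CA's name, the scenario names, and the hostnames are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with the signer's key and parses the resulting certificate.
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// caTemplate describes a constructed CA named "Example Test CA" (assumption).
func caTemplate(serial int64, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// buildPKI returns a trusted CA, a leaf for cdn.example.com issued by it, and
// a rogue CA that carries the same name but a different key (all constructed).
func buildPKI(now time.Time) (ca, leaf, rogue *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogueKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := caTemplate(1, now)
	ca = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	rogueTmpl := caTemplate(2, now)
	rogue = issue(rogueTmpl, rogueTmpl, &rogueKey.PublicKey, rogueKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "cdn.example.com"},
		DNSNames:     []string{"cdn.example.com"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour), // short-lived so expiry is easy to trigger
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf = issue(leafTmpl, ca, &leafKey.PublicKey, caKey)
	return ca, leaf, rogue
}

// checkCertificate applies the four requirements: CurrentTime covers expiry,
// Roots covers "issued by a trusted CA" plus the issuer-signature check, and
// DNSName covers the domain name match.
func checkCertificate(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, CurrentTime: now})
	return err
}

// classify maps a verification error back to the requirement it violated.
func classify(err error) string {
	var invalid x509.CertificateInvalidError
	var hostErr x509.HostnameError
	var unknown x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "valid"
	case errors.As(err, &hostErr):
		return "hostname-mismatch"
	case errors.As(err, &unknown):
		return "untrusted-ca"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	}
	return "invalid"
}

// scenarioResults runs the valid case and each failure case against the PKI.
func scenarioResults() map[string]string {
	now := time.Now()
	ca, leaf, rogue := buildPKI(now)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	out := map[string]string{
		"valid":             classify(checkCertificate(leaf, trusted, "cdn.example.com", now)),
		"expired":           classify(checkCertificate(leaf, trusted, "cdn.example.com", now.Add(48*time.Hour))),
		"untrusted-ca":      classify(checkCertificate(leaf, x509.NewCertPool(), "cdn.example.com", now)),
		"hostname-mismatch": classify(checkCertificate(leaf, trusted, "www.example.com", now)),
	}
	// The signature requirement on its own: a CA that merely carries the
	// issuer's name cannot validate the leaf's signature.
	if err := leaf.CheckSignatureFrom(rogue); err != nil {
		out["bad-signature"] = "signature-rejected"
	} else {
		out["bad-signature"] = "signature-accepted"
	}
	return out
}

func main() {
	for name, outcome := range scenarioResults() {
		fmt.Printf("%-18s %s\n", name, outcome)
	}
}
```

Passing an empty certificate pool as Roots is deliberate: a nil Roots would make the verifier fall back to the system trust store, which is not what the "untrusted CA" case is meant to show.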

Benefits

  • HTTPS provides protection against the following HTTP security threats:
    • Eavesdropping, where third parties may intercept your data during transmission.
    • Tampering, where third parties alter your data during transmission.
    • Spoofing, where third parties impersonate the identity of a user.
    • Hijacking, where your data is rerouted to third-party servers.
  • Benefits of HTTPS transmission:
    • HTTPS encrypts sensitive information such as session IDs and cookies before transmission. This prevents security threats caused by sensitive information leakage.
    • HTTPS checks data integrity during transmission to protect your Domain Name System (DNS) or content against man-in-the-middle (MITM) attacks such as hijacking and tampering.
    • HTTPS is the new norm. An increasing number of major browsers such as Google Chrome and Mozilla Firefox have labelled HTTP websites as insecure since 2018. If you choose to use HTTP, your website may be exposed to security risks. Users who visit your website by using these browsers are prompted that this website is insecure. This compromises user experience and may reduce visits to the website.
    • Google and Baidu prioritize HTTPS websites in search results. Additionally, major browsers support HTTP/2 only over HTTPS. HTTPS is a more reliable choice in terms of security, market presence, and user experience. Therefore, we recommend that you upgrade your communication protocol to HTTPS.

Scenarios

The following list describes the scenarios of HTTPS.
  • Enterprise application: HTTPS protects confidential information on enterprise websites from being hijacked or intercepted. The confidential information includes customer relationship management (CRM) data and enterprise resource planning (ERP) data.
  • Government website: HTTPS protects authoritative information on government websites against threats such as phishing and hijacking. Leakage of such information may compromise public trust.
  • Payment system: HTTPS protects sensitive data such as the customer names and phone numbers used in payment transactions against hijacking and spoofing. If sensitive data is leaked, attackers can use it to trick customers into making duplicate payments. This causes losses to both the customer and the enterprise.
  • API operations: API operations use HTTPS to encrypt important information such as sensitive data and crucial instructions. This protects the information against hijacking.
  • Enterprise website: HTTPS makes users feel more secure. Web browsers display a green lock icon in the address bar for websites with domain validated (DV) and organization validated (OV) certificates. The enterprise name is displayed together with the green lock for websites that use extended validation (EV) certificates.

Considerations

The following rules apply when you use HTTPS secure acceleration.

Configuration
  • You can enable HTTPS for wildcard domains.
  • You can enable or disable HTTPS secure acceleration as needed.
    • When HTTPS secure acceleration is enabled: You can modify certificates. By default, the system accepts both HTTP and HTTPS requests. You can also use Configure forcible redirection to redirect requests to HTTP or HTTPS only.
    • When HTTPS secure acceleration is disabled: The system no longer accepts HTTPS requests and no longer keeps the certificate or private key. To enable HTTPS secure acceleration again, you must re-upload the certificate and the private key. For more information, see Configure an HTTPS certificate.
  • You can view the certificate but not the private key. Keep certificate-related information confidential.
  • You can update the certificate. However, proceed with caution: the new HTTPS certificate takes effect within one minute after the update.

Billing
  For more information about HTTPS billing, see the Pay by Requests section of DCDN Pricing.
  Note HTTPS secure acceleration is billed separately based on the number of HTTPS requests. Before you enable HTTPS secure acceleration, make sure that your account balance is sufficient. DCDN may be suspended if your balance is insufficient.

Certificates
  • After you enable HTTPS secure acceleration for an accelerated domain, you must upload a certificate and its private key in the PEM format to DCDN.
    Note The Tengine web server used by DCDN is based on NGINX. Therefore, it supports only certificate files in the NGINX-compatible PEM format. For more information, see Certificate formats.
  • The uploaded certificate must match the private key. Otherwise, certificate verification fails.
  • The private key must not be password-protected.
  • Only SSL and TLS handshakes that include a Server Name Indication (SNI) value are supported.
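The certificate rules above (PEM format, key must match the certificate, no passphrase on the key, SNI required) can be checked locally before an upload. The following Go program is an added example, not DCDN's upload logic: it generates a constructed self-signed certificate and key for the hypothetical domain cdn.example.com, runs the pre-upload checks against a good pair and against three bad inputs (a DER certificate, a key carrying the legacy PEM encryption headers, a key from a different certificate), and shows a GetCertificate callback that refuses a client hello without SNI. The scenario names, the simulated encryption headers, and the hostnames are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// selfSignedPEM returns a constructed self-signed certificate and key for
// host as PEM blocks of the kind NGINX/Tengine accept. Not a real DCDN cert.
func selfSignedPEM(host string) (certPEM, keyPEM []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	keyDER, _ := x509.MarshalECPrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}

// checkUploadPair applies the upload rules from the text: PEM only, no
// passphrase on the key, and the key must match the certificate.
func checkUploadPair(certPEM, keyPEM []byte) error {
	certBlock, _ := pem.Decode(certPEM)
	if certBlock == nil || certBlock.Type != "CERTIFICATE" {
		return errors.New("certificate is not a PEM CERTIFICATE block; convert DER/PFX to PEM first")
	}
	keyBlock, _ := pem.Decode(keyPEM)
	if keyBlock == nil || !strings.HasSuffix(keyBlock.Type, "PRIVATE KEY") {
		return errors.New("private key is not a PEM PRIVATE KEY block")
	}
	// Legacy PEM encryption is flagged by a Proc-Type header, PKCS#8
	// encryption by the ENCRYPTED PRIVATE KEY block type.
	if keyBlock.Type == "ENCRYPTED PRIVATE KEY" || strings.Contains(keyBlock.Headers["Proc-Type"], "ENCRYPTED") {
		return errors.New("private key is password-protected; remove the passphrase before upload")
	}
	// X509KeyPair parses both blocks and fails when the key's public half
	// differs from the public key inside the certificate.
	if _, err := tls.X509KeyPair(certPEM, keyPEM); err != nil {
		return fmt.Errorf("certificate and key do not match: %w", err)
	}
	return nil
}

// requireSNI returns a GetCertificate callback that rejects client hellos
// without Server Name Indication, the behaviour the text describes.
func requireSNI(cert *tls.Certificate) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if hello.ServerName == "" {
			return nil, errors.New("client hello carries no SNI; handshake rejected")
		}
		return cert, nil
	}
}

// uploadScenarios reports, per constructed input, whether it is accepted.
func uploadScenarios() map[string]bool {
	certPEM, keyPEM := selfSignedPEM("cdn.example.com")
	_, otherKeyPEM := selfSignedPEM("other.example.com")
	certDER, _ := pem.Decode(certPEM)
	// Simulate a passphrase-protected key by adding the legacy PEM headers;
	// the body is left unchanged because only the detection path is exercised.
	encBlock, _ := pem.Decode(keyPEM)
	encBlock.Headers = map[string]string{"Proc-Type": "4,ENCRYPTED", "DEK-Info": "AES-256-CBC,00"}
	encryptedKeyPEM := pem.EncodeToMemory(encBlock)
	pair, _ := tls.X509KeyPair(certPEM, keyPEM)
	getCert := requireSNI(&pair)
	_, withSNI := getCert(&tls.ClientHelloInfo{ServerName: "cdn.example.com"})
	_, withoutSNI := getCert(&tls.ClientHelloInfo{})
	return map[string]bool{
		"valid pair":      checkUploadPair(certPEM, keyPEM) == nil,
		"der certificate": checkUploadPair(certDER.Bytes, keyPEM) == nil,
		"encrypted key":   checkUploadPair(certPEM, encryptedKeyPEM) == nil,
		"mismatched key":  checkUploadPair(certPEM, otherKeyPEM) == nil,
		"sni present":     withSNI == nil,
		"sni missing":     withoutSNI == nil,
	}
}

func main() {
	for name, ok := range uploadScenarios() {
		fmt.Printf("%-16s accepted=%v\n", name, ok)
	}
}
```

The mismatch check relies on tls.X509KeyPair comparing the public key inside the certificate with the one derived from the private key, so a key that parses fine but belongs to another certificate is still caught before upload.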

Related features

You can enable the following features as needed to enhance data security.
  • Configure an HTTPS certificate: Implements HTTPS secure acceleration.
  • Enable HTTP/2: Enables HTTP/2, the latest version of HTTP. HTTP/2 is supported by major browsers such as Google Chrome, Internet Explorer 11, Safari, and Mozilla Firefox.
  • Configure forcible redirection: Forcibly redirects end users' requests to HTTP or HTTPS.
  • Configure TLS: Ensures communication security and data integrity.
  • Configure HSTS: Forces clients such as browsers to communicate with servers over HTTPS. This reduces the risk of cookie hijacking.
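Forcible redirection and HSTS are complementary: the redirect moves a plaintext request onto HTTPS once, and the Strict-Transport-Security header makes the browser use HTTPS on its own afterwards. The following Go handler is an added example of that pairing at an origin server, not DCDN's implementation of either feature. It uses only the standard library, the hostname cdn.example.com and the one-year policy value are assumptions, and the probe function drives the handler with constructed requests so it runs without opening a socket.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// hstsPolicy is the value sent on HTTPS responses. One year with
// includeSubDomains is a common choice; it is an assumption here, not a DCDN
// default.
const hstsPolicy = "max-age=31536000; includeSubDomains"

// forceHTTPS wraps a handler: plaintext requests get a permanent redirect to
// the same URL over HTTPS, and HTTPS responses carry Strict-Transport-Security.
// The header is only set on HTTPS responses because browsers ignore it on
// plaintext ones.
func forceHTTPS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil {
			target := url.URL{Scheme: "https", Host: r.Host, Path: r.URL.Path, RawQuery: r.URL.RawQuery}
			http.Redirect(w, r, target.String(), http.StatusMovedPermanently)
			return
		}
		w.Header().Set("Strict-Transport-Security", hstsPolicy)
		next.ServeHTTP(w, r)
	})
}

// probeResult captures what a client would observe for one request.
type probeResult struct {
	Status   int
	Location string
	HSTS     string
}

// probe sends a constructed request through forceHTTPS without a network
// connection; httptest marks requests with an https:// target as TLS.
func probe(rawURL string) probeResult {
	h := forceHTTPS(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, rawURL, nil))
	res := rec.Result()
	return probeResult{res.StatusCode, res.Header.Get("Location"), res.Header.Get("Strict-Transport-Security")}
}

func main() {
	for _, u := range []string{"http://cdn.example.com/path?q=1", "https://cdn.example.com/path"} {
		fmt.Printf("%-34s %+v\n", u, probe(u))
	}
}
```

At an origin behind a CDN, TLS is terminated at the edge, so r.TLS is nil even for requests that arrived over HTTPS; the origin must then decide based on the protocol header the CDN forwards (X-Forwarded-Proto is the usual convention) and should trust that header only on connections that come from the CDN.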