This topic describes the benefits and usage notes of HTTPS secure acceleration and how it works. This topic also describes the procedure for enabling HTTPS secure acceleration. HTTPS secure acceleration encrypts HTTPS connections between clients and Content Delivery Network (CDN) nodes. It ensures data security during transmission.
Background information
HTTP transmits data in plaintext and does not encrypt data in any form. As an extension of HTTP, HTTPS is an HTTP channel that is designed to ensure data security. In HTTPS, the communication protocol is encrypted by using Transport Layer Security (TLS) or Secure Sockets Layer (SSL). HTTPS supports authenticated and encrypted connections. Therefore, it is widely used to transmit sensitive data, such as transactions, over the Internet.
How it works
After you enable HTTPS in the Alibaba Cloud CDN console, requests that are transmitted from clients to Alibaba Cloud CDN nodes are encrypted over HTTPS. CDN nodes retrieve requested resources from origin servers and then return the resources to clients over the protocol that is used by the origin servers. We recommend that you configure and enable HTTPS for your origin server to implement end-to-end HTTPS encryption.
- The client sends an HTTPS request.
- The server generates a public key and a private key. You can prepare the keys on your own or request them from a professional organization.
- The server sends the public key to the client.
- The client authenticates the certificate.
- If the certificate is valid, the client generates a random number as a key. The client uses the public key to encrypt the random number and transmits the random number to the server.
- If the certificate is invalid, the SSL handshake fails.
Note: A valid certificate must meet all of the following requirements:
  - The certificate has not expired.
  - The certificate is issued by a trusted certificate authority (CA).
  - The issuer's digital signature on the certificate can be verified with the issuer's public key.
  - The domain name in the certificate matches the domain name of the server.
- The server uses the private key to decrypt the random number.
- The server uses the random number as the key to encrypt data and transmits the encrypted data to the client.
- The client uses the random number to decrypt the received data.
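Two of the certificate requirements in the note above, "not expired" and "domain name matches", can be checked directly on the certificate a client receives. The following is an added example, not Alibaba Cloud code: it works on the dictionary form that Python's `ssl.SSLSocket.getpeercert()` returns, implements left-most-label wildcard matching with subjectAltName taking precedence over the commonName, and uses a constructed sample certificate; the trusted-CA and signature requirements are left to the TLS library's chain verification.

```python
"""Check the "not expired" and "domain name matches" requirements on a
getpeercert()-style certificate dict; chain and signature checks stay with the TLS library."""
import ssl
import time
from typing import List, Optional

def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (possibly a left-most wildcard) to a hostname."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    # A wildcard covers exactly one left-most label: *.example.com matches cdn.example.com only.
    suffix = pattern[1:]  # ".example.com"
    return hostname.endswith(suffix) and hostname.count(".") == suffix.count(".")

def hostname_matches(cert: dict, hostname: str) -> bool:
    """Use subjectAltName DNS entries; fall back to the subject commonName only
    when the certificate has no DNS SAN entries (RFC 6125 behaviour)."""
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return any(_name_matches(n, hostname) for n in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _name_matches(value, hostname)
    return False

def is_within_validity(cert: dict, now: Optional[float] = None) -> bool:
    """notBefore/notAfter use the text form that ssl.cert_time_to_seconds() parses."""
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(cert["notBefore"]) <= now <= ssl.cert_time_to_seconds(cert["notAfter"])

def check_certificate(cert: dict, hostname: str, now: Optional[float] = None) -> List[str]:
    """Return the failed requirements; an empty list means both checks passed."""
    problems = []
    if not is_within_validity(cert, now):
        problems.append("expired or not yet valid")
    if not hostname_matches(cert, hostname):
        problems.append("name mismatch: certificate is not valid for " + hostname)
    return problems

# Constructed sample in getpeercert() format; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "cdn.example.com"),),),
    "subjectAltName": (("DNS", "cdn.example.com"), ("DNS", "*.static.example.com")),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
}
MID_2025 = ssl.cert_time_to_seconds("Jun 30 12:00:00 2025 GMT")  # inside the validity period
LATE_2026 = ssl.cert_time_to_seconds("Mar 01 00:00:00 2026 GMT")  # after notAfter
```

`check_certificate(SAMPLE_CERT, "img.static.example.com", MID_2025)` returns an empty list, while `example.com` fails the name check because a wildcard never covers the bare parent domain.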
Benefits
- HTTPS secure acceleration protects communications against eavesdropping, tampering, impersonation, and man-in-the-middle (MITM) attacks.
- HTTPS encrypts sensitive information such as session IDs and cookies before transmission. This minimizes the risk of sensitive information leaks.
- HTTPS checks data integrity during transmission to protect the data from MITM attacks, such as DNS hijacking and tampering.
- HTTPS is the new standard. Since 2018, an increasing number of mainstream browsers, such as Google Chrome 70 and later and Mozilla Firefox, have labeled HTTP web pages as not secure. If you continue to use HTTP, your website may be exposed to security risks, and users who visit your website with these browsers are warned that the website is not secure. This compromises user experience and may reduce visits to the website.
- Mainstream search engines rank HTTPS web pages higher in search results. In addition, mainstream browsers support HTTP/2 only over HTTPS. HTTPS is the more reliable choice in terms of security, market share, and user experience. Therefore, we recommend that you upgrade your communication protocol to HTTPS.
Scenarios
| Scenario | Description |
|---|---|
| Enterprise applications | HTTPS protects confidential information on enterprise websites from being hijacked or intercepted. Confidential information, such as customer relationship management (CRM) data and enterprise resource planning (ERP) data, is protected during transmission. |
| Government websites | HTTPS protects sensitive information on government websites against attacks such as phishing and hijacking. Leaks of such information may compromise public trust. |
| Payment systems | HTTPS protects sensitive data used in payment transactions, such as customer names and phone numbers, against hijacking and spoofing attacks. If sensitive data is leaked, attackers can use it for fraudulent activities, which causes losses to both the customer and the enterprise. |
| API operations | API operations can use HTTPS to encrypt important information, such as sensitive data and important instructions. This protects the information against hijacking. |
| Enterprise websites | HTTPS improves user trust and experience. Web browsers display a lock icon in the address bar for websites with domain validated (DV) or organization validated (OV) certificates. For websites that use extended validation (EV) certificates, the enterprise name is displayed together with the lock icon. |
Procedure
- Purchase a certificate from Alibaba Cloud SSL Certificates Service. To enable HTTPS secure acceleration, you must own a certificate that corresponds to the domain name that is accelerated by CDN. You can apply for a free certificate or purchase an advanced certificate from Alibaba Cloud SSL Certificates Service.
- Configure an HTTPS certificate.
- Click OK.