HTTPS is used for secure communication over networks. It provides reinforced protection for content delivery that is accelerated by Alibaba Cloud CDN. SSL secures data that is transmitted between clients and servers when Alibaba Cloud CDN is used to accelerate content delivery. This topic provides answers to some commonly asked questions about HTTPS.
Am I charged additional fees after I enable HTTPS secure acceleration?
Do I need to enable HSTS for subdomains if I turn on Include Subdomains when I configure HSTS?
Why do clients access POPs over HTTP after I enable HTTPS secure acceleration?
What is HTTPS?
HTTPS is a security protocol that is used to encrypt data transmitted over HTTP. This ensures the security of data transmission. HTTP transmits data in plaintext and does not encrypt data. HTTPS is an extension of HTTP. It provides an HTTP channel that is designed to ensure data security. In HTTPS, the communication protocol is encrypted based on Transport Layer Security (TLS) or SSL. HTTPS is used to authenticate users and encrypt connections. HTTPS is widely used to protect sensitive user data for services such as payment transactions. When you configure HTTPS for a domain name in the Alibaba Cloud CDN console, you need to provide the SSL certificate of the domain name. The SSL certificate must be deployed to all points of presence (POPs). Then, data transmission over HTTPS is encrypted when content delivery is accelerated by Alibaba Cloud CDN.
What are the common types of HTTP attacks?
HTTPS is one of the methods that can be used to improve content delivery security. To ensure network security, you can integrate Alibaba Cloud CDN with Web Application Firewall (WAF) or Anti-DDoS Pro. The following list shows common HTTP attacks:
SQL injection: a code injection technique that is used to attack data-driven applications. During SQL injection, malicious SQL statements are inserted into entry fields and executed in an SQL database.
Cross-site scripting (XSS): a type of computer security vulnerability that is commonly found in web applications. XSS allows attackers to inject client-side scripts into web pages. When other users visit these web pages, the identities and permissions of the users are exploited to execute the injected scripts. XSS typically modifies or steals user information.
Cross-site request forgery (CSRF): allows attackers to forge a request after a user submits a form. Then, attackers tamper with the user data or execute a specific task. To spoof the identity of a user, CSRF is launched with XSS or based on other attack methods. For example, attackers provide a malicious link that is used to perform a CSRF attack.
HTTP header injection: HTTP is applied when you visit a website from a browser, regardless of the technology and framework based on which this website is designed. When data is transmitted over HTTP, a blank line lies between the header and the content of the response message. This blank line is equivalent to two carriage return (CR) and line feed (LF) character pairs (0x0D 0A). This blank line marks the end of the header and the start of the content. Attackers can exploit this vulnerability to inject characters into the header.
Open redirect: an attack that is commonly launched based on a phishing attack. Attackers masquerade as a trusted entity to send a user a link. After the user clicks this link, the user is redirected to a malicious website where user data may be leaked. To prevent such attacks, all redirection operations must be authenticated to ensure that users are not redirected to malicious websites. One solution to this vulnerability is to add trusted URLs to a whitelist. Redirects to domain names that are not included in the whitelist are denied. Another solution is to add redirect tokens to trusted URLs. Before users are redirected to URLs, these URLs are verified based on the tokens.
Is HTTPS required only when visitors log on to my site?
No. We recommend that you enable HTTPS secure acceleration for all web pages. HTTPS secure acceleration provides the following benefits:
In terms of website security, if HTTPS secure acceleration is enabled for only some of your web pages, resources such as JavaScript or CSS files may be loaded over HTTP or a CDN service that does not guarantee data security. In this case, user information may be leaked. To ensure data security, we recommend that you enable HTTPS secure acceleration for all web pages.
In terms of network performance, if HTTPS secure acceleration is enabled for only some of your web pages, requests may be redirected from HTTP URLs to HTTPS URLs or from HTTPS URLs to HTTP URLs. This decreases the content retrieval speed and degrades the network performance.
In terms of support for HTTPS requests, an increasing number of browsers support HTTPS requests. Search engines index more HTTPS pages than HTTP pages.
What certificates are required to configure HTTPS?
If you want to encrypt only requests from clients to POPs, configure an SSL certificate in the Alibaba Cloud CDN console.
If you want to configure end-to-end data transfer over HTTPS, you need to configure an SSL certificate in the Alibaba Cloud CDN console and on origin servers. For more information, see What is HTTPS secure acceleration?
Am I charged additional fees after I enable HTTPS secure acceleration?
Yes, you are charged additional fees for HTTPS secure acceleration. After HTTPS secure acceleration is enabled, data is transmitted over HTTPS between a client and a POP that responds to the client. Both SSL handshakes and content decryption require computations that consume additional CPU resources on POPs. However, this does not increase resource consumption on your origin server. In this case, data is transmitted over HTTP between the POP and the origin server.
If you purchase different types of SSL certificates, you are charged additional fees. You can log on to the Certificate Management Service console to apply for a free certificate. Free SSL certificates are Domain Validation (DV) certificates. You can apply for one free SSL certificate for each accelerated domain name. The validity period of a free SSL certificate is one year. When a free SSL certificate is about to expire, the system automatically renews the certificate. After you configure an SSL certificate for a domain name, the domain name is billed based on the number of HTTPS requests sent to POPs.
Am I charged for HTTPS requests when HTTP 403 or 404 status code is returned because the IP addresses of the HTTPS requests belong to the IP address whitelist or blacklist or the headers of the HTTPS requests belong to the User-Agent whitelist or blacklist?
Yes, you are charged for the HTTPS requests. If your HTTPS requests meet specific rules and HTTP 403 or 404 status code is returned, your HTTPS requests are considered processed. In this case, you are charged for traffic that is consumed by the HTTPS requests. However, because no resource content is returned, the amount of consumed traffic is small and the fees are low.
Do I need to configure HTTPS secure acceleration for POPs if HTTPS is configured on the origin server?
Yes, you need to configure HTTPS secure acceleration for POPs even if HTTPS is configured on the origin server. HTTPS applies to communication between clients and an origin server. Before Alibaba Cloud CDN is activated, clients directly retrieve content from the origin server. Therefore, HTTPS secure acceleration must be configured on the origin server to support content delivery. After Alibaba Cloud CDN is activated, clients interact with POPs. To enable communication over HTTPS between clients and POPs, an SSL certificate must be configured for your accelerated domain name and deployed to POPs. For more information about how to configure an SSL certificate, see Configure an SSL certificate.
Does the content retrieval speed drop and resource usage increase after I enable HTTPS secure acceleration?
No, the content retrieval speed remains unchanged and resource consumption does not increase after you enable HTTPS secure acceleration. If HTTPS is enabled for an origin server, more computing resources are consumed by the origin server when compared with communication with the origin server over HTTP. The additional resource consumption is caused by asymmetric encryption and decryption during HTTPS handshakes. Significant resources are consumed in cases of high concurrency. Symmetric encryption and decryption require similar resources as HTTP communication. Therefore, more sessions may be reused. The system requires more time to enable HTTPS communication with the origin server than HTTP communication with the origin server.
To fix this issue, you can use Dynamic Content Delivery Network (DCDN) to enable end-to-end HTTPS communication. DCDN reduces the average amount of time that is consumed by SSL handshakes. In cases of high concurrency, the session reuse rate on the origin server is significantly increased. This way, fewer resources are consumed to enable content delivery acceleration over HTTPS.
To accelerate the delivery of static content, POPs cache static content. The amount of time that is consumed by handshakes is increased, but the amount of time that is consumed by data transmission is decreased. In this case, the total amount of time for content delivery is decreased. Requests for static content are not redirected to the origin server because static content is cached on POPs and is directly delivered to clients. This minimizes resource usage on the origin server.
To accelerate the delivery of dynamic content, DCDN provides more flexible and optimal routing solutions when compared with content delivery over the Internet. The requests for dynamic content must be redirected to the origin server. When DCDN is used to accelerate content retrieval from the origin server, the session reuse rate is increased and the overall transmission speed is improved. Requests for dynamic content must be redirected to the origin server. Therefore, asymmetric encryption and decryption is a required step. This consumes more origin resources. DCDN can be used to enable end-to-end HTTPS communication and minimize resource usage.
How do I configure an SSL certificate?
You can configure an SSL certificate in the Alibaba Cloud CDN console. For more information, see Configure an SSL certificate.
What do I do when the system prompts me a duplicate SSL certificate message after I upload the certificate?
If the system prompts that the certificate already exists, you can change the certificate name and try again. This applies after you configure the Upload Custom Certificate (Certificate+Private Key) parameter and upload a certificate.
How do I upload multiple third-party .crt certificates?
A certificate file that is issued by an intermediate CA contains multiple certificates. When you configure HTTPS, you need to combine the intermediate certificates and server certificate into a complete certificate before you upload it.
Use a text editor to open all *.PEM certificate files. When you combine the certificates, the first certificate must be the server certificate and the intermediate certificates follow the server certificate. Do not add space characters between certificates. The CA that issues the certificates may also provide instructions. Take note of the instructions.
The following figure shows an example of a complete certificate.
How do I convert the SSL certificate format when the system prompts that the certificate format is invalid?
Alibaba Cloud CDN supports only SSL certificates in the Privacy-Enhanced Mail (PEM) format. The requirements for certificate upload vary based on the certificate authority. For more information, see Certificate formats. If your certificate is not in the PEM format, convert the certificate format before you upload it. For more information, see Convert certificate formats.
Do I need to renew the SSL certificate in Alibaba Cloud CDN after an origin server renews its SSL certificate?
No. The updated SSL certificate on the origin server does not affect the SSL certificate in Alibaba Cloud CDN. You need to update the SSL certificate in Alibaba Cloud CDN only when the SSL certificate has expired or is about to expire. For more information, see Configure an SSL certificate.
Do I need to enable HSTS for subdomains if I turn on Include Subdomains when I configure HSTS?
No, you do not need to enable HSTS for subdomains. After you turn on Include Subdomains, HSTS takes effect for all subdomains. Make sure that each subdomain supports HTTPS. Otherwise, the subdomain cannot be accessed.
Why do clients access POPs over HTTP after I enable HTTPS secure acceleration?
Clients can access POPs over HTTP or HTTPS based on client settings. If you want clients to access POPs over HTTPS, you can configure the URL redirection feature in the Alibaba Cloud CDN console. For more information, see Configure URL redirection.