HTTP itself is transmitted in plaintext with no protection of its own. HTTPS layers certificates and SSL/TLS on top of HTTP and addresses the confidentiality, integrity and authentication of a website's traffic in transit (it does not, by itself, fix vulnerabilities in the site). This article introduces the basic concepts, solution, technical advantages and optimization practices of Alibaba Cloud (Aliyun) CDN HTTPS secure accelerated transmission.

Some basic concepts about HTTPS

Demand drives technological change. That is how the Internet was born, and that is how HTTPS was born. People needed to share and browse information on the Internet, so transmission technology was created and has been upgraded ever since. Later, rules for transmitting information over the Internet were written down, and that became the network protocol HTTP. From the first release, HTTP/0.9 in 1991, to HTTP/2 (the latest version at the time of writing), transmission efficiency has kept improving. Let's take a look at some basic HTTP concepts.

What is HTTP?

HTTP is the most widely used application protocol on the Internet. It is a request-response standard between a client and a server, carried over TCP, and is used to transfer hypertext from a web (WWW) server to the local browser.

What is HTTPS?

HTTPS is Hyper Text Transfer Protocol over Secure Sockets Layer, a secure HTTP channel; in short, the secure version of HTTP. It works by encapsulating HTTP inside the SSL/TLS protocol, and its role is twofold: to establish a secure channel that protects the confidentiality and integrity of the data in transit, and to verify the authenticity of the site through its certificate.

What is SSL?

SSL stands for Secure Sockets Layer, a secure communication protocol layered on top of TCP that helps Internet applications protect the integrity and confidentiality of their communication. When it was standardized by the IETF it was renamed TLS (Transport Layer Security). Many articles write the two together (SSL/TLS) because they are different generations of the same thing. Note that every SSL version, including SSL 3.0, is deprecated and should be disabled; modern deployments should use TLS 1.2 or TLS 1.3.

What is a handshake?

Before encrypted transmission can begin, the client and server establish a TCP connection and exchange parameters: the supported protocol versions and cipher suites, random values, and the server's certificate together with its key-exchange material. The client verifies the certificate against its trust store and the requested host name, both sides derive the session keys, and only then is application data transferred. This process is called the handshake.

What are encryption and decryption?

Encryption turns plaintext into ciphertext; decryption turns ciphertext back into plaintext. In both cases a piece of secret data, the key, is needed for the computation. HTTPS uses both kinds of cryptography: public-key (asymmetric) operations tied to the certificate authenticate the server and agree on a shared secret during the handshake, and symmetric encryption with the resulting session keys protects the bulk data.

Conclusion: in short, HTTPS is the security-enhanced version of HTTP. It is HTTP combined with the SSL/TLS protocol, which is why it is also called HTTP over SSL (or HTTP over TLS).

Why use HTTPS

The concept of HTTPS has been around for many years, but only in the last two years (as of this writing) has it started to take off in the mainstream. So, before introducing the CDN HTTPS solution, it is worth understanding why HTTPS should be chosen over HTTP.

First, HTTPS is the more secure transport protocol: it prevents website content from being tampered with or hijacked in transit, which is its most basic function. Chrome and Firefox have announced that they will mark plain HTTP as an insecure protocol.

Second, Apple's App Transport Security (ATS), introduced with iOS 9, requires apps to use HTTPS for their network connections by default; any exception has to be declared explicitly in the app's Info.plist.

Third, mainstream browsers already support HTTP/2, and they implement it only over TLS, so moving to HTTPS is a prerequisite for HTTP/2's performance gains.

Fourth, Google uses HTTPS as a (lightweight) ranking signal in search results to encourage its adoption.

Fifth, government websites in the US and UK have switched to HTTPS.

From user demand to the overall industry trend, everything is pushing HTTPS adoption. So what does the Alibaba Cloud CDN HTTPS solution look like?

CDN HTTPS solution

HTTPS effectively prevents website content from being tampered with or hijacked in transit and so raises the security of the site. Therefore the Alibaba Cloud CDN content delivery network introduced an HTTPS secure acceleration solution.

Take a two-tier CDN distribution architecture as an example: there are three TCP connections, Client to L1 edge node, L1 to L2 node, and L2 back to the origin, and each of them can carry HTTPS. On the first segment, from the Client to the L1 node, the customer's own certificate (the one issued for the accelerated domain) is used. From L1 to L2, Alibaba Cloud's own certificate encrypts the internal hop. On the back-to-origin segment the customer can also choose HTTPS, giving full-link HTTPS, which is what really guarantees that content cannot be tampered with or hijacked anywhere along the path; if the back-to-origin segment stays on HTTP, the hop between the CDN and the origin remains plaintext.

In the scenario above, the customer has to hand the certificate and private key to the CDN's certificate manager so that the edge can terminate HTTPS. There is a further option for customers who are sensitive about their private keys and would rather keep them on their own servers to reduce the risk of leakage: the keyless solution (no private key on the CDN; "selfless key" in some translations). The customer first deploys a private KeyServer. When the CDN performs an HTTPS handshake with a client, it extracts the SNI, looks up the domain configuration, and forwards the one operation that needs the private key to the customer's KeyServer: signing the handshake (for ECDHE key exchange) or decrypting the pre-master secret (for RSA key exchange). In other words, the private-key operation is split out of the edge and performed by the KeyServer, while the certificate and all other handshake work stay on the CDN. Note that the KeyServer thereby becomes a signing oracle for the domain: it must authenticate the CDN nodes that call it and should only sign for domains it has been configured for, because anyone who can obtain signatures from it can impersonate the site. Alibaba Cloud has implemented a KeyServer; customers only need to install the KeyServer RPM on their own server and configure it.

Alibaba Cloud CDN provides the HTTPS secure acceleration solution: enable secure acceleration mode and upload the certificate and private key for the accelerated domain, and encrypted transmission takes effect across the whole network.

Technical advantages of CDN HTTPS

• Supports HTTP/2

HTTP/2 is an enhancement of HTTP/1.x. Alibaba Cloud CDN now supports HTTP/2 across the whole platform; any domain using the Alibaba Cloud HTTPS acceleration service gets HTTP/2 at no extra cost. HTTP/2 is a binary protocol that supports header compression (HPACK), multiplexing of many requests over one connection, and server push, all of which improve transmission efficiency.

• Rich HTTPS configuration items

Alibaba Cloud CDN HTTPS settings can be changed dynamically. For example, in practice some customers' apps turned out to have imperfect HTTP/2 implementations. One fix is for the customer to correct the app; the other is for the CDN to disable HTTP/2 for that domain through configuration and fall back to HTTP/1.1, leaving the customer free to choose.

• KeyServer keyless solution

As described above, customers who are highly sensitive about their certificates and private keys can keep the private key on a self-built KeyServer so that it never leaves their own infrastructure; Alibaba Cloud provides the KeyServer solution together with its source code.

• Security features

HTTPS is an encrypted transport protocol with identity authentication, built by combining HTTP with SSL/TLS. It protects the confidentiality of sensitive information, prevents traffic from being hijacked or tampered with in transit, and guarantees data integrity.

• Dynamic certificates

Dynamic certificates are supported: once a customer uploads the certificate and private key, it takes effect across the whole network within about one minute. Multiple certificate options are offered, including free certificates, certificate-expiry notification and a preview of certificate attributes, and the service is integrated with Alibaba Cloud Certificate Service (CAS), from which free certificates can be requested.

• Flexible payment options

Two payment forms are available: pay-as-you-go at 0.05 yuan per 10,000 HTTPS requests, and prepaid request packages at 450, 4,000 and 35,000 yuan for 100 million, 1 billion and 10 billion requests respectively (Double Eleven promotional prices).

With so many advantages over HTTP, does HTTPS also outperform HTTP in terms of performance? Alibaba Cloud CDN HTTPS reduces the back-to-origin rate, improves communication efficiency, speeds up verification and cuts redirect time. Which techniques achieve that? Let's look at the optimization practice of CDN HTTPS.

CDN HTTPS optimization practice

First of all, the key factor holding back HTTPS performance is added latency: after the TCP handshake comes the TLS handshake with its extra round trips, the certificate chain has to be transferred, and every record has to be encrypted and decrypted.

So does HTTPS have to be slow?

The figure (not reproduced here) shows performance data for Taobao and Tmall after adopting HTTPS: the Taobao home page and search, Juhuasuan, Tmall and other pages all saw a net improvement. So what does CDN HTTPS do for performance?

First, session resumption. TLS supports two mechanisms for it, session IDs and session tickets. With a session ID the server stores the session state, and if the client presents the same ID on its next connection the session can be resumed with an abbreviated handshake instead of a full one. However, when a client lands on a different server, as it will behind a CDN, the ID only helps if the session state is shared between servers, which is complicated to implement. With a session ticket the server instead hands the session state, encrypted under a key only the servers hold, to the client; the client stores it and presents it next time, and any server holding the ticket key can resume the session without shared state. The ticket key then has to be protected and rotated, because whoever holds it can recover the secrets of every resumed session it covers.
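The following Go program is an added example, not code from the original article and not Alibaba Cloud's KeyServer; it shows both mechanisms from this article in one place: the keyless split described in the KeyServer section, and the session-ticket resumption described just above. A `keyServer` type (a constructed stand-in) keeps the ECDSA private key and signs only for an SNI it has been configured for; the CDN side holds the certificate plus a `remoteSigner` that implements `crypto.Signer`, which is how Go's TLS stack lets a certificate's private-key operations be delegated elsewhere. Two connections run over an in-memory pipe: the first is a full handshake, for which the KeyServer signs once, and the second is resumed from the ticket and needs no signature at all. TLS 1.2 is pinned because the session ID / session ticket mechanism the text describes is the TLS 1.2 one (TLS 1.3 replaced both with PSK-based resumption). The host name `example.test`, the self-signed test certificate and the pipe transport are assumptions made so the program runs offline.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// keyServer is a constructed stand-in for the customer-run KeyServer: it keeps
// the private keys and signs handshake digests, but only for an SNI it knows.
type keyServer struct {
	keys  map[string]*ecdsa.PrivateKey // SNI -> private key
	calls int                          // signatures requested so far
}

func (ks *keyServer) sign(sni string, digest []byte) ([]byte, error) {
	key, ok := ks.keys[sni]
	if !ok {
		return nil, fmt.Errorf("keyserver: no key configured for %q", sni)
	}
	ks.calls++
	return ecdsa.SignASN1(rand.Reader, key, digest)
}

// remoteSigner is all the CDN edge holds: the public key plus a stub that asks
// the KeyServer to sign. It satisfies crypto.Signer, so crypto/tls accepts it
// as tls.Certificate.PrivateKey; the private key itself never reaches the edge.
type remoteSigner struct {
	sni string
	pub *ecdsa.PublicKey
	ks  *keyServer
}

func (s *remoteSigner) Public() crypto.PublicKey { return s.pub }
func (s *remoteSigner) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	return s.ks.sign(s.sni, digest) // crypto/tls hands over the already-hashed digest
}

// selfSignedCert issues a throwaway ECDSA P-256 test certificate for host.
func selfSignedCert(host string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return key, leaf, err
}

// connect runs one TLS handshake over an in-memory pipe (no application data)
// and reports whether it was abbreviated, i.e. whether the session was resumed.
func connect(clientCfg, serverCfg *tls.Config) (bool, error) {
	cConn, sConn := net.Pipe()
	errc := make(chan error, 1)
	go func() {
		errc <- tls.Server(sConn, serverCfg).Handshake()
		sConn.Close()
	}()
	defer cConn.Close()
	cli := tls.Client(cConn, clientCfg)
	if err := cli.Handshake(); err != nil {
		return false, err
	}
	return cli.ConnectionState().DidResume, <-errc
}

// demo runs a full handshake and then a second one from the same client; it
// returns both DidResume flags and how many times the KeyServer had to sign.
func demo() (first, second bool, signCalls int, err error) {
	const host = "example.test" // assumed test host name
	key, leaf, err := selfSignedCert(host)
	if err != nil {
		return
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	ks := &keyServer{keys: map[string]*ecdsa.PrivateKey{host: key}}
	serverCfg := &tls.Config{MaxVersion: tls.VersionTLS12, // the session ID / ticket mechanism of the text
		Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw},
			PrivateKey: &remoteSigner{sni: host, pub: &key.PublicKey, ks: ks}}}}
	clientCfg := &tls.Config{ServerName: host, RootCAs: roots, MinVersion: tls.VersionTLS12,
		ClientSessionCache: tls.NewLRUClientSessionCache(8)} // tickets are kept here between connections
	if first, err = connect(clientCfg, serverCfg); err != nil {
		return
	}
	second, err = connect(clientCfg, serverCfg)
	return first, second, ks.calls, err
}

func main() {
	fmt.Println(demo()) // first resumed, second resumed, KeyServer signatures, error
}
```

The design point is the `calls` counter: a resumed handshake never touches the KeyServer, so on a CDN that resumes aggressively the KeyServer sees far fewer requests than the edge does, and its per-SNI check is the only thing standing between a compromised edge and arbitrary signatures for the domain.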

Second, use HTTP/2. Multiplexing and header compression raise transmission efficiency over a single TLS connection.

Third, domain consolidation. The main site and customers tend to have many domains; we merge them, typically under one wildcard domain, so that requests share TLS connections. Fewer domains mean fewer TLS handshakes and more connection reuse, which in turn improves efficiency.

Fourth, protocol-stack optimization, something every major CDN company does. The traditional TCP stack starts with a small initial congestion window and probes the path by sending gradually more data; we tune the initial window upward and improve the efficiency of fast retransmission.

Fifth, algorithm preference: ECDSA certificates are preferred over RSA. At the same security level an ECDSA key and signature are much smaller than their RSA counterparts, so the certificate and the handshake signature carry less data.
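To put numbers on the "same strength, less data" point, the following added Go program (not part of the original article) generates an RSA-2048 key and an ECDSA P-256 key and measures the two things a client has to receive from the server for each: the SubjectPublicKeyInfo that sits in the certificate and the handshake signature (ServerKeyExchange in TLS 1.2, CertificateVerify in TLS 1.3). The digest it signs is a constructed stand-in for a handshake transcript.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// wireSizes holds the byte counts a client receives from a server that
// authenticates with a given key type.
type wireSizes struct {
	PublicKeyDER int // SubjectPublicKeyInfo as embedded in the certificate
	Signature    int // handshake signature over the transcript digest
}

// measure encodes the public key and signs a digest, reporting both sizes.
// RSA keys produce a PKCS#1 v1.5 signature here, ECDSA keys an ASN.1 DER one.
func measure(signer crypto.Signer, digest []byte) (wireSizes, error) {
	pubDER, err := x509.MarshalPKIXPublicKey(signer.Public())
	if err != nil {
		return wireSizes{}, err
	}
	sig, err := signer.Sign(rand.Reader, digest, crypto.SHA256)
	if err != nil {
		return wireSizes{}, err
	}
	return wireSizes{PublicKeyDER: len(pubDER), Signature: len(sig)}, nil
}

// compare measures RSA-2048 against ECDSA P-256, the usual pair: P-256 offers
// a 128-bit security level, at least as strong as RSA-2048 (about 112 bits).
func compare() (rsaSz, ecSz wireSizes, err error) {
	digest := sha256.Sum256([]byte("handshake transcript stand-in (constructed)"))
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	if rsaSz, err = measure(rsaKey, digest[:]); err != nil {
		return
	}
	ecSz, err = measure(ecKey, digest[:])
	return
}

func main() {
	rsaSz, ecSz, err := compare()
	if err != nil {
		panic(err)
	}
	fmt.Printf("RSA-2048:    public key %d bytes, signature %d bytes\n", rsaSz.PublicKeyDER, rsaSz.Signature)
	fmt.Printf("ECDSA P-256: public key %d bytes, signature %d bytes\n", ecSz.PublicKeyDER, ecSz.Signature)
}
```

The RSA-2048 public key encodes to 294 bytes and its signature is always 256 bytes; the P-256 public key is 91 bytes and a DER-encoded ECDSA signature is about 70 bytes. The same ratio applies to every certificate in the chain, which is why an ECDSA chain often fits in the first few TCP segments while an RSA chain does not.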

The above are some of the optimizations CDN HTTPS applies in order to transmit more efficiently and move fewer bytes.

In addition, for peak traffic, besides the HTTPS optimizations themselves the cache system has to be pre-warmed and the content loaded onto the level-1 nodes so that no back-to-origin traffic occurs at the peak. In the scheduling system, the business side provides the predicted peak value; the CDN collects statistics on hotspot regions, allocates capacity from neighbouring non-hotspot regions, and distributes load in proportion to node capacity. And of course, for peak conditions, rate limiting is still needed.

How to use HTTPS better

With all these benefits of HTTPS, how can users make better use of it?

First, certificate application. Apply according to the type of domain; Alibaba Cloud also provides a certificate service that can issue Symantec, CFCA and GeoTrust certificates. Certificates come in three classes: DV, OV and EV. A DV (domain-validated) certificate only requires the CA to verify control of the domain name, so it gives the least assurance about who operates the site (the encryption itself is no weaker). OV and EV certificates are organization-level: in addition to domain control, the CA verifies the organization's identity, and an EV certificate displayed the company name when the site was visited (a browser feature that has since largely been removed).

Second, origin transformation: converting page resources so that scripts, images and other sub-resources are referenced over HTTPS (browsers block or downgrade mixed content), supporting TLS 1.0 or above (in practice TLS 1.2 or above today, since TLS 1.0 and 1.1 are deprecated), tuning the session ID and session ticket configuration, using certificates signed with SHA-256, and so on. In addition, when a user types only the domain name the browser starts with plain HTTP, so HTTPS access should be forced through configuration: redirect HTTP to HTTPS and send an HSTS header so that later visits go straight to HTTPS.
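As an added example (not code from the article, and not Alibaba Cloud CDN, where forcing HTTPS is a console setting), here is what the equivalent looks like at a Go origin: plaintext requests get a 308 redirect to the canonical HTTPS URL, and HTTPS responses carry a Strict-Transport-Security header so the browser stops trying HTTP at all. The host name `www.example.test`, the in-memory requests and the proxy-header option are assumptions. The redirect target uses the configured canonical host rather than the incoming Host header, so a forged Host header cannot turn the redirect into an open redirect; and the `X-Forwarded-Proto` header is honoured only when explicitly enabled, because on an origin reachable over plain HTTP any client could send it and skip the redirect.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// forceHTTPS wraps an origin handler: plaintext requests are redirected to the
// same path on https://canonicalHost (308 keeps the method and body), and
// responses served over TLS carry an HSTS header. trustProxyHeader must be true
// only when the origin is reachable solely through a TLS-terminating proxy such
// as the CDN edge that talks plain HTTP back to the origin.
func forceHTTPS(next http.Handler, canonicalHost string, trustProxyHeader bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		secure := r.TLS != nil
		if !secure && trustProxyHeader {
			secure = r.Header.Get("X-Forwarded-Proto") == "https"
		}
		if !secure {
			target := "https://" + canonicalHost + r.URL.RequestURI() // never built from r.Host
			http.Redirect(w, r, target, http.StatusPermanentRedirect)
			return
		}
		// One year, covering subdomains. Add "preload" only once every subdomain
		// is known to serve HTTPS; preload lists are hard to leave again.
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}

// newDemoHandler wraps a trivial origin for the assumed host www.example.test.
func newDemoHandler(trustProxyHeader bool) http.Handler {
	origin := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "secure content")
	})
	return forceHTTPS(origin, "www.example.test", trustProxyHeader)
}

// probe sends one in-memory request (no listener) through the handler and
// returns the status code, Location header and HSTS header it produced.
// httptest.NewRequest sets req.TLS for https:// targets, mimicking a TLS hit.
func probe(h http.Handler, url string, headers map[string]string) (int, string, string) {
	req := httptest.NewRequest(http.MethodGet, url, nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location"), rec.Header().Get("Strict-Transport-Security")
}

func main() {
	h := newDemoHandler(false)
	for _, u := range []string{"http://example.test/login?next=%2Fhome", "https://example.test/login"} {
		code, loc, hsts := probe(h, u, nil)
		fmt.Printf("%-42s -> %d location=%q hsts=%q\n", u, code, loc, hsts)
	}
	forged := map[string]string{"X-Forwarded-Proto": "https"}
	code, _, _ := probe(h, "http://example.test/", forged)
	fmt.Println("forged X-Forwarded-Proto with trustProxyHeader=false ->", code)
}
```

Run it and the plaintext URL comes back as a 308 to `https://www.example.test/login?next=%2Fhome`, the HTTPS URL is served with the HSTS header, and the forged proxy header is ignored unless the handler was told the origin sits behind a trusted edge.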