Ergouzi (literally "Two Dog Son") is the webmaster of a little-known website. He enjoys sharing his daily work, life, technology and more through his blog, and is determined to become the most beautiful man in the night sky.

But a while ago, several users reported that the website would inexplicably jump to some XX website, and that it was also a little slow to load. As the most beautiful man in the night sky, how could he let hijacking like that bother his users? So he quickly enabled HTTPS on all his sites. The websites were now safe, but what could be done to speed up access? Ergouzi once again fell into meditation.

HSTS

One dead of night, Ergouzi began to delve into HTTPS. He looked up the HTTPS transfer process on Wikipedia; once he was familiar with the whole process, he could better understand how to optimize HTTPS.

Ergouzi had enabled HTTPS, but he could not be sure whether users reached the site via http:// or https://. The common habit is to type the bare domain name and let the browser fill in the protocol. The problem is that if the website forces HTTPS with a 301 or 302 redirect when a user visits the domain, that first request still travels over plain HTTP and is therefore vulnerable to hijacking and third-party attack.

Is there a better way to avoid this? As the saying goes, where there is a spear there is a shield. Ergouzi's in-depth research found that HSTS can avoid this situation.

The Internet Engineering Task Force (IETF) is promoting HSTS as a new web security protocol. With HSTS, users do not need to manually type https:// in the address bar when visiting a website: the browser automatically uses HTTPS for the site's addresses, so users always reach the site over an encrypted connection, protecting the security of the transmitted data.

HSTS works mainly through a response header that the server sends to control the browser's behaviour.

  1. First add strict-transport-security: max-age=expireTime [; includeSubDomains] [; preload] to the server's response headers;
  2. Set the max-age parameter; the maximum recommended setting is 6 months;
  3. The next time the user accesses the site over HTTP, the client performs an internal 307 redirect to HTTPS;

Enabling HSTS effectively prevents these attacks while also saving the time spent on 301/302 redirects, greatly improving both the site's security and the user experience.
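The policy logic behind steps 1 to 3, as an added example that is not part of the original post: a hypothetical browser-side HSTS store in Python that parses the header, records the policy only from HTTPS responses, and upgrades later http:// URLs (subdomains included when includeSubDomains is set) until max-age expires.

```python
# Hypothetical in-memory HSTS store modelling what a browser remembers after
# seeing Strict-Transport-Security on an HTTPS response (RFC 6797).
# Constructed illustration, not code from the original post.
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(header):
    """Parse 'max-age=N [; includeSubDomains] [; preload]' into a dict.
    Returns None when there is no usable max-age (policy must be ignored)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            if not value.strip().isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

class HstsStore:
    def __init__(self):
        self.policies = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host, header, over_https, now):
        """Record a policy. Headers on plain-HTTP responses are ignored (an
        on-path attacker could forge them); max-age=0 deletes the entry."""
        policy = parse_hsts(header)
        if policy is None or not over_https:
            return
        if policy["max_age"] == 0:
            self.policies.pop(host, None)
            return
        self.policies[host] = (now + policy["max_age"], policy["include_subdomains"])

    def rewrite(self, url, now):
        """Return the URL the browser would fetch: http:// becomes https://
        (the 'internal 307') while a matching, unexpired policy exists."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = (parts.hostname or "").split(".")
        for i in range(len(labels)):  # exact host first, then parent domains
            entry = self.policies.get(".".join(labels[i:]))
            # unexpired entry; a parent domain only counts with includeSubDomains
            if entry and now < entry[0] and (i == 0 or entry[1]):
                return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```

Note that the store is only populated by an HTTPS response, so a user's very first plain-HTTP visit is still unprotected unless the domain is on the browsers' built-in preload list, which is what the preload directive is for.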

HTTP/2

With HSTS switched on, Ergouzi grew even more excited and decided to keep studying instead of sleeping.

Ergouzi had been in the IT industry for a long time and had recently heard HTTP/2 mentioned often, but did not understand where HTTP/2 was so "powerful", so he set off on a research trip.

HTTP/2 is the first update to the HTTP protocol since the release of HTTP 1.1 in 1999, and is primarily based on the SPDY protocol. It was developed by the Hypertext Transfer Protocol BIS (HTTPBIS) working group of the Internet Engineering Task Force (IETF). The organization submitted the HTTP/2 standard proposal to the IESG for discussion in December 2014, and it was approved on February 17, 2015. The HTTP/2 standard was officially published as RFC 7540 in May 2015.

HTTP/2 has the following changes compared to HTTP 1.1:

  1. Data is transmitted in a binary format rather than the text format of HTTP 1.x, and the binary protocol is more efficient to parse.
  2. Multiplexing replaces the original sequential, blocking mechanism: all requests are handled concurrently over a single TCP connection.
  3. Server push: the server can actively push other resources while sending the page's HTML, instead of waiting for the browser to parse to the corresponding location, make a request and then respond. For example, a server can actively push JS and CSS files to the client without requiring the client to parse the HTML and then send these requests. The server can push actively, and the client has the right to choose whether to receive or not. If the server pushes a resource that the browser has already cached, the browser can reject it by sending an RST_STREAM frame. Active push also follows the same-origin policy, so the server will not push third-party resources to the client.
  4. Header compression: HTTP/2 uses HPACK (a compression format designed for HTTP/2 headers) to compress the headers it delivers, saving the network traffic that headers would otherwise consume.
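Points 1 and 3 above, as an added example that is not code from the original post: a Python encoder and decoder for the RFC 7540 binary frame header, plus the RST_STREAM(CANCEL) frame a client sends to refuse a PUSH_PROMISE for a resource it already has cached.

```python
import struct

# Constructed example (not code from the original post) of HTTP/2 binary framing
# per RFC 7540. Every frame starts with a fixed 9-byte header:
#   24-bit payload length | 8-bit type | 8-bit flags | 1 reserved bit + 31-bit stream id
TYPE_RST_STREAM = 0x3
TYPE_PUSH_PROMISE = 0x5
FLAG_PADDED = 0x8
ERR_CANCEL = 0x8  # RST_STREAM error code a client uses to refuse a pushed stream

def encode_frame(frame_type, flags, stream_id, payload):
    """Build one frame. Length is 24 bits, but peers also enforce
    SETTINGS_MAX_FRAME_SIZE (default 16384), so callers must split payloads."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload too large for 24-bit length field")
    header = len(payload).to_bytes(3, "big") + bytes([frame_type, flags])
    return header + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload

def decode_frame(data):
    """Parse one frame from the front of a buffer.
    Returns (type, flags, stream_id, payload, remaining) or None if incomplete.
    Unlike text HTTP/1.x, the length prefix tells the parser exactly where to stop."""
    if len(data) < 9:
        return None
    length = int.from_bytes(data[:3], "big")
    stream_id = struct.unpack("!I", data[5:9])[0] & 0x7FFFFFFF  # drop reserved bit
    end = 9 + length
    if len(data) < end:
        return None
    return data[3], data[4], stream_id, bytes(data[9:end]), bytes(data[end:])

def reject_push(push_promise_frame):
    """Given a PUSH_PROMISE frame, return the RST_STREAM(CANCEL) frame a browser
    sends on the promised stream when it already holds the resource in cache."""
    parsed = decode_frame(push_promise_frame)
    if parsed is None or parsed[0] != TYPE_PUSH_PROMISE:
        raise ValueError("not a complete PUSH_PROMISE frame")
    flags, payload = parsed[1], parsed[3]
    # Payload: [pad length if PADDED] + 31-bit promised stream id + HPACK block
    offset = 1 if flags & FLAG_PADDED else 0
    promised = struct.unpack("!I", payload[offset:offset + 4])[0] & 0x7FFFFFFF
    return encode_frame(TYPE_RST_STREAM, 0, promised, struct.pack("!I", ERR_CANCEL))
```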

How fast is HTTP/2? There is a demo of HTTP 1.1 vs. HTTP/2. I couldn't sleep when I saw it.

With these optimizations in place, Ergouzi's website access speed will soon take off.

TLS 1.3

It occurred to him that SSL/TLS has now reached TLS 1.3, the newest, fastest and most secure version of the TLS protocol, which adds several new features over the old versions. By simplifying the handshake it improves connection speed and reduces latency, and by removing cipher suites that pose security risks it improves security as well as user access performance and efficiency.

In order to get a better understanding of how TLS 1.3 works, Ergouzi set out on a new learning journey.

As the figure above shows, TLS 1.2 takes two round trips (2-RTT) to complete the handshake before the request can be sent.

The TLS 1.3 handshake no longer supports static RSA key exchange, which means that a full handshake must use Diffie-Hellman key exchange with forward secrecy. As the figure above shows, with TLS 1.3 only one round trip (1-RTT) is needed to complete the handshake.

Compared with TLS 1.2, the handshake time in TLS 1.3 is halved. This means that visiting a mobile site over TLS 1.3 may reduce the time by nearly 100ms.

"It isn't HTTPS that slows the website down; it's that the website isn't optimized enough," Ergouzi said with deep feeling. After a night of hard work and the launch of HSTS, HTTP/2 and TLS 1.3, Ergouzi feels like the hottest guy in the blogosphere. But what you may not know is that Youpaoyun provides a one-stop SSL certificate application service: HSTS, HTTP/2, TLS 1.3 and other functions can be turned on with one click, and you can make HTTPS faster in minutes.

Recommended reading:

When "HTTP" meets "S"

TLS 1.3 vs. TLS 1.2, so you can see how powerful TLS 1.3 is