Shulou(Shulou.com)05/31 Report--

Today, I would like to talk to you about how to deeply analyze the HTTPS protocol. Many people may not know much about it. In order to make you understand better, the editor has summarized the following contents for you. I hope you can get something from this article.

I. the dilemma of WeChat Mini Programs's access.

With the Lunar New year approaching and WeChat Mini Programs released as scheduled, developers will encounter the following problems in the process of accessing WeChat Mini Programs:

Mini Program requires that the communication with the server must be completed through HTTPS. If the developer chooses to build the HTTPS service by himself, he / she needs to apply for and deploy the SSL certificate, and complete the construction of the https service. The process is inefficient and lengthy; and the SSL plus parsing of HTTPS will incur great overhead on the CPU of the server.

Not only Mini Program, but also Apple's iOS platform and Google Android gradually forced developers to use HTTPS access in 2017. HTTPS seems to be an insurmountable threshold, giving many developers a headache.

To solve the above problems, Tencent Cloud's load balance Service (cloud load balance) hopes to optimize the performance of HTTPS and provide one-click SSL certificate application service to reduce the application threshold and cost of HTTPS, so that developers can quickly access services such as WeChat Mini Programs. First, let's take a look at the comparison between HTTP and HTTPS to solve your mysteries one by one.

Second, why the security risk of connecting to HTTPS-HTTP

HTTP protocol is a very simple and efficient protocol, most of the mainstream applications of the Internet use HTTP by default. Due to the limitations of performance and the environment used in the 1990s, HTTP itself is not a protocol designed for security, there is neither identity authentication nor consistency checking. The biggest headache is that all the content of HTTP is transmitted in plaintext.

On the other hand, the development of the Internet is also changing with each passing day, and a variety of HTTP applications continue to infiltrate into all aspects of people's lives. Whether it is social, shopping, finance, games, or search, these HTTP services can bring people great convenience and improve the quality of life and efficiency.

Obviously, HTTP is closely related to people's life and economic interests. Unfortunately, it is not safe. Which means that there must be huge security risks hidden here. These hidden dangers are mainly reflected in the following two aspects:

1. Privacy disclosure

Because HTTP itself is plaintext transmission, the content of transmission between the user and the server can be viewed by the middleman. In other words, the information you search, shop, visit, click on and other information on the Internet can be obtained by the "middleman". As most of the Chinese people do not pay much attention to the protection of privacy, the risk here is relatively hidden, and the consequences of injury are not good for quantitative assessment. Some of the more serious privacy breaches known include:

QQ landing status is stolen by lawbreakers, and then landing in different places, advertising and fraud.

The user's mobile phone number and identity information are disclosed.

The user's online behavior is compromised. For example, if you search a hospital, someone will soon call to promote it (non-effective advertising).

2. Page hijacking

The risk of privacy disclosure is relatively hidden, and users basically do not perceive it. But the impact of another type of hijacking is very obvious and very direct-page hijacking, that is, directly tampering with the user's browsing page. Many pages are hijacked simply and rudely, directly inserting third-party advertisements or traffic prompts from operators.

However, some hijackings are more covert, such as the following JD.com page hijacking: the image above is a page using HTTP, and a shopping recommendation appears in the place shown by the top arrow, which is very realistic, just like JD.com or the official browser tool.

But for HTTPS access, there is no such tool page, which is obviously hijacked.

3. Hijacking path and classification

So how did hijacking come about? Technically speaking, it is relatively simple to monitor and tamper with the content where it passes through. However, in order to find out the whole hijacked industrial chain clearly, it is difficult to go deep into the underground industry. One thing is for sure, most hijackings take place in the middle of the network node, also known as "MITM, man in the middle". As shown in the following figure:

Because the information transmission needs to go through the above-mentioned "man-in-the-middle node", and they have read and write access to the information, if the information is not encrypted or verified, then want to view privacy and tamper with the page, it is easy for the "middleman".

What are the main categories of hijacking? According to the hijacking path, it is mainly divided into three categories as shown in the following figure:

DNS hijacking, client hijacking and link hijacking. According to our incomplete statistics, the vast majority of hijackings encountered by businesses (90%) are link hijackings.

3. HTTPS is a nuclear weapon to solve link hijacking.

Why can HTTPS solve link hijacking well? Mainly three major weapons:

1. Identity authentication-anti-counterfeiting and non-repudiation

Each time a new HTTPS connection is established, the identity needs to be authenticated to ensure that the user is visiting the correct destination site.

2. Content encryption-Anti-eavesdropping

Content encryption means that the end-to-end communication content is all ciphertext, the middleman can not directly see the plaintext, all the application layer content of HTTPS is encrypted and decrypted through symmetric encryption.

3. Consistency check-tamper proof

The MAC code of the data and the shared key is used to prevent the middleman from tampering with the message content and ensure the consistency of the data.

IV. Pain of HTTPS Popularization

In fact, HTTPS was born in 1995 and is a very old and mature protocol. At the same time, it can prevent content hijacking and protect users' privacy. But why is there still a majority (about 66%) of websites that do not support HTTPS and only use HTTP?

The main reasons that affect the popularity of HTTPS can be summarized as two words: "slow" and "expensive".

1. Slow

Without any optimization, HTTPS will seriously slow down the access speed of users. The main factors include:

The network takes time. Due to the provisions of the protocol, the network transmission must be carried out. For example, SSL complete handshake, 302 jump and so on. In the worst case, seven RTT may be added.

The calculation takes time. Both the client and the server need to carry out symmetrical encryption and decryption, protocol parsing, private key calculation, certificate verification and other calculations, increasing a lot of computing time.

2. Expensive

The high cost of HTTPS is mainly reflected in the following three aspects:

Server cost. The private key calculation of HTTPS will lead to a sharp decline in server performance, even less than 1/10 of HTTP protocol, that is to say, if the performance of HTTP is 10000cps, the performance of HTTPS may only be a few hundred cps, which will increase the server cost several times or even dozens of times.

Certificate cost. Depending on the number and type of certificates, it may cost hundreds to millions of certificates a year.

Development and operation costs. HTTPS protocol is relatively complex, and security BUG often occurs in the open source implementation of openssl, including protocol configuration, certificate update, expiration monitoring, client compatibility and a series of problems that need to be followed up by technicians with professional background.

5. Performance optimization of Tencent Cloud load balancer HTTPS

Tencent Cloud load balancer is deeply optimized for the pain points in the promotion and application of HTTPS. Let's take a closer look at these optimizations in detail:

1. Optimization of access speed

As mentioned earlier, HTTPS is very slow, and we optimize the access speed mainly from two levels: the protocol stack and the front and back end resources.

Full-link protocol stack optimization

HTTPS can be thought of as HTTP over SSL, and HTTPS uses TCP protocol for transmission, so the optimization of the entire protocol stack involves three levels:

TCP optimization. It includes the adjustment of congestion window, the support of tcp fast open,reuseport and the support of the latest BBR congestion control algorithm.

SSL protocol optimization. Distributed session cache, session ticket,False start, ocsp stapling file, dynamic record size, etc.

The most important goal of SSL protocol optimization is to increase the proportion of simplified handshake. Tencent Cloud improves the simplified handshake ratio of SSL by implementing global session cache and global session ticket, saving user access time and computing resources.

3. Application layer protocol optimization. Support SPDY,HTTP2,HSTS and so on at the same time.

The biggest advantage of HTTP2 over HTTP1.X is multiplexing, which can send multiple HTTP requests through a TCP connection in parallel. Compared with HTTP1.X serial transmission, there is no doubt that the performance is greatly improved.

Because HTTP2 is inherited from SPDY, some older clients only support SPDY, not HTTP2. Most of the new clients only support HTTP2, not SPDY. To be compatible with the performance of both new and old clients, Tencent Cloud supports both SPDY and HTTP2 to maximize the performance of new and old clients.

Front and rear optimization

The biggest feature and advantage of HTTP2 and SPDY is multiplexing, which can send multiple requests in parallel over a single connection. Although this feature is powerful, the effect of multiplexing will be limited if traditional HTTP optimization strategies are still used. For example, domain name fragmentation, pipline and so on will affect the effect of multiplexing. Therefore, through many data experiments, we have adjusted some front-end resources, including the back-end access strategy:

The domain name is returned. Through the analysis of page resources and performance, it is true that the domain name recovery scheme, such as no more than 3 mobile pages.

Pre-built connections. STGW provides pre-connection pages. By analyzing the user behavior of hot pages, connections are established in advance to reduce the impact of protocol overhead on the user experience.

Uninstall HTTPS nearby through Tencent Cloud's CDN and IDC nodes all over the world.

2. Optimization of computing performance

Tencent Cloud has optimized the computing performance of HTTPS from three aspects, including:

Try to reduce the occurrence of complete handshake and increase the proportion of simplified handshake. For example, the global sessioncache and session ticket mentioned earlier.

For the inevitable complete handshake, Tencent Cloud implements RSA asynchronous proxy computing. Through the modification of the protocol stack and the use of SSL hardware accelerator card, the computing power and anti-attack capability of HTTPS are greatly improved.

The symmetric encryption calculation process is also optimized in the use of the scene.

Let's introduce it in more detail:

RSA Asynchronous Agent Computing

Tencent Cloud focuses on optimizing the asymmetric key exchange algorithm, which consumes the most serious performance of HTTPS. The optimization idea mainly includes the following three parts:

Algorithm separation. Is to strip out the algorithm that consumes the most CPU resources, so as not to consume the local CPU resources.

Agent computing. Use an idle CPU machine or a special SSL hardware accelerator card to complete the RSA calculation.

Execute asynchronously. When traditional openssl is doing RSA, the upper applications, such as NGINX, need to wait synchronously. This step is also very influential, and must be modified asynchronously, so that when accelerating the RSA calculation of the cluster, the access server can also access the requests of other users to improve its throughput capacity.

Through the in-depth modification of the openssl handshake protocol stack and the RSA computing performance of the SSL hardware accelerator card, the SSL computing power of Tencent Cloud CLB has been improved by 350%. The processing performance of stand-alone ECDHE_RSA reaches 65000 cps.

Automatic optimal selection of symmetric encryption algorithm

Match the optimal symmetric encryption algorithm according to the application scenario:

For streaming content such as video, aes-gcm is preferred.

Use chacha20-poly1305 for mobile terminals that do not support aes-ni hardware acceleration instructions.

For antique clients such as IE6, the RC4 algorithm is used.

3. Parallel unloading of the protocol

CLB supports access and uninstallation of all mainstream HTTP protocols. These include:

Http1.0/http1.1

Http2 and its predecessor spdy3.1

Https, including ssl3.0, tlsv1.0,tlsv1.1,tlsv1.2

Websocket and secure websocket.

Tcp,udp transparently forwards.

CLB can uniformly convert the above layer 7 protocols into HTTP1.1, which can be transmitted to the service through. The benefits to the business are also obvious: HTTPS and HTTP2 can be used at 0% development cost, greatly reducing the pressure to adapt to various protocols and clients.

4. Security

The areas and scenarios involved in security are very large. Although HTTPS can completely solve link hijacking, it is powerless to deal with the following two kinds of problems:

CC attacks, especially HTTPS computing attacks, will lead to a sharp decline in the performance of HTTPS, introducing greater security risks.

Business security, including SQL injection, XSS cross-site, website horse, etc.

Both of these are high-risk security issues that often haunt the business.

To solve the above problems, Tencent Cloud has also designed and implemented a security system against CC and WAF for HTTPS, which can effectively defend against such security risks.

After reading the above, do you have any further understanding of how to analyze the HTTPS protocol in depth? If you want to know more knowledge or related content, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.