
Don't just fight traffic hijacking: full-site HTTPS is king!

2025-01-16 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 report:


Why was your browsing activity and private data suddenly "stolen"? Why did you type the right domain name and still end up on a phishing site? Security incidents such as user data leaks, traffic hijacking and page tampering happen all the time.

After Baidu switched to HTTPS, Alibaba's Taobao and Tmall did the same. Over the past few years Google has moved Google Search, Gmail, YouTube and other products from plain HTTP to encrypted HTTPS, and in December 2015 it announced a change to the Google Search index that gives HTTPS pages priority. So why does HTTPS resist hijacking and tampering, and what are its advantages?

What is HTTPS? A quick primer first; skip ahead if you already know this.

HTTPS (Hypertext Transfer Protocol Secure) is HTTP carried over a secure channel between the client and the server. The channel is provided by TLS (Transport Layer Security), the successor to SSL (Secure Sockets Layer); put simply, HTTPS is HTTP encrypted with TLS/SSL. (It is sometimes expanded as "Secure Hypertext Transfer Protocol", but that name properly belongs to S-HTTP, a different and long-abandoned protocol.)

HTTP sends everything in plaintext, so traffic can be eavesdropped on, tampered with or hijacked in transit. TLS/SSL adds identity authentication (the server proves it holds the private key for the certificate the browser sees), encryption and integrity verification, which removes all three risks on the protected hop.

TLS/SSL, in full the Transport Layer Security protocol, is a security layer that sits between TCP and HTTP. It changes neither TCP nor HTTP itself, so moving to HTTPS usually needs little modification to the pages; the main practical chore is fixing references to http:// sub-resources, which browsers block as mixed content.

The principles and advantages of HTTPS are covered above, but adding a protocol layer to get safer communication inevitably has a price. The performance cost of HTTPS shows up as extra CPU consumption and added latency: the handshake costs the server a private-key operation for every new connection, and it adds at least one network round trip (two for TLS 1.2) before the first HTTP request can even be sent, on top of the symmetric encryption and decryption of every byte afterwards.

Because the handshake cost is paid in round trips, HTTPS latency falls as the serving node gets closer to the user, and a CDN edge is by definition the closest node. Terminating HTTPS at the CDN therefore cuts access latency substantially. Still, HTTPS consumes noticeably more computing resources than HTTP and the encryption and decryption add transfer time, so HTTPS sites face a bigger challenge in page loading and transfer than ordinary HTTP sites.

HTTPS acceleration solutions fall into three basic types:

1. HTTPS certificate acceleration: the origin hands its certificate, including the public key certificate and the private key, to the CDN, which terminates TLS with the browser and caches content; cache hits are answered directly and misses are fetched from the origin over HTTP or HTTPS. This seriously violates the basic principle of PKI trust, namely that the private key must be kept strictly confidential and never shared with a third party. There are alternatives that do not require the customer to hand over its private key, such as a CDN-issued custom certificate or a shared certificate, but their key management is complex, the customer site cannot revoke its authorization of the CDN vendor on its own, and the CA, as the trusted third party, does not revoke shared certificates to reflect a change in that authorization relationship.

2. Certificate-less HTTPS acceleration: the origin does not hand over a certificate, the browser notices no difference, the CDN holds only the public key (certificate) and the origin keeps the private key. The origin thus never shares its private key with the CDN. During TLS authentication and key negotiation between the CDN node and the browser, the one step that needs the private key is forwarded to the origin over a secure channel (carried as HTTP or HTTPS); the origin either extracts the session key (RSA key exchange) or completes the handshake signature (ECDHE) and hands the result back to the CDN node.

3. HTTPS data channel acceleration: the user's request goes to the CDN, which carries it over its own dedicated acceleration network along the best path to the access point nearest the origin, and that node forwards the request to the origin. The CDN caches nothing in this scheme; it only uses its network to deliver user requests to the origin quickly, reducing public-Internet latency.
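The difference between Scheme 1 and Scheme 2 is where the private key lives. The following Go program is an added illustration, not code from the article or from any CDN vendor: an origin-side key server is the only holder of an ECDSA key, a CDN edge holds just the public key and forwards the handshake transcript hash it needs signed, and the browser verifies the returned signature against the certificate's public key. The edge ID "edge-1", the transcript bytes and the revocation list are all constructed stand-ins for the real TLS messages and the secure edge-to-origin channel.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// OriginKeyServer runs at the origin and is the only holder of the private key.
// In Scheme 2 the CDN edge never receives this key; it sends signing requests instead.
type OriginKeyServer struct {
	priv            *ecdsa.PrivateKey
	authorizedEdges map[string]bool // which CDN nodes may request signatures
}

// NewOriginKeyServer authorizes the given edge IDs (hypothetical identifiers).
func NewOriginKeyServer(priv *ecdsa.PrivateKey, edges ...string) *OriginKeyServer {
	o := &OriginKeyServer{priv: priv, authorizedEdges: map[string]bool{}}
	for _, e := range edges {
		o.authorizedEdges[e] = true
	}
	return o
}

// SignRequest is what an edge sends over the secure edge-to-origin channel:
// the SHA-256 transcript hash the browser expects to see signed.
type SignRequest struct {
	EdgeID string
	Digest [32]byte
}

// Sign returns an ECDSA signature over the digest, refusing unauthorized edges.
func (o *OriginKeyServer) Sign(req SignRequest) ([]byte, error) {
	if !o.authorizedEdges[req.EdgeID] {
		return nil, errors.New("key server: edge not authorized")
	}
	return ecdsa.SignASN1(rand.Reader, o.priv, req.Digest[:])
}

// Revoke withdraws an edge's authorization. The origin can do this on its own,
// which is exactly what Scheme 1 (private key handed to the CDN) cannot offer.
func (o *OriginKeyServer) Revoke(edgeID string) { delete(o.authorizedEdges, edgeID) }

// Edge is a CDN node in Scheme 2: it holds the certificate's public key only.
type Edge struct {
	ID        string
	Pub       *ecdsa.PublicKey
	keyServer *OriginKeyServer // stands in for the secure channel back to the origin
}

// CertificateVerify produces the handshake signature the browser will check.
// The edge has no private key, so the signing itself happens at the origin.
func (e *Edge) CertificateVerify(transcript []byte) ([]byte, error) {
	return e.keyServer.Sign(SignRequest{EdgeID: e.ID, Digest: sha256.Sum256(transcript)})
}

// BrowserVerify is the client side: check the signature with the public key
// taken from the certificate the edge presented.
func BrowserVerify(pub *ecdsa.PublicKey, transcript, sig []byte) bool {
	d := sha256.Sum256(transcript)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

// KeylessResult summarizes one run of the exchange.
type KeylessResult struct {
	BrowserAccepted  bool // genuine transcript verifies with the origin-made signature
	TamperedAccepted bool // must stay false: a changed transcript cannot reuse it
	RevokedBlocked   bool // after Revoke the edge can no longer finish a handshake
}

// KeylessScenario runs the exchange with a constructed handshake transcript.
func KeylessScenario() (KeylessResult, error) {
	var res KeylessResult
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return res, err
	}
	origin := NewOriginKeyServer(priv, "edge-1")
	edge := &Edge{ID: "edge-1", Pub: &priv.PublicKey, keyServer: origin}

	// Constructed stand-in for the TLS handshake transcript.
	transcript := []byte("ClientHello|ServerHello|Certificate(www.example.com)")
	sig, err := edge.CertificateVerify(transcript)
	if err != nil {
		return res, err
	}
	res.BrowserAccepted = BrowserVerify(edge.Pub, transcript, sig)
	tampered := []byte("ClientHello|ServerHello|Certificate(phishing.example)")
	res.TamperedAccepted = BrowserVerify(edge.Pub, tampered, sig)

	origin.Revoke("edge-1") // origin cuts the CDN off without involving any CA
	_, err = edge.CertificateVerify(transcript)
	res.RevokedBlocked = err != nil
	return res, nil
}

func main() {
	res, err := KeylessScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

The point to take from the run is the last step: because authorization lives at the origin's key server rather than in a certificate the CDN possesses, the origin can revoke a CDN node unilaterally and immediately, without asking a CA to revoke anything.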

An Internet origin site can pick from these according to its needs. Scheme 1 suits only origins that want anti-hijacking and anti-tampering and are willing to give their certificate to the CDN. Scheme 2 suits origins with higher security requirements that are unwilling to share their private key with the CDN. Scheme 3 suits purely dynamic content that the CDN cannot cache. Today almost every CDN vendor supports Scheme 1, while Schemes 2 and 3 are supported by only a few, and even the vendors that support Scheme 2 mostly go back to the origin over plain HTTP, so the traffic is not HTTPS end to end.

As origin sites demand more security, tamper resistance and hijacking resistance for user traffic in transit, the whole site, static and dynamic content alike, will be served over HTTPS, and the demands on the CDN will rise accordingly: the edge-to-origin hop has to be HTTPS as well, with the origin's certificate actually verified, or the CDN's own backhaul becomes the place where the page can be read and rewritten.
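What "HTTP back-to-source" costs, and what full HTTPS back to the origin looks like from the edge's side, is shown by the following Go program, an added example that is not part of the article or of any CDN product. It stands up a constructed origin on loopback with a self-signed certificate (net/http/httptest), then tries four edge configurations: a plaintext origin URL, which the edge refuses outright; TLS with no trust anchor for the origin, which fails; TLS with verification switched off, which "works" but authenticates nothing; and TLS with the origin's CA pinned, which is the only configuration that both succeeds and proves who the origin is. The response body "origin page" is a placeholder.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// BackToOriginResult records what each edge-to-origin configuration observed.
type BackToOriginResult struct {
	PlainHTTPRejected bool   // the edge refuses to fetch the origin over plain HTTP
	UnverifiedFails   bool   // TLS with no trust anchor fails against the origin's cert
	SkipVerifyWorks   bool   // InsecureSkipVerify succeeds, which is why it is tempting
	VerifiedBody      string // body fetched over TLS with the origin CA pinned
}

// backToOrigin is the edge's origin fetcher. It refuses plaintext origins outright,
// so a misconfigured "http://" origin can never silently downgrade the backhaul.
func backToOrigin(client *http.Client, originURL string) (string, error) {
	if !strings.HasPrefix(originURL, "https://") {
		return "", fmt.Errorf("refusing plaintext back-to-origin: %s", originURL)
	}
	resp, err := client.Get(originURL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// RunBackToOrigin starts a constructed loopback origin and exercises the four
// edge configurations described in the lead-in.
func RunBackToOrigin() (BackToOriginResult, error) {
	origin := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "origin page") // placeholder content
	}))
	defer origin.Close()

	var res BackToOriginResult

	// 1. "HTTP back-to-source": rejected before a single byte leaves the edge.
	plain := "http://" + strings.TrimPrefix(origin.URL, "https://")
	_, err := backToOrigin(http.DefaultClient, plain)
	res.PlainHTTPRejected = err != nil

	// 2. HTTPS, but the edge has no trust anchor for the origin's self-signed cert.
	noAnchor := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{}}}
	_, err = backToOrigin(noAnchor, origin.URL)
	res.UnverifiedFails = err != nil

	// 3. The weak fix: skip verification. Encrypted, but to whoever answers.
	skip := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}}
	_, err = backToOrigin(skip, origin.URL)
	res.SkipVerifyWorks = err == nil

	// 4. The right fix: pin the origin CA (here the self-signed cert itself).
	pool := x509.NewCertPool()
	pool.AddCert(origin.Certificate())
	verifying := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}}}
	body, err := backToOrigin(verifying, origin.URL)
	if err != nil {
		return res, err
	}
	res.VerifiedBody = body
	return res, nil
}

func main() {
	res, err := RunBackToOrigin()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

Configuration 3 is what "HTTPS back-to-source" often degrades into in practice, and it deserves the same suspicion as plain HTTP: the edge encrypts to whatever answers on port 443, so an attacker who can redirect the backhaul can still serve a tampered page. Only configuration 4 makes the CDN a verified relay rather than a trusting one.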

Driven by the major technology companies worldwide, encrypted HTTPS has gradually become the mainstream communication protocol on the Internet. In 2016, HTTPS acceleration will take off!
