Shulou(Shulou.com)06/02 Report--

1 preface

HTTPS plays a key role in protecting users' privacy and preventing traffic hijacking, but at the same time, HTTPS will also reduce the speed of user access and increase the consumption of computing resources on the website server.

This article mainly introduces the impact of https on user experience.

2 the concept and difference between HTTP and HTTPS

(1) HTTPS (full name: Hypertext Transfer Protocol over Secure Socket Layer) is a security-oriented HTTP channel, which is simply the secure version of HTTP. That is, the SSL layer is added under HTTP, and the security basis of HTTPS is SSL, so the details of encryption need SSL. It is a URI scheme (abstract identifier system), syntactic class is the same as http: system. For secure HTTP data transfer. Https:URL indicates that it uses HTTP, but HTTPS has a default port different from HTTP and an encryption / authentication layer (between HTTP and TCP). Originally developed by Netscape, the system provides authentication and encrypted communications, and now it is widely used in secure and sensitive communications on the World wide Web, such as transaction payments.

(2) Hypertext transfer Protocol (HTTP-Hypertext transfer protocol) is a data transfer protocol that specifies the rules of communication between browsers and World wide Web servers and transmits World wide Web documents over the Internet.

(3) for https protocol, you need to apply for a certificate from ca. Generally, there are few free certificates, and you need to pay a fee.

Http is a hypertext transfer protocol, information is plaintext transmission, and https is a secure ssl encrypted transmission protocol.

Http and https use completely different connections and different ports, the former being 80 and the latter 443.

The connection of http is very simple and stateless. HTTPS protocol is a network protocol built by SSL+HTTP protocol for encrypted transmission and identity authentication, which is more secure than http protocol.

3 influence of HTTPS on access speed

Before introducing the speed optimization strategy, let's take a look at the impact of HTTPS on speed. The impact mainly comes from two aspects:

The network RTT (round trip time) added by protocol interaction.

The computation related to encryption and decryption takes time.

Let's introduce each of them.

3.1 increased network time

Since both HTTP and HTTPS require DNS resolution, and DNS cache is used in most cases, the DNS resolution time of the primary domain name is ignored in order to highlight the comparison effect.

When a user accesses http://www.baidu.com( or www.baidu.com using the HTTP protocol, the interaction on the network takes time as follows:

Figure 1 time consuming of the network for the first request of HTTP

It can be seen that users only need to complete the TCP three-way handshake to establish a TCP connection to directly send HTTP requests to obtain application layer data. In addition, there is no need to consume computing resources in the whole access process.

Next, let's take a look at the access process of HTTPS. It is much more complicated than HTTP. In some scenarios, it is possible to add 7 RTT to access using HTTPS. As shown below:

Figure 2 impact of HTTPS first request on access speed

The network time required for the first HTTPS request is explained as follows:

1. Establish a TCP connection with a three-way handshake. It takes one RTT.

2. Use HTTP to initiate a GET request, and the server returns 302 to jump to https://www.baidu.com. A RTT and 302 jump delay are required.

A) in most cases, users will not manually enter https://www.baidu.com to access HTTPS, and the server can only return 302 to force the browser to jump to https.

B) it also takes time for the browser to process the 302 jump.

3. Re-establish the TCP connection with a three-way handshake. It takes one RTT.

A) after jumping to the HTTPS server, it is necessary to re-complete the three-way handshake and establish a TCP connection due to the different port and server.

4, TLS complete handshake stage 1. Takes at least one RTT.

A) this stage is mainly to complete the negotiation of the encryption suite and the identity authentication of the certificate.

B) the server and browser will negotiate the same key exchange algorithm, symmetric encryption algorithm, content consistency verification algorithm, certificate signature algorithm, elliptic curve (non-ECC algorithm is not required), and so on.

C) after obtaining the certificate, the browser needs to verify the validity of the certificate, such as whether it expires and whether it is revoked.

5. Parse the DNS of the CA site. It takes one RTT.

A) after the browser has obtained the certificate, it may need to initiate an OCSP or CRL request to query the certificate status.

B) the browser first obtains the CA domain name in the certificate.

C) if the cache is not hit, the browser needs to resolve the DNS of the CA domain name.

6. Establish a TCP connection to the CA site with a three-way handshake. It takes one RTT.

A) after DNS parses to IP, you need to complete the three-way handshake to establish a TCP connection.

7. Initiate an OCSP request and get the response. It takes one RTT.

8, complete handshake phase 2, which takes a RTT and computing time.

A) the second stage of complete handshake is mainly key negotiation.

9. After the complete handshake, the application layer (that is, HTTP) data transfer occurs between the browser and the server.

Of course, not every request requires seven additional RTT to complete the first HTTPS request interaction. Probably less than 0.01% of requests are likely to go through the above steps, and they need to meet the following conditions:

1, it must be the first request. That is, the first request initiated after the establishment of a TCP connection, and the above behavior does not need to occur for subsequent requests on the connection.

2. A full handshake must occur, and normally 80% of requests can achieve a simplified handshake.

3. The browser needs to enable the OCSP or CRL function. Chrome turns off ocsp by default, and both firefox and IE are enabled by default.

4, the browser missed the OCSP cache. The general update cycle of Ocsp is 7 days, and the query cycle of firefox is also 7 days, that is, ocsp queries occur only once in 7 days.

5. The browser missed the DNS cache of the CA site. The DNS of CA will be parsed only if the DNS cache is missed.

3.2 increase in calculation time

The previous section only briefly describes the pure network time that must be consumed on the critical path of HTTPS, excluding the calculation time that consumes CPU resources very much. In fact, the calculation time is not small (above 30ms). Let's introduce it from the perspective of browser and server:

1. Browser calculation takes time

A) check the signature of the RSA certificate. The browser needs to decrypt the signature and calculate the hash value of the certificate. If there is more than one certificate chain, the browser needs to verify multiple certificates.

B) for RSA key exchange, you need to use the certificate public key to encrypt premaster. It takes less time, but if the performance of the phone is poor, it may also take 1ms time.

C) in ECC key exchange, the public and private keys of the elliptic curve need to be calculated.

D) when exchanging ECC keys, you need to use certificate public key decryption to obtain the ECC public key sent by the server.

E) in ECC key exchange, the master key needs to be calculated according to the server public key.

F) symmetrical encryption and decryption of application layer data.

G) Application layer data consistency check.

2. Server computing takes time

A) for RSA key exchange, you need to use the certificate private key to decrypt premaster. This process consumes very much performance.

B) in ECC key exchange, the public and private keys of the elliptic curve need to be calculated.

C) for ECC key exchange, the public key of ECC needs to be encrypted with the certificate private key.

D) in ECC key exchange, the shared master key needs to be calculated according to the browser public key.

E) symmetrical encryption and decryption of application layer data.

F) Application layer data consistency check.

Because there are many kinds of CPU and operating systems on the client side, the computing time can not be generalized. HTTPS computing on mobile phones consumes more performance, and the latency of computing alone is at least above 50ms. The PC side will also increase the calculation delay at least above 10ms.

The performance of the server is generally strong, but because the length of the private key of the RSA certificate is much longer than that of the client, the computing delay of the server will also be higher than 5ms.

4. Advantages and disadvantages of HTTP and HTTPS: 4.1 advantages of HTTPS:

Security aspect

In the current technical context, HTTPS is the most secure solution under the current architecture, with the following main benefits:

1. Use HTTPS protocol to authenticate users and servers to ensure that data is sent to the correct clients and servers

2. HTTPS protocol is a network protocol constructed by SSL+HTTP protocol for encrypted transmission and identity authentication, which is more secure than http protocol. It can prevent data from being stolen and changed in the process of transmission, and ensure the integrity of data.

3. HTTPS is the most secure solution under the current architecture. Although it is not absolutely secure, it greatly increases the cost of man-in-the-middle attacks.

4.2 disadvantages of HTTPS:

Technical aspect

1. In the same network environment, HTTPS protocol will increase the loading time of pages by nearly 50% and increase power consumption by 10% to 20%. In addition, the HTTPS protocol also affects the cache, increasing data overhead and power consumption.

2. The security of HTTPS protocol has a scope, and it can hardly play a role in hacker attacks, denial of service attacks, server hijacking and so on.

3. The most important thing is that the credit chain system of SSL certificate is not safe. Man-in-the-middle attacks are also feasible, especially when some countries can control the CA root certificate.

Cost aspect

1. The professional certificate of SSL needs to be purchased. The more powerful the certificate, the higher the fee. Personal websites and small websites can choose an entry-level free certificate.

2. SSL certificates usually need to be bound with a fixed IP. Adding a fixed IP to the server will increase the cost.

3. The resource consumption of HTTPS connection server is higher and higher, which will increase the bandwidth and server input cost under the same load.

Since HTTPS has so many shortcomings, it should not be done, of course not, with the development of technology, many shortcomings can be optimized and remedied. For example:

The problem of opening speed can be solved through CDN acceleration, and many IDC are also launching free certificates and one-stop HTTPS building services. The cost of HTTPS will be greatly reduced in the future!

Are we going to be HTTPS or not?

The survey found that most people have a wait-and-see attitude towards HTTPS, and they agree with HTTPS security, but after considering it at all levels, they have made the decision not to do HTTPS website at present, mainly from the following two points of view:

Square point of view

1. HTTPS has better encryption performance to avoid the disclosure of user information.

2. HTTPS's complex transmission mode to reduce the risk of website hijacking.

3. Search engines have fully supported HTTPS crawling and inclusion, and will give priority to displaying HTTPS results.

4. From a security point of view, I think it is necessary to do HTTPS, but HTTPS can be displayed after login.

5. HTTPS green lock indicates that it can enhance users' trust in the website.

6. The basic cost can be controlled, and the certificate and server already have a formed support scheme.

7. Website loading speed can be compensated by cdn and other methods, but security cannot be ignored.

8. HTTPS is the development trend of the network, which should be done sooner or later.

9. It can effectively prevent copycat and mirror websites.

Opposing point of view

1. HTTPS will slow down the access speed of users and increase the consumption of computing resources on the website server.

2. At present, search engines only include a small part of HTTPS content, so we should keep the wait-and-see system.

3. HTTPS needs to apply for encryption protocol, which increases the operating cost.

4. At present, Baidu's priority display effect on HTTPS is not obvious, while Google is more obvious.

5. The technical threshold is high and there is no way to start.

6. Currently, the site does not involve private information and does not need HTTPS.

7. Compatibility needs to be improved, such as robots does not support / alliance advertising does not support, etc.

8. The security of HTTPS website is limited, whether it should be hacked or hacked.

9. HTTPS maintenance is troublesome. When search engines support HTTP, there is no need to do HTTPS.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.