Let’s talk about the technical challenges of full-site HTTPS


The article I wrote recently discussed data transmission security, and its last part mentioned HTTPS as the solution. That raises a new question: what technical problems will we run into when rolling HTTPS out across the whole site? So today, let's add up the technical costs together.


Preparation

  1. Purchase a certificate. A site served over HTTPS needs a certificate, which is still fairly cumbersome and costs money for a small company. It must come from a certificate authority that mainstream browsers trust; otherwise a browser such as Chrome greets visitors with a full-page warning that there is a problem with the certificate.
  2. Every resource on the page must be loaded over https, including images, JavaScript, forms and so on; otherwise the browser reports mixed content.
  3. Make sure every CDN node in use supports HTTPS. If you run your own IDC, every IDC and CDN node across the country, or even the world, must be covered. Common ways for a CDN to serve https are:
     - The site owner hands the private key to the CDN, and the CDN fetches from the origin over HTTP.
     - The CDN uses its own public domain name and public certificate, so the resource domain cannot be customised; origin fetches again use HTTP.
     - The CDN provides dynamic acceleration only, acting as a TCP proxy without caching content.
  4. All development and test environments must be upgraded to https, so that every tier of environment runs the same network protocol.
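Preparation step 2 is the one most often missed in practice, because a single plain-http `<img>` or `<form action>` left in a template is enough to trigger the browser's mixed-content warning. The following scanner is an added example, not code from the original article: it walks an HTML document with the standard-library parser and reports every sub-resource or form that is fetched over an explicit `http:` scheme. Protocol-relative (`//host/...`) and relative URLs inherit https from the page, and `<a href>` links are navigation rather than mixed content, so neither is flagged. The sample page and its hostnames are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that load sub-resources (scripts, styles, images,
# frames, media) or submit data (forms). Plain <a href> links are navigation,
# not mixed content, so they are deliberately left out.
RESOURCE_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src", "srcset"),
    "source": ("src", "srcset"),
    "iframe": ("src",),
    "frame": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "object": ("data",),
    "embed": ("src",),
    "form": ("action",),
}


def _urls_in(attr, value):
    """Split a srcset into its candidate URLs; every other attribute holds one URL."""
    if attr == "srcset":
        return [cand.strip().split()[0] for cand in value.split(",") if cand.strip()]
    return [value.strip()]


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url) for every plain-http reference

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag.lower())
        if not wanted:
            return
        for attr, value in attrs:
            if attr.lower() in wanted and value:
                for url in _urls_in(attr.lower(), value):
                    # Protocol-relative and relative URLs inherit https from the
                    # page, so only an explicit http: scheme is mixed content.
                    if urlsplit(url).scheme.lower() == "http":
                        self.findings.append((tag.lower(), attr.lower(), url))


def find_mixed_content(html):
    """Return a list of (tag, attribute, url) triples loaded over plain http."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: two assets, one srcset candidate and one form
# still point at http, while the script, the //-relative logo and the
# navigation link are fine.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="https://cdn.example.test/app.js"></script>
</head><body>
<img src="//cdn.example.test/logo.png">
<img src="http://img.example.test/banner.jpg"
     srcset="http://img.example.test/b-2x.jpg 2x, https://img.example.test/b-3x.jpg 3x">
<form action="http://api.example.test/login" method="post"></form>
<a href="http://example.test/about">About</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}> {url}")
```

Run it over each rendered template (or a crawl of the staging site from step 4) before the switch; anything it prints is a warning waiting to happen in production.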

Performance Challenges

After making the above technical preparations, we must also be aware of the performance issues that come with implementing HTTPS:

1. Network time increases. Simply put, the TLS handshake adds extra round trips, so network time gets longer, and users who arrive over http also pay for the redirect to https.

Optimisations exist for this, such as Session tickets or a Session Cache, but each has its own advantages and disadvantages.

2. Computation time increases, so stronger machines are needed: https requires additional RSA computation during the handshake.

The main ways to optimise this are to use the latest OpenSSL release, use hardware acceleration, prefer ECC keys, and so on.

Security Challenges

In this area, the common security risks are downgrade attacks and renegotiation attacks.

In the former, the attacker forges or modifies the "client hello" message so that client and server complete the connection with a relatively weak cipher suite or protocol version. In a renegotiation attack, the attacker exploits the weak algorithm negotiated in this way to try to steal the transmitted content, and can also keep initiating full handshakes, forcing the server into expensive computation and causing denial of service.

Of course, thanks to the efforts of infrastructure vendors and cloud vendors, ordinary business users like us rarely need to deal with protocol-layer security ourselves. I raise the issue here to make one point clear: security can never be taken lightly.

Final Thoughts

Switching to HTTPS is an inevitable trend. I believe more and more sites will join in, and once the switch is complete it brings us huge benefits. For a technical team, the job before implementation is to weigh the technical costs behind it, build up the corresponding technical reserves, and plan the production cut-over from HTTP to HTTPS so that nothing is left to chance.
