Baidu Full-site HTTPS FAQ: Technology house tells you how to search more secure

Baidu since 14 began to open up the access to HTTPS, and at the beginning of March formally to the entire network users HTTPS jump.

You may ask, switch on the switch Bai, and I have what relationship? I usually use Baidu still not as usual entreat, did not feel what switch.

In other words, we usually breathe air also shun Shunliu slip, no feeling, but if there is no air, it will not be happy life. The importance of HTTPS for Internet security is just like the importance of air to our human beings. Baidu after the entire station switch to HTTPS, we can be happy to search, happy Internet.

HTTPS is how to achieve let us more secure, let Baidu technology house to a depth secret:
What is the problem 1:https? Do I have to use HTTPS?

HTTPS is an HTTP over SSL (secure Socket Layer), which is simply the secure version of HTTP, which guarantees the security of the transmission process by transmitting encryption and authentication on the basis of HTTP. Most of the websites you visit are HTTP, and the simplest way to do this is to see if the URLs start with or https://.

The following are some of the effects of chrome,firefox,ie10 when using HTTPS.

Notice the green part of the picture, and we'll talk about it later.

To learn more about HTTPS, you can read the HTTPS practice of large Web sites (i) –HTTPS protocols and principles
Question 2:https Why is it safer than HTTP? Does HTTPS encryption require me to install a certificate/Save password on my computer?

HTTP without "s" is not secure, primarily because it transmits plaintext content and does not authenticate both sides of the transmission. You can see the contents of the transmission and even modify it in any part of the data transfer path. For example, an article "What do I do after I attack the girl next door", a lot of the attacks are done by analyzing the contents of HTTP. And in real life, you are likely to divulge your forum Premium membership account/password, game VIP account/password, privacy chat content, mail, online shopping information, and so on. It is too horrible to have wood there!

HTTPS is safe because he uses the SSL/TLS protocol to transmit. For a simple example, the American army found that the code was often tapped and cracked by Japan, and recruited 29 Indiana Wachow as Yidian, because the language was only understood by their people. Even if the Japanese eavesdrop on the message, but can not understand the content is useless, want to forge a command also do not know, modify some content, the Indians looked, will certainly say (Shen) not (Me) understand (GUI). See here, you must have found that this is based on both sides have the understanding of the language (encryption and decryption rules) of the people, then I need to install what key or certificate on my computer? General situation as ordinary users do not consider these, we have operating systems, browsers, mathematicians, security and network engineers and so on, to help you have done, rest assured that the browser to open the good.

If you are really curious, want to know how to encrypt the two sides without the same key, you can search under "Public key Encryption" (asymmetric Encryption), "RSA", "DH Key Exchange", "SSL Principle" "Digital certificate" and other keywords.

A friend will think, is not encryption, I can break the WiFi password, find a tool minutes on the cracked. This is not the right idea, although there is no absolute security, but can greatly increase the cost of the crack, HTTPS is currently using the encryption method is a huge amount of computing (according to the computing power of the current computer) can be cracked, you will use the world's strongest supercomputer spent 100 years (just a metaphor) to decrypt , look at what the king of the next door searched for on Baidu 100 years ago.


Question 3: Why does Baidu have to be on HTTPS?

We handle user complaints every day, such as:

page appears white page/Some strange things appear

Returned 403 of pages

No search.

Search URL with a small tail, the page will always flash several times

Page pop-up ads

Search for a car, someone called me to sell 4s stores and insurance.

...

All kinds of strange situations have met please raise your hand.

Check to find out, a large part of the reason is that some bad people in the transmission of data in the process of modifying Baidu's page content, tapping the user's search content. Quietly tell you, HTTPS is able to solve such problems of technology oh, quickly change the browser homepage to https://www.baidu.com Bar.

From the direction, HTTPS is also the trend of the future, the current use of HTTP or 1.1/1.0 version of the new version of the HTTP2.0 has been released. The standard involves cryptographic specifications, although not enforced in the standard, but there are already many browser implementations claiming that they will only support HTTP2.0 (https://http2.github.io/faq/#does-http2-require-encryption) based on encrypted connections.


Problem 4:https Not just add an S behind HTTP, is it difficult?



Difficult, but not difficult.

It contains certificates, offload, traffic forwarding, load balancing, page adaptation, browser adaptation, refer delivery, and more. I certainly don't have enough fingers to count.

For an ultra-small personal site, technical residence 1 days can be done from the application certificate to the completion of the transformation. If it is built from scratch, it will be easier.

But for Baidu search this big fat paper, can be difficult.

1 It wasn't designed for HTTPS at first.

2 rich content (the content itself manifests many forms: the picture, the video, Flash,form and so on), the kind is rich (on the page except the natural result, has the video, the picture, the map, the bar paste, the encyclopedia, the third party's content, the app and so on).

3 data sources are complex, with dozens of internal product lines, hundreds of domain names, and thousands of developer content

400 degrees in the country, and even the world has a lot of IDC and CDN nodes, have to be covered.

5 still can not slow down the speed of Baidu (domestic use of HTTPS bank, online trading site, have you felt very slow?) )

6 HTTPS on the original is for a better experience, can not lead to the use of instability.

...

For more details, you can read the HTTPS practice of large Web sites (iv) – Practices beyond the Protocol layer [1]

Google has spent 1-2 years deploying HTTPS, and it took 3 months to upgrade the certificate from 1024 to 2048 in 13. Baidu also last year opened the entrance and small flow, but this year in March to carry out the full volume, you can imagine the overall complexity.


Question 5: How to look at Baidu search support full station HTTPS?

Several large foreign sites are HTTPS, which is the trend of the Internet in the future (interested students can search under ' HTTP/2 ').

For Baidu itself, HTTPS can protect the user experience, reduce the hijacking/privacy leak to the user's harm.

Many people will have doubts, I have not been hijacked, Baidu on the role of HTTPS, but let me slow down some. From our first-hand data can be seen, the impact of hijacking is growing, in the legal system is not a sound environment, it is regarded as an industry, many companies to its livelihood, many of the entrepreneurial team also got the VC. When it really hurts you, you may ask us why we don't do something. So, we prefer to face it earlier.

HTTPS in the domestic large-scale site is currently only used in part of the account landing and payment links. Baidu is also the country's first full-site HTTPS large site, its users are very many, traffic is also very large. Baidu can be on-line HTTPS will dispel everyone's doubts, the other domestic site is a good demonstration, this leading role will significantly accelerate the process of domestic internet HTTPS, help China's Internet network security construction. Baidu as a search engine, is the flow of the entrance and distribution channels, follow-up if the site content of HTTPS crawl, mark, weighted value tilt, then more can guide the Internet site to HTTPS migration.


Is the problem 6:https slow?

Heavy computations and multiple interactions naturally affect the access speed of HTTPS. If any optimizations are not done, HTTPS will be significantly slower. Baidu has done a lot of speed optimization under the conditions, if the site itself has done the conventional optimization, but not for HTTPS optimization, in this case we measured the result is 0.2-0.4 seconds time-consuming increase. If there is no optimized site, slow 1 seconds is not a dream. As for the slow now, we have experienced so many days, have feelings?

Answer: A slow death, what are you doing? B Some slow ah C is OK, basically no sense D what, I have used https?

Did you choose C or D? Hello, the one who chose a you open the other site slow, not before on the HTTPS time slow ... The Old king next door is rubbing your net.

So, not slow, is not optimized.


Problem 7:https consumption performance?

The answer is, the handshake, the time to build a good connection after the less consumption. Depending on the current encryption strength calculation cost, the server support handshake performance will be reduced by 6-8 times, but if the connection is established, the server will almost be able to hold the network card full of HTTPS traffic. So the enhancement of the connection multiplexing rate and the optimization of computational performance are the key points. Can read the HTTPS practice of large Web sites (iii) – Protocol and configuration based optimization


Question 8: What is the hijacking?

Your computer, the DNS you set up, your browser, the network you use, are likely to be hijacked.

Simple and introduce how the carrier's content hijacking is carried out, the operator will analyze your network request, it can be before the site back to the package, you can also modify the contents of the packet. So it allows you to jump once, add a small tail on the URL, you can also pop up the ads on the page you visit.

Interested, you can also use this article to see how your computer was the LSP hijacked "dark cloud Trojan"


Does the problem 9:https solve all hijacking problems?

As the saying goes, there is a beginning, we say the article began to say the green mark on the browser. It marks the level of trust that this secure connection can have. Green is usually good, and yellow is a source of unsafe information, such as HTTP loading on HTTPS pages, so that HTTP resources are at risk of being hijacked.

In fact, the client, LAN risk is also very large, malicious plug-ins, Trojans can do a lot of things, you use the router, DNS is also relatively fragile. If a large website is marked red, then you have to be more careful (or maybe a monkey forgot to renew the certificate, causing the certificate to expire), you may have suffered an SSL hijack (one of the man-in-the-middle attacks), especially when prompted (access to some of your own signature site will also have a similar hint). There are other types of man-in-the-middle attacks, such as proxies for your traffic to degrade HTTP, you can also use the injection root certificate, you can make your browser or green mark, you are afraid of fear?

Still, there is no absolute security, but we can minimize the risk.

HTTPS is able to guarantee the security of Internet access in most cases, which is what we can do now.

Baidu Full-site HTTPS FAQ: Technology house tells you how to search more secure