HTTPS practices for large websites (I): HTTPS protocol and principles

Source: Internet
Author: User
Tags: ssl certificate

1 Preface

Baidu recently launched full-site HTTPS secure search; by default, HTTP requests are now redirected to HTTPS. This article focuses on the HTTPS protocol itself and briefly explains why deploying HTTPS across a whole site matters.


2 HTTPS protocol overview

HTTPS can be thought of as HTTP + TLS. HTTP is in very wide use; most web applications and websites still transmit over plain HTTP.

Transport Layer Security (TLS) is an encryption protocol that sits on top of the transport layer. Its predecessor is the SSL protocol, first published by Netscape in 1995; after discussion and standardization by the IETF it was renamed TLS in 1999. Unless otherwise specified, SSL and TLS refer to the same protocol in this article.

The position of HTTP and TLS on the protocol layer and the composition of the TLS Protocol are as follows:

Figure 1 TLS Protocol format

The TLS protocol consists of five sub-protocols: the application data protocol, the handshake protocol, the alert protocol, the change cipher spec protocol, and the heartbeat protocol.

All of these are carried by the TLS record protocol. The format of a record is shown on the right-hand side of the figure: a content type, a protocol version, a length, and then the fragment itself.

The HTTP version in common use today is HTTP/1.1. The TLS versions in common use are TLS 1.2, TLS 1.1, TLS 1.0, and SSL 3.0. SSL 3.0 has been proved insecure by the POODLE attack; statistics show that fewer than 1% of browsers still use it. TLS 1.0 also has known weaknesses, such as the RC4 and BEAST attacks.

TLS 1.2 and TLS 1.1 have no publicly known protocol-level vulnerabilities at the time of writing. They are comparatively secure and come with a large number of extensions that improve speed and performance, so we recommend using them.

One thing to note is that TLS 1.3 will be a very significant reform of the TLS protocol: both security and user access speed are expected to improve substantially. However, there is no clear release date yet.

At the same time, HTTP/2 has been finalized. Evolved from the SPDY protocol, it is a major change from HTTP/1.1 and can significantly improve data transmission efficiency at the application layer.
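As an added illustration (not code from the original article), here is a small Python parser for the record-layer header described above. It splits a byte stream into records, labels each by its content type and version field, and flags records whose version field is one the article calls insecure (SSL 3.0, TLS 1.0). The sample bytes are constructed for the example, not a real capture.

```python
import struct
from typing import NamedTuple

# Record-layer content types, one per TLS sub-protocol named above
# (RFC 5246 section 6.2.1; heartbeat comes from RFC 6520).
CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
    24: "heartbeat",
}

# Record-layer version field (major, minor) -> protocol name
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

# Versions the article describes as having known attacks (POODLE, BEAST, RC4)
DEPRECATED = {"SSL 3.0", "TLS 1.0"}

class TlsRecord(NamedTuple):
    content_type: str
    version: str
    payload: bytes
    deprecated: bool

def parse_records(data: bytes) -> list:
    """Split a byte stream into TLS records: a 5-byte header plus fragment each."""
    records, offset = [], 0
    while offset + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[offset:offset + 5])
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype} at offset {offset}")
        if length > 2 ** 14 + 2048:  # RFC 5246 limit on an encrypted fragment
            raise ValueError("record length exceeds the TLS maximum")
        body = data[offset + 5:offset + 5 + length]
        if len(body) < length:
            raise ValueError(f"truncated record at offset {offset}")
        version = VERSIONS.get((major, minor), f"unknown {major}.{minor}")
        records.append(TlsRecord(CONTENT_TYPES[ctype], version, body, version in DEPRECATED))
        offset += 5 + length
    if offset != len(data):
        raise ValueError("trailing bytes do not form a complete record header")
    return records

# Constructed sample (not a real capture): a TLS 1.2 alert record carrying
# close_notify, followed by an SSL 3.0 handshake record with a 4-byte fragment.
SAMPLE = bytes.fromhex("15 03 03 00 02 01 00" + "16 03 00 00 04 01 00 00 00")
```

Running `parse_records(SAMPLE)` yields two records; the second is flagged as deprecated because its version field says SSL 3.0.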


3 HTTPS features

Baidu uses HTTPS to protect user privacy and to prevent traffic hijacking.

HTTP itself transmits everything in plain text, with no security processing at all. For example, if a user searches Baidu for a keyword such as "Apple mobile phone", any intermediary can read that query in full and might later call to harass the user. Some users have complained that when using Baidu they saw a large advertisement on the homepage or results page; such advertisements are content inserted into the page by an intermediary. If the hijacking is done badly, users cannot even reach Baidu at all.

The intermediary mentioned here mainly refers to network nodes that user data must pass through on its way between the browser and Baidu's servers, such as Wi-Fi hotspots, routers, firewalls, reverse proxies, and cache servers.

Under plain HTTP, an intermediary can sniff users' search content, steal private data, or even tamper with web pages. HTTPS is the nemesis of these hijacking techniques and can defend against them completely and effectively.

In general, the HTTPS protocol provides three powerful functions to combat the above hijacking:

1. Content encryption. The content transmitted between the browser and Baidu's servers is encrypted, so an intermediary cannot read the original content directly.

2. Identity authentication. The user is assured of really talking to Baidu's servers. Even if DNS is hijacked to a third-party site, the browser warns the user that the site is not Baidu and that the connection may have been hijacked.

3. Data integrity. Content cannot be forged or tampered with by a third party in transit.

So how does HTTPS achieve the above three points? The following describes the principles.
