HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) is an HTTP channel aimed at security; simply put, it is the secure version of HTTP, that is, HTTP with an SSL layer added. The security foundation of HTTPS is SSL, so the details of encryption are handled by SSL.
HTTPS uses a default port that differs from HTTP's and adds an encryption/authentication layer between HTTP and TCP. This system provides authenticated and encrypted communication. It is now widely used for security-sensitive communication on the World Wide Web, such as transaction payments. In traditional HTTP mode there are many gray links and the related information is easy to steal; with HTTPS, the user and the server authenticate each other, and the data sent between client and server is encrypted to prevent theft in transit, greatly reducing the risk of third parties stealing information, tampering with data or impersonating identities.
Issues with HTTPS access
There is usually a trade-off: while HTTPS increases the security of a site, it also increases the time users spend visiting the site and the server's performance consumption. Let's look at some of the problems HTTPS faces.
- HTTPS requires multiple handshakes, which reduces user access speed to some extent
- After a site switches to HTTPS, the jump from HTTP to HTTPS increases user access time (most sites use 301 or 302 redirects)
- HTTPS involves security algorithms that consume CPU resources and require a large number of additional machines (HTTPS access needs to be decrypted)
- SSL certificates are expensive, and deploying, updating and maintaining them on servers is very cumbersome
Pat Cloud has continuously optimized HTTPS performance and is committed to making HTTPS data transfer faster. Its HTTPS optimization now supports the following features: HTTP/2 + Server Push, TLS 1.3 + minimum TLS version control, HSTS, ChaCha20-Poly1305, TLS record size tuning, OCSP stapling, etc. These features greatly increase HTTPS transmission speed and improve the user's access experience.
Continuous optimization to make HTTPS faster and more secure
To enable HTTPS to achieve faster data transmission and a more secure transmission process, Pat Cloud spares no effort in optimizing it. Here is a look at what these new features actually bring to HTTPS.
HTTP/2 + Server Push
HTTP/2 is Hypertext Transfer Protocol version 2.0, the next-generation HTTP protocol. It was developed by the Hypertext Transfer Protocol Bis (httpbis) Working Group of the Internet Engineering Task Force (IETF), with SPDY as its prototype, and was finalized after more than two years of discussion and refinement.
The advantages of HTTP/2 are as follows:
- HTTP/2 transmits data in binary format, which brings more advantages and possibilities for protocol parsing and optimization extensions.
- HTTP/2 uses HPACK to compress message headers, saving the network traffic that headers occupy.
- Multiplexing: simply stated, all requests can be completed concurrently over a single TCP connection.
- Server push: the server side can push resources to the client faster.
Among these, Server Push is a new technique introduced in the HTTP/2 specification: the server can "push" some website resources to the client (browser) without the client explicitly requesting them, which greatly improves page access.
Pat Cloud CDN currently supports HTTP/2 across the whole platform, and it is turned on by default. Because HTTP/2 is implemented on top of the HTTPS protocol, any domain name using the Pat Cloud HTTPS acceleration service enjoys HTTP/2 service for free, with no special configuration required.
Server Push configuration path: log in to the CDN console and go to Service Management > Feature configuration > HTTPS > HTTP/2, then click the "Manage" button to start configuring. In the configuration, "match path" is required and "push resource" is optional.
TLS 1.3 + minimum TLS version control
TLS 1.3 is the latest, fastest and most secure version of the TLS protocol, and adds a number of new features compared to previous versions. By simplifying the SSL handshake, it increases connection speed and reduces latency. It also improves the performance, efficiency and security of user access by removing cryptographic algorithms with known security vulnerabilities.
[Figure: TLS 1.2 handshake process]
[Figure: TLS 1.3 handshake process]
As the figures show, the TLS 1.2 protocol requires cipher suite negotiation, key exchange, a ChangeCipherSpec notification and other steps, consuming 2 RTTs of handshake time, which is one of the main reasons HTTPS is slow. In TLS 1.3, the client not only sends the list of supported cipher suites in its ClientHello, but also guesses which key agreement algorithm the server will choose and sends a key share along with it, so the first handshake requires only 1 RTT, which improves speed. In addition, TLS 1.3 has the following new features:
- Removal of RSA key exchange, which does not provide forward secrecy, and of the DH key exchange algorithm affected by the CVE-2016-0701 vulnerability;
- Only AEAD algorithms are used for message authentication (MAC);
- Insecure algorithms such as RC4 and SHA-1 are disabled;
- Handshake messages are encrypted;
- Round-trip delay (RTT) is reduced, with 0-RTT supported;
- Compatible with middleboxes that only understand TLS 1.2.
In addition, as encryption standards are upgraded, TLS 1.0/1.1 will gradually be disabled across the whole industry. The industry is currently in the transition period in which TLS 1.2 replaces TLS 1.0/1.1, and in 2018 more and more Internet security enterprises will enable TLS 1.2. Pat Cloud CDN can flexibly configure the minimum TLS protocol version used by a website to improve its security. The higher the protocol version you choose, the more secure it is, but the fewer browsers are supported and the more likely end-user access is affected, so choose the configuration carefully.
TLS 1.3 and minimum TLS version configuration path: CDN → Feature configuration → HTTPS → TLS 1.3 / Minimum TLS version
HSTS
HSTS (HTTP Strict Transport Security), once enabled, ensures that the browser always connects to the HTTPS version of the site, without the user having to type https:// into the address bar. Enabling HSTS removes the user latency of the 301/302 redirect and effectively protects the website's and users' data security.
HSTS configuration path: log in to the Pat Cloud CDN console and go to Service > Feature configuration > HTTPS > HSTS, then click Manage to start configuring.
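As an added example that is not part of the original article or Pat Cloud's code, here is how a browser applies an HSTS header to skip the 301/302 redirect described above: it parses Strict-Transport-Security (RFC 6797) into a cached policy and rewrites later http:// navigations to https:// locally. Host names, header values and timestamps are constructed for illustration.

```python
"""Added example (not the article's or Pat Cloud's code): a browser-side HSTS cache.
It parses the Strict-Transport-Security header (RFC 6797), then rewrites later http://
navigations to https:// locally, with no 301/302 round trip. Values are constructed."""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

Policy = Tuple[float, bool]  # (absolute expiry time in seconds, includeSubDomains)


def parse_hsts(header: str, now: float) -> Optional[Policy]:
    """Parse 'max-age=31536000; includeSubDomains'; None means ignore the header."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None  # duplicate or non-numeric max-age invalidates the header
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        # other directives (e.g. preload) are ignored by the browser, per the RFC
    return None if max_age is None else (now + max_age, include_sub)


class HstsStore:
    def __init__(self) -> None:
        self.policies: Dict[str, Policy] = {}  # keyed by host name

    def process_response(self, host: str, header: str, now: float) -> None:
        # A real browser only honours the header when it arrived over valid TLS.
        policy = parse_hsts(header, now)
        if policy is None:
            return
        if policy[0] <= now:
            self.policies.pop(host.lower(), None)  # max-age=0 deletes the entry
        else:
            self.policies[host.lower()] = policy

    def upgrade(self, url: str, now: float) -> str:
        """Return the URL the browser will actually fetch for a navigation."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        host = parts.hostname.lower()
        labels = host.split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            policy = self.policies.get(".".join(labels[i:]))
            if policy and policy[0] > now and (i == 0 or policy[1]):
                netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
                return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url
```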
ChaCha20-Poly1305: the HTTPS symmetric cipher suite for mobile
ChaCha20-Poly1305 is a new stream cipher suite designed specifically for mobile CPU optimization, with about a 3x performance improvement over common algorithms, especially on ARM platforms, whose CPUs use a reduced instruction set (the effect is more pronounced before ARMv8). ChaCha20 is the symmetric encryption algorithm and Poly1305 is the message authentication algorithm. ChaCha20-Poly1305 is streamlined, highly secure and highly compatible; it reduces the overhead of encryption and decryption, which improves the user experience, reduces waiting time and saves battery life.
Pat Cloud CDN fully supports the mobile-optimized cipher suite launched by Google, ChaCha20-Poly1305. All users get its faster encryption and decryption, reduced page load time, longer battery life and other advantages. Pat Cloud CDN supports ChaCha20-Poly1305 by default, and this algorithm is preferred as the symmetric encryption algorithm for terminals that do not support AES-NI.
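As an added example that is not Pat Cloud's code, here is the server-side decision behind "prefer ChaCha20-Poly1305 for terminals without AES-NI": the server normally prefers AES-GCM, but a client that lists ChaCha20-Poly1305 first (what a phone without AES hardware does) gets ChaCha20, the same policy as OpenSSL's SSL_OP_PRIORITIZE_CHACHA. The suite lists are constructed for illustration using TLS 1.3 suite names.

```python
"""Added example (not Pat Cloud's code): how a TLS server chooses between AES-GCM and
ChaCha20-Poly1305. The server prefers AES-GCM (it has AES-NI), but honours a client
that ranks ChaCha20-Poly1305 first, as clients without AES hardware do; this mirrors
OpenSSL's SSL_OP_PRIORITIZE_CHACHA. Suite lists are constructed for illustration."""
from typing import List, Optional

CHACHA = "TLS_CHACHA20_POLY1305_SHA256"
AES128 = "TLS_AES_128_GCM_SHA256"
AES256 = "TLS_AES_256_GCM_SHA384"

# Server preference order: AES-GCM first. Anything not listed here (RC4,
# SHA-1 based suites, ...) is never negotiated, whatever the client offers.
SERVER_PREFERENCE = [AES128, AES256, CHACHA]


def client_preference(has_aes_hardware: bool) -> List[str]:
    """What a client advertises in ClientHello: the cipher fastest on its CPU first."""
    return [AES128, AES256, CHACHA] if has_aes_hardware else [CHACHA, AES128, AES256]


def select_cipher(client_suites: List[str],
                  server_prefs: List[str] = SERVER_PREFERENCE,
                  prioritize_chacha: bool = True) -> Optional[str]:
    """Return the suite the server puts in ServerHello, or None to abort the handshake."""
    prefs = list(server_prefs)
    # The client's signal: ChaCha20 at the top of its list means "no AES acceleration".
    if prioritize_chacha and client_suites and client_suites[0] == CHACHA and CHACHA in prefs:
        prefs.remove(CHACHA)
        prefs.insert(0, CHACHA)
    for suite in prefs:  # otherwise the server's own preference order wins
        if suite in client_suites:
            return suite
    return None  # no common suite: the server answers with a handshake_failure alert
```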
A bonus: free SSL certificates + self-service configuration
As for the expensive SSL certificates and the cumbersome purchase and configuration mentioned above, Pat Cloud has a solution for that too. In cooperation with Symantec, GeoTrust, TrustAsia and Let's Encrypt, Pat Cloud launched a one-stop service for applying for and managing paid and free SSL certificates: no complicated process, one-click application and self-service deployment make it easy to deploy HTTPS encryption for websites and web applications.
Finally, as you can see, Pat Cloud has put a lot of effort into optimizing HTTPS access and has implemented a variety of optimizations so that users get a smoother, better experience. If your website has not turned on HTTPS yet, do not hesitate to deploy it and catch up with the era of whole-network encryption. Article reposted from: https://zhuanlan.zhihu.com/p/42763471
It is not HTTPS that slows down websites; the optimization simply was not good enough.