Worried about data leakage? Get to know this network security guide!

In recent years the Internet has been changing dramatically. In particular, the HTTP protocol we have long been accustomed to is gradually being replaced by HTTPS. Through the joint efforts of browsers, search engines, CAs and large Internet companies, the Internet has entered a new era of "HTTPS encryption across the whole network". Corporate sites are now fully switching to HTTPS, and even personal blogs, apps listed on the Apple App Store and WeChat mini programs have enabled site-wide HTTPS. HTTPS will replace HTTP as the mainstream transport protocol in the next few years.

HTTP's high security risk

The defining characteristic of HTTP is that it transmits in cleartext: any data sent over HTTP is unencrypted, and anyone on the path can see the data in transit. Cleartext HTTP makes page hijacking, page tampering, data leakage, trojan implantation and other hacker activity convenient, so the risk of user privacy being disclosed is very high.

Several common, more harmful forms of man-in-the-middle content hijacking are as follows:

1. Obtaining wireless users' phone numbers and search content, then privately harassing those users with telephone advertising.

2. Obtaining users' account cookies and stealing useful account information.

3. Injecting third-party content, such as advertisements, phishing links and trojans, into the site content returned to the user.

What is HTTPS encryption?

HTTPS (Hypertext Transfer Protocol Secure) is the secure hypertext transfer protocol. It was developed by Netscape and built into its browser, where it is used to encrypt and decrypt data and to return the results sent back over the network. Put simply, it is the secure version of HTTP: an SSL layer is added beneath HTTP, and request data is encrypted in that SSL layer. HTTPS is the secure communication mode HTTP + SSL/TLS, i.e. all HTTP traffic is carried over a TLS-encrypted connection.

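HTTPS provides three major functions: content encryption, identity authentication and data integrity. Its purpose is to encrypt data so that it can be transmitted securely. Specifically:

First, data confidentiality. It ensures that third parties cannot see the content during transmission.

Second, data integrity. Tampering with the transmitted content by a third party is detected promptly.

Third, identity authentication. The server's real identity is authenticated, ensuring that data arrives at the destination the user intended.

HTTPS's chain of trust is based on certificate authorities (CAs) pre-installed in the browser. Browsers ship with the root certificates of a number of CAs built in, and a browser trusts only certificates issued by a trusted CA.

What are the benefits of deploying HTTPS?

① Better search ranking: HTTPS sites perform better in search engine rankings. Google and Baidu have both stated explicitly that they give priority to indexing HTTPS sites.

② PCI DSS compliance: SSL is a key component of PCI compliance.

③ Faster page loads: at a Velocity conference, Load Impact and Mozilla reported that with HTTP/2 optimizations, Internet users can see site performance 50-70% better than over HTTP/1.1. To get the performance benefits of HTTP/2, however, HTTPS must be deployed first.

④ Compliance with the national classified protection of information security: Classified Protection 2.0 sets higher requirements for the use of cryptography. Communication should use cryptographic techniques to guarantee the confidentiality of sensitive fields or of the entire message in transit; HTTPS should be enabled, and authentication information should be transmitted using these encryption methods.

⑤ Compliance with iOS ATS requirements: to promote HTTPS, Apple also announced at WWDC 2017 that new apps must enable the ATS (App Transport Security) security feature.

⑥ Higher security: an HTTPS site can prevent users' private information, such as user names, passwords, transaction records and residence information, from being stolen or tampered with, ultimately keeping the site's data transmission secure. Once an SSL certificate is installed, the browser's built-in security mechanisms check the certificate status in real time and show the site's authentication information to the user, so that users can easily verify the site's real identity. This prevents man-in-the-middle hijacking and helps identify fraudulent, phishing and other counterfeit sites.

⑦ Better brand image and credibility: for a site with an SSL certificate installed, the browser shows a secure indicator (or a small padlock icon), while a site without an SSL certificate gets a "not secure" warning.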

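If an EV SSL certificate is deployed, the browser also shows a green address bar and the organization's name, telling users that they are visiting a secure, trustworthy site. This can greatly improve the company's brand image and credibility.

Concerns about using HTTPS

Cumbersome application process: many people feel that there is a barrier to implementing HTTPS, namely the need for an SSL certificate issued by an authoritative CA. Choosing, applying for, purchasing and deploying the certificate takes considerable time and effort.

HTTPS performance overhead: compared with cleartext communication, encrypted communication consumes more CPU and memory. If every communication were encrypted from scratch it would consume considerable resources, but that is not the case in practice: users can optimize performance, for example by deploying the certificate on an SLB or CDN, to solve this problem. After optimization, many pages perform the same as over HTTP or even slightly better.

HTTPS operations and maintenance problems: managing SSL certificates takes time and effort. Operational problems arise such as insecure external links on HTTPS sites, SSL vulnerabilities, and certificates that expire through negligence.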

At present, certificate management platforms on the market, such as 51SSL, can manage the entire certificate lifecycle from a single, independent online platform. They cover every stage of SSL certificate use, providing one-stop application, online payment, review, issuance, deployment and management.

Origin blog.51cto.com/13954109/2429069