You must know the five common misconceptions about HTTPS

Nowadays, the https protocol is widely valued and used. In early February this year, Google's Chrome browser announced that all http websites would be marked as unsafe, and many websites rushed to upgrade from http to https. When you open many websites, you will find a green security lock in the upper left corner of the browser, which proves that the website has been protected by https encryption.

[[253644]]

The reason why https encryption protection is implemented is mainly because the website uses SSL certificate. Now many websites use SSL certificates to encrypt website data transmission, especially banks, finance, and e-commerce websites. However, many people have many misunderstandings about https, such as https will slow down website access, consume server resources, increase website costs, etc. In order to give everyone a clearer understanding of https, today we will talk about the cognitive misunderstandings after the website is upgraded to the https protocol.

Myth 1: https will slow down website access

As the number of Internet users increases, users may worry that https will slow down website access. Fortunately, although the website uses https protocol, there is an additional SSL certificate handshake verification link compared to http protocol, but this SSL certificate handshake link generally does not exceed 100 milliseconds, that is, less than 0.1 seconds. In most cases, https actually refers to http/2, which is a revised version of the standard http protocol. It aims to shorten page loading time by 50% by compressing data and reducing the processes involved. If https performance optimization is done well, https will not slow down the website's access speed.

Sometimes, https is faster than http, which is usually the case in large companies' internal LANs. Normally, the company's gateway intercepts and analyzes all network communications, but when it encounters an https connection, it can only let it go directly because https is encrypted and cannot be deciphered. Since this deciphering process is omitted, https is faster.

Myth 2: https will significantly increase hardware configuration costs

In order to implement https, the methods of upgrading CPU and purchasing more servers have become history. Some individuals or small and medium-sized websites may use virtual hosts. On such shared server space, if you want to install SSL certificates, you need server support. At present, most virtual hosts already support SSL configuration. With the rapid development of hardware performance, the computing pressure imposed by https on hardware has become smaller and smaller. Coupled with reasonable optimization and deployment, the increase in hardware costs can be almost ignored.

Myth 3: Only data-sensitive websites need HTTPS

People have reached a consensus that banks, e-commerce, finance and other websites must enable https, but is it necessary for other types of websites? We think it is necessary because https helps protect user privacy and ensure the authenticity of content. It means that all content on the website will be protected by https. Chrome and Firefox have begun to warn about non-https pages, and Google and Baidu both give https pages a higher search weight. Therefore, whether from the perspective of security or development, https is very necessary for all types of websites.

Myth 4: SSL certificates can be applied for at will

Some people think it is easy to apply for a free SSL certificate when they see it online. In fact, the easy-to-apply SSL certificates are cheap or free, and you cannot get a high-level SSL certificate just by paying for it. SSL certificates can be roughly divided into three types based on their credibility: domain name certificates (DV SSL), enterprise certificates (OV SSL), and enhanced certificates (EV SSL).

The free SSL certificates mentioned nowadays are all ***-level DV SSL certificates. For advanced EV SSL certificates, you need to submit authentic and reliable information (such as business license, organization code certificate, etc.), and it can only be issued after being manually reviewed and approved by the CA. Many companies fail in their applications because of incomplete or untrue information submitted.

Myth 5: With https, the website is 100% secure

This can be called the "https*** theory". Some companies also use https to promote their websites as being secure enough. But in fact, https uses SSL certificates to meet the two security requirements of network communication transmission encryption and server identity authentication, that is, anti-theft, anti-tampering, and anti-phishing. Other security requirements cannot be met. It is impossible to solve all the security problems of many websites with just one SSL certificate, but transmission encryption and identity authentication are the foundation of website security. If the foundation is not laid well, security is just empty talk. Therefore, for network security, https is not the best, but it is absolutely impossible without https. In an era of frequent network security incidents, deploying https is an irreversible trend.