Practical Tips for HTTPS Deployment on Large Websites

1. Introduction to HTTPS

HTTPS (originally Hyper Text Transfer Protocol over Secure Socket Layer) is HTTP carried over an encrypted channel; in short, it is the secure version of HTTP. Plain HTTP transmits everything in clear text, so it is unsafe for carrying private information. To let private data travel encrypted, Netscape designed the SSL (Secure Sockets Layer) protocol to encrypt the data carried by HTTP, and HTTPS was born. The last version of SSL is 3.0; it was designed by Netscape and only later written down by the IETF (Internet Engineering Task Force) as a historical record in RFC 6101. The IETF then took over the protocol and upgraded SSL 3.0 into TLS (Transport Layer Security) 1.0, defined in RFC 2246. Today's HTTPS in fact uses TLS, but because SSL came first and the name stuck, "SSL" is still used as a synonym for HTTPS even though SSL and the first TLS version both date from the last century. TLS 1.2, defined in RFC 5246, was the current version when this article was written and was not yet universally deployed; TLS 1.3 (RFC 8446) has since followed it. Every version of SSL is now deprecated (RFC 7568 prohibits SSL 3.0) and must not be enabled on a server.

However, after a site moves to HTTPS, some people point out that the username and password can still be seen in the browser's developer tools (F12), for example:

This is because TLS encryption happens below the application layer, between it and the transport layer. What the developer tools show is the HTTP POST body at the application layer, before it has been handed to TLS, so it is still plain text; what leaves the machine on the wire is the encrypted TLS record. Only the client and the server hold the keys that turn that ciphertext back into plain text, so the path from client to server is protected: a packet captured in transit cannot be read without the session key. HTTPS therefore protects data in transit; it does not hide data from the user of the browser or from anything running on the endpoint itself.

Besides HTTPS, there is also what is often called control encryption: the user must install a security control (a browser plug-in) before the password field can be used. This is common on bank and Alipay pages:

Such a control encrypts the password inside the page before the HTTP POST is built, so the plain-text password no longer appears in the application-layer request. Note that this is a defence in depth against keyloggers and on-device inspection, not a substitute for HTTPS: without TLS an attacker on the path can still tamper with the page and the request, and the control's encryption logic runs on a machine the attacker may control.

2. How HTTPS works

HTTPS is HTTP + SSL/TLS: a layer that encrypts the traffic is inserted beneath HTTP. Everything exchanged between server and client passes through SSL/TLS, so what is transmitted on the wire is ciphertext. The figure below shows how encryption, decryption and verification take place:

1. The client initiates an HTTPS request

First, the client sends a ClientHello to the server listing the TLS versions and cipher suites (encryption rules) the browser supports, together with a fresh 32-byte client random.

2. Server certificate configuration

A server that speaks HTTPS needs a certificate, which can be self-made or obtained from a certificate authority. The difference is that a self-signed certificate is not trusted by browsers by default, so the user must explicitly accept it before the page loads, while a certificate issued by a trusted CA produces no warning. A certificate binds a public key to a domain name; the server also holds the matching private key, which is never sent to anyone. Free certificates from a public CA are quick to obtain, so avoid producing your own certificates for public sites.

After receiving the ClientHello, the server selects a cipher suite (a key exchange, encryption and hash algorithm combination) from those the client offered, returns its choice in a ServerHello together with its own server random, and sends its certificate. The certificate contains the public key, the issuing authority, the domain name(s), the validity period and the CA's signature over all of it.

3. Transmit certificate

The server sends the certificate chain (its own certificate plus any intermediate CA certificates) to the client.

4. Client parses certificate

This work is done by the client's TLS implementation. It verifies the certificate, not just the public key: the signature chain must lead to a CA in the browser's trust store, the domain name must match the site being visited, and the current time must fall within the validity period. If anything is wrong, the browser warns that there is a problem with the certificate. If the certificate checks out, the client generates a random value, the pre-master secret, and encrypts it with the public key from the certificate. Once verification passes, the browser shows a padlock in the address bar.

5. Sending Encrypted Information

The client sends the pre-master secret, encrypted under the certificate's public key, so that only the holder of the matching private key can read it. From this shared secret, together with the client and server randoms exchanged in steps 1 and 2, both sides derive the same symmetric session keys that will protect the rest of the connection.

6. Server decryption information

The server decrypts the message with its private key and obtains the pre-master secret; it now derives the same session keys as the client and uses them to symmetrically encrypt the content. Symmetric encryption combines the data with the session key through the selected cipher so that nobody without the key can recover the data. Only the client and the server know the session key, so as long as the cipher is sound and the key is unpredictable, the data is protected.

7. Transmitting Encrypted Information

This message is encrypted by the server with the session key (not with its certificate private key) and can be decrypted on the client.

8. Client decrypts information

The client uses the session key it derived earlier to decrypt the server's message and obtains the plain-text content. Because the session key is known only to the client and the server, an attacker who intercepts the traffic cannot decrypt it, which is what secures the communication. Note that the exchange described here is the RSA key exchange of TLS 1.2 and earlier, in which the pre-master secret is encrypted to the server's certificate key; a recorded session can be decrypted later by anyone who obtains that private key. Modern deployments prefer (EC)DHE cipher suites, which agree on the pre-master secret through an ephemeral Diffie-Hellman exchange signed by the certificate key, giving forward secrecy, and TLS 1.3 supports only that mode.

3. SSL Certificate Selection Guide

SSL certificates are obtained from a publicly trusted certificate authority (CA for short). CAs issue three validation levels:

  • Domain Validated certificate (DV SSL): ordinary trust level. The CA verifies only control of the domain name before issuing, so the certificate proves which site you are talking to but says nothing about who runs it.
  • Organisation Validated certificate (OV SSL): stronger trust level. The CA verifies the company's identity through a stricter review, and the organisation name is recorded in the certificate.
  • Extended Validation certificate (EV SSL): the highest trust level, generally used by banks, securities firms and other financial institutions, with the strictest review. It used to light up a green address bar showing the company name; current browsers no longer give EV a distinct indicator.

Note that the validation level changes who the CA vouches for, not the strength of the encryption: a DV certificate and an EV certificate protect the connection equally well.

In addition, you can generate self-signed certificates yourself. Self-signed certificates are not trusted by browsers, so they rarely appear in production and are generally used in internal test environments (where the test clients are configured to trust them explicitly).

Generally speaking, different certificates have different certification levels, display icons, domain name support, prices, and insurance premiums:

I won't make many recommendations on the choice of certificate vendor here. The general principle is that larger vendors are more reliable, and you must check in advance that the vendor you choose is trusted by the browsers your users run. For example, the WoSign incident, after which major browsers withdrew trust from WoSign-issued certificates, forced many companies to replace their certificates before browsers would accept their sites again.

4. Deploy website HTTPS

How do you enable HTTPS access on the website once the certificate has been purchased?

First of all, when purchasing a certificate, the certificate manufacturer will provide detailed certificate deployment guides in its help documents. Generally speaking, you can deploy it step by step according to the help documents.

There are deployment guides for many servers, such as Apache, IIS, Nginx and Tomcat. Here we take Nginx as an example for a brief introduction.

The first step is to apply for and download the certificate. The author's own website is officially applied for through the free SSL official application service provided by Tencent Cloud:

After downloading:

Create an sslkey folder under conf in the Nginx deployment directory, upload the two files 1_www.fineops.com_bundle.crt and 2_www.fineops.com.key from the downloaded Nginx folder into it, and modify nginx.conf following the Tencent Cloud help document. Keep the .key file readable only by the user Nginx runs as; it is the private key from step 2 of the handshake.

Note that once the certificate is deployed you also need to redirect plain HTTP to HTTPS, which the vendor documentation generally does not cover. The following methods are commonly used:

  • Rewrite method, inside the server block that listens on port 80: rewrite ^(.*)$ https://$host$1 permanent; (on current Nginx, return 301 https://$host$request_uri; does the same job with less processing)
  • Nginx's 497 status code, which is produced when a plain-HTTP request arrives on an HTTPS port: error_page 497 https://$host$uri?$args; (error_page 497 =301 https://$host$request_uri; makes the redirect permanent and preserves the original query string exactly)
  • A meta refresh on the home page: <meta http-equiv="refresh" content="0;url=https://test.com/"> (not tried by the author; it only covers the one page that contains it and is ignored by non-browser clients)

On the author's site the directive proxy_redirect http://www.fineops.com:443/ https://www.fineops.com/; is configured in nginx. Be aware of what this directive actually does: proxy_redirect rewrites the Location and Refresh headers of responses coming back from a proxied upstream, so it fixes redirects that the backend emits with the wrong scheme or port. It does not by itself turn an incoming plain-HTTP request into an HTTPS one; a server block listening on port 80 that returns a 301 is still required for that.
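A complete Nginx configuration for the deployment described in this section, as an added example rather than the article's own nginx.conf. It uses the article's domain and the certificate file names from the Tencent Cloud download; the backend address 127.0.0.1:8080 is an assumption. The weak form (proxy_redirect alone) is shown commented out beside the corrected form (a dedicated port-80 redirect plus a TLS server block with only current protocol versions).

```nginx
# Added example, not the original article's configuration.
# Paths are relative to the Nginx deployment directory (the prefix), where the
# article placed the certificate under conf/sslkey.

# Weak form seen in the article: relying on proxy_redirect alone.
# proxy_redirect only rewrites Location/Refresh headers coming back from the
# upstream, so a browser requesting http://www.fineops.com/ is still served
# over plain HTTP. Keep it for fixing upstream redirects, not as the HTTP->HTTPS jump.
#
#   location / {
#       proxy_pass     http://127.0.0.1:8080;   # assumed backend address
#       proxy_redirect http://www.fineops.com:443/ https://www.fineops.com/;
#   }

# Corrected form: plain HTTP is answered only with a permanent redirect.
server {
    listen      80;
    server_name www.fineops.com fineops.com;
    return 301  https://$host$request_uri;   # preserves path and query string
}

server {
    listen      443 ssl;
    server_name www.fineops.com;

    ssl_certificate     conf/sslkey/1_www.fineops.com_bundle.crt;  # leaf + intermediate chain
    ssl_certificate_key conf/sslkey/2_www.fineops.com.key;         # private key, keep mode 0600

    # Only current protocol versions; SSLv3 and TLS 1.0/1.1 are deprecated.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret (ECDHE) AEAD suites only; no RSA key exchange, no CBC.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # Session resumption recovers part of the handshake cost noted in the conclusion.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Tell browsers to go straight to HTTPS next time.
    # Enable only after every host under the domain works over TLS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass       http://127.0.0.1:8080;   # assumed backend address
        proxy_redirect   http://www.fineops.com:443/ https://www.fineops.com/;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;  # lets the backend build https:// links itself
    }
}
```

After reloading, confirm the redirect with a plain curl -I http://www.fineops.com/ (expect 301 with an https:// Location) and inspect the negotiated protocol and certificate chain with openssl s_client -connect www.fineops.com:443 -servername www.fineops.com; a missing intermediate in the bundle file shows up there as a verification error even though the site may still open in a browser that caches intermediates.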

5. Conclusion

Converting HTTP to HTTPS is the trend and the technology is mature. After switching, the extra handshake round trips and the encryption and decryption work cost some performance compared with plain HTTP, although session resumption, TLS 1.3 and HTTP/2 recover much of it. In addition, the server hosting the certificate must keep OpenSSL patched and run a current TLS version (TLS 1.2 or 1.3, with SSLv2, SSLv3, TLS 1.0 and TLS 1.1 disabled); otherwise downgrade and man-in-the-middle attacks against the old protocols remain possible.

During the conversion from HTTP to HTTPS, test page redirects, third-party interfaces, static resources served from a CDN and so on after the switch, to make sure nothing fails to redirect or load: any resource that is still referenced over http:// from an https:// page is blocked or flagged as mixed content by browsers.
