The right way to go full-site HTTPS on Alibaba Cloud (1)

Some important reference material:


Jerry Qu's blog on HTTPS, HTTP/2 and nginx is strongly recommended reading; of the Chinese-language technical articles I have found so far, it is the most comprehensive and thorough treatment of these topics.

Link: imququ.com/

Why go full-site HTTPS?


The big players (Baidu, Taobao, JD and so on) have all moved their sites and services to full-site HTTPS.
Many articles already cover the benefits and advantages; see for example "Why should we upgrade to HTTPS?".
For a typical start-up, the pressing reasons to go full-site HTTPS are:

  1. Apple requires all iOS apps to use HTTPS connections by default (App Transport Security) before the end of the year
  2. WeChat mini programs require HTTPS for all network requests
  3. HTTP/2 support

HTTP/2 itself does not require TLS, but the mainstream browsers (Chrome and Firefox) only speak HTTP/2 over TLS, where the protocol is negotiated through ALPN. So if you want to upgrade to HTTP/2, you have to deploy HTTPS first.

Preparation before the upgrade.


SSL certificate types

  • DV (Domain Validation): aimed at individuals; the lowest assurance level, because the CA only verifies control of the domain. The classic method is an email to an address from the domain's whois record, and the applicant confirms using the content of the email.
  • OV (Organization Validation): aimed at companies. On top of the DV domain check, the company's authorisation is required: the CA confirms it by calling the company on a phone number taken from an official business database.
  • EV (Extended Validation): the browser shows the registered company's name in the address bar, which gives users more confidence. In addition to the two checks above, the company must provide documents such as its bank account-opening permit; the review is very strict.

It should be emphasised that DV, OV and EV certificates give exactly the same encryption strength: the cipher suites and keys are determined by the server configuration, not by the validation level. The levels differ only in how thoroughly the CA checks who is behind the domain.

Important differences:

  1. DV certificates are reviewed quickly and automatically, so issuance is usually complete right after the application; OV and EV certificates are reviewed manually, which usually takes several days.
  2. An EV certificate shows the company's name in the browser (the so-called green address bar) to increase users' sense of trust; this is how Chrome displayed github.com at the time of writing. Note that Chrome 77 and Firefox 70, both released in 2019, removed this EV indicator from the address bar, so this advantage has largely disappeared.
  3. EV certificates cannot be issued for a wildcard domain (*.example.com) or for multiple wildcard domains (*.example1.com, *.example2.com); OV and DV certificates can.

How to choose?
Early on it is hard to know how many subsystems an Internet company will end up with, and therefore how many subdomains it will need. If that cannot be planned clearly, it is best to buy a certificate that covers one or more wildcard domains. Whether it is DV or OV matters much less, in my opinion.
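A wildcard certificate does not cover every name under the domain, which is easy to get wrong when deciding what to buy. The following added example (not code from the article; every host name in it is made up) implements the hostname-matching rule browsers apply to certificate names and lists which hosts a given certificate leaves uncovered:

```python
"""Which host names does a certificate's DNS name list actually cover?

Added example, not from the article. The matching rules follow what browsers
implement (RFC 6125 section 6.4.3 / RFC 2818): a '*' may only replace the
entire leftmost label and stands for exactly one label, so '*.example.com'
covers 'www.example.com' but neither 'example.com' nor 'a.b.example.com'.
All host names below are made up.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (possibly a wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only a whole leftmost label may be the wildcard: "w*.example.com" and
    # "*.*.example.com" are rejected, as browsers reject them.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Refuse wildcards that would cover an entire TLD, e.g. "*.com".
    if len(p_labels) < 3:
        return False
    # The wildcard stands for exactly one non-empty label, so the label
    # counts must be equal and everything right of it must match exactly.
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return h_labels[1:] == p_labels[1:]


def uncovered_hosts(cert_names, hosts):
    """Return the hosts that none of the certificate's names cover."""
    return [h for h in hosts
            if not any(hostname_matches(n, h) for n in cert_names)]


if __name__ == "__main__":
    # Constructed inventory of a start-up that bought a single wildcard cert.
    cert_names = ["*.example.com"]
    hosts = ["www.example.com", "api.example.com", "example.com",
             "img.cdn.example.com", "shop.example.net"]
    for host in uncovered_hosts(cert_names, hosts):
        print("NOT covered by", cert_names, ":", host)
```

Run it and the bare domain example.com, the two-level name img.cdn.example.com and the different domain shop.example.net are reported as uncovered. In practice that means the bare domain has to be an extra name on the wildcard certificate (many vendors add it, but check before buying), a second-level wildcard such as *.cdn.example.com needs its own entry, and a different registered domain needs a "multiple wildcard domains" product.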

Some lessons learned:
HTTP resources loaded by an HTTPS page are called Mixed Content. Browsers block such resources according to their own policies (typically active content such as scripts, stylesheets and iframes is blocked outright, while images may still load with a warning), so take an inventory beforehand of the internal and external http resources your application depends on: analytics scripts (GA, CNZZ, Baidu Tongji), third-party sharing widgets, third-party map services and so on. For the external resources in particular, check whether the provider offers an https endpoint at all.
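The inventory described above can be produced from the page source rather than by clicking through the site with the browser console open. The script below is an added example, not code from the article; the sample HTML and all host names in it are constructed, and "example.com" is assumed to be the site being migrated. It lists every http:// sub-resource a page references and separates the ones under your own domain (which you rewrite yourself) from external ones (which need a check that the provider serves https):

```python
"""Inventory of plain-http resources a page loads, as a pre-migration check.

Added example, not from the article. Standard library only: it parses HTML,
collects every http:// URL in fetched attributes (src, href, srcset, action,
data, poster) and in CSS url(...), and splits them into internal (same site)
and external references. Internal ones you rewrite yourself; external ones
need a check that the provider serves https at all (no network access here).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes whose value the browser fetches. <a href> is a navigation, not a
# sub-resource, so it is not mixed content and <a> is skipped below.
URL_ATTRS = {"src", "href", "srcset", "action", "data", "poster"}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.IGNORECASE)


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []          # (tag, url) pairs in document order
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if not value:
                continue
            if name == "style":  # inline style="background:url(http://...)"
                self.found.extend((tag, u) for u in CSS_URL.findall(value))
            elif name in URL_ATTRS and tag != "a":
                # srcset holds comma-separated "url descriptor" pairs
                urls = ([v.split()[0] for v in value.split(",") if v.strip()]
                        if name == "srcset" else [value])
                self.found.extend((tag, u) for u in urls
                                  if u.lower().startswith("http://"))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:       # contents of a <style> block
            self.found.extend(("style", u) for u in CSS_URL.findall(data))


def scan(html, site_host):
    """Return {'internal': [...], 'external': [...]} of http:// resource URLs."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    site_host = site_host.lower()
    report = {"internal": [], "external": []}
    for _tag, url in scanner.found:
        host = (urlparse(url).hostname or "").lower()
        same_site = host == site_host or host.endswith("." + site_host)
        bucket = report["internal" if same_site else "external"]
        if url not in bucket:
            bucket.append(url)
    return report


# Constructed page standing in for a typical site before the migration.
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="stylesheet" href="http://static.example.com/css/site.css">
<style>body { background: url("http://static.example.com/bg.png"); }</style>
<script src="http://hm.baidu.com/hm.js?abc123"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
</head><body>
<img src="//img.example.com/logo.png" srcset="http://img.example.com/logo@2x.png 2x">
<iframe src="http://api.map.baidu.com/embed"></iframe>
<a href="http://partner.example.net/">a plain link is not mixed content</a>
</body></html>"""

if __name__ == "__main__":
    for kind, urls in scan(SAMPLE_HTML, "example.com").items():
        for url in urls:
            print(f"{kind:8s} {url}")
```

On the constructed page the three static.example.com and img.example.com URLs come out as internal, the Baidu analytics script and the Baidu map iframe as external, while the https analytics script, the protocol-relative image and the plain link are correctly ignored. Feed it the HTML of your own templates (or saved pages) to get the list the paragraph above asks for; remember that resources pulled in by scripts at runtime will not appear in the static source.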

Where can I get an HTTPS certificate?

Free:

  • Let's Encrypt: the usual choice for personal sites at present.
    Features/restrictions:
    • Certificates are valid for only 90 days. Renewal can be automated with an ACME client, but if TLS is terminated on a cloud provider's CDN or load balancer (such as Alibaba Cloud CDN or SLB), the certificate and its private key have to be uploaded to the cloud console, and I have not yet found a good way to automate that step. For such a setup Let's Encrypt is therefore not a good fit.
    • No wildcard certificates: every host name has to be listed explicitly in the certificate (several names per certificate are allowed). Wildcard issuance was added later, through ACMEv2, in March 2018.

Strongly not recommended:

  1. StartSSL.com: see the notice on its official website.

  2. WoSign: see the article on the WoSign affair ("The messy story of WoSign")

     and the report on the WoSign issues published by Mozilla.

Both CAs were caught mis-issuing and back-dating certificates in 2016. Mozilla, Google and Apple subsequently stopped trusting certificates issued by WoSign and StartCom after 21 October 2016, so a certificate bought from them will simply not be trusted by current browsers.

PS:

  1. For a while Alibaba Cloud sold WoSign certificates; they have since been taken off the market.
  2. WoSign's SEO is good: a search for "SSL certificate" puts it on the first page of both Google and Baidu, so many people who do not know the background get taken in.

Paid:

  • Alibaba Cloud: sells certificates from three CAs, Symantec, GeoTrust and CFCA. (Note that Chrome and Firefox distrusted the whole legacy Symantec PKI, GeoTrust included, during 2018; DigiCert has since taken over those brands on its own infrastructure, so check that any certificate bought today chains to a DigiCert root.)

PS: I have not used other vendors, so I make no recommendation about them.

What did I choose in the end?

GeoTrust DV SSL bought through Alibaba Cloud: it is cheap, supports wildcard domains, is issued quickly (within 30 minutes) and, most importantly, is managed in the same Alibaba Cloud console as everything else.

The next article continues from here.