Since Google’s Chrome browser announced in early February that it was “blocking” HTTP and labeling all HTTP sites as unsafe, more and more web users have been installing SSL certificates to upgrade the web transport protocol from HTTP to HTTPS. However, for the function, use and performance of HTTPS and SSL certificates, in fact, many users are not very clear, and even there are many misunderstandings in understanding.
Myth # 1: HTTPS makes web sites significantly slower
This is theoretically possible because HTTPS has more of an SSL handshake than HTTP. But this process typically takes only a few hundred milliseconds — 100 milliseconds is the equivalent of a tenth of a second — so it’s hard to detect a change in speed.
A typical example is that websites such as Baidu and Taobao implement HTTPS, but the access speed does not decrease. Sometimes, however, HTTPS is a little faster than HTTP, and this usually happens on a large company’s internal LAN. Typically, the company’s gateway intercepts and analyzes all network traffic. However, when it encounters an HTTPS connection, it can only pass it because HTTPS is encrypted and cannot be read. HTTPS is faster because of the lack of interpretation.
Myth: HTTPS dramatically increases hardware costs
Upgrading cpus and buying more servers for HTTPS is history. As hardware performance has improved by leaps and bounds, the computing pressure HTTPS imposes on hardware has become less and less, and with proper optimization and deployment, the increase in hardware costs is almost negligible.
Myth 3: Only sites that involve money
HTTPS There is a consensus that banking, e-commerce, and finance sites must have HTTPS enabled, but is it necessary for other types of sites?
The New York Times says HTTPS is necessary because it helps protect readers’ privacy and ensure authenticity. It says it will make all content on its website protected by HTTPS. Don’t forget that Chrome and Firefox have started warning non-HTTPS pages, and Google And Baidu both give HTTPS pages higher search weight. Therefore, HTTPS is essential for all types of websites, both from a security and development perspective.
Myth 4: You can deploy HTTPS on the login page
Deploy HTTPS on the login page to prevent password interception, but not on other pages. But this idea is dangerous, because if only the login page uses HTTPS, after the login, the rest of the page becomes HTTP. At this point, the page cache data is exposed.
That is, the cached data is set up in AN HTTPS environment but transferred in an HTTP environment. If someone hijacked the cached data, passwords could be stolen. For this reason, many sites are currently upgrading from single login page HTTPS to site-wide HTTPS.
Myth: SSL certificates are expensive
Since HTTPS is necessary, we will apply for one, but SSL certificate is charged, the price is not cheap. In fact, SSL certificate price in the network security products belong to more close to the people. In addition, in many SSL certificate providers, users can reduce the cost of using SSL certificates by using promotions offered by the service provider.
Myth 6: Foreign SSL certificates are better
SSL certificates of foreign brands start earlier, so in the performance of domestic SSL certificates for a long time, so that we form a foreign certificate is better to use the mindset.
But just last year, China’s financial certification center (CFCA) of domestic SSL certificate realized with Microsoft, Google and apple, firefox all browsers and operating system support, become the only in performance comparable to those of domestic foreign certificate certificate, at the same time in terms of speed of certificate application, given the certificate of abroad have more advantages, Make foreign certificate is no longer the only choice of domestic website.
Myth 7: SSL certificates can be applied for at will
The SSL certificate can be issued only after submitting authentic and reliable information (such as business license, organization code certificate, etc.). The reason for this is that the service provider needs to ensure that SSL certificates are used by legitimate organizations and prevent the certificate from being issued to illegal persons and exploited.
Myth: With HTTPS, websites are completely secure
This can be called “HTTPS omnipotence”, some enterprises also use HTTPS to advertise their website is secure enough. However, HTTPS uses SSL certificates to meet the security requirements of network transmission encryption and server authentication, namely, anti-theft, anti-tampering, and anti-phishing. Many website security problems can not be solved by a single SSL certificate.
But transmission encryption and authentication is the basis of website security, the foundation is not good, security is empty talk. So remember this – HTTPS is not a panacea for web security, but it is a panacea without HTTPS!
Original: http://server.51cto.com/Review-581019.htm