How HTTPS-based CDN service works?

Please note that this article is my personal opinion only based on my recent study. I will verify it with more experienced CDN professionals. It is worthwhile to write it down because I hardly find any single web page with good coverage of the topic.

First of all I don’t think CDN is providing security service. That said, security is a must consideration for Internet service providers, including CDN. Core purpose of CDN is to speed up the delivery of content over Internet.

How to secure a web site? OWSAP TOP 10 Project is a great reference. (ISC)2 has recently teamed up with Security Compass to provide (ISC)2 members free CBT on each of OWASP’s Top 10 Web Application Security Risks. I highly recommend (ISC)2 members to spend 2hrs to watch them all and to get 2 CPEs:D

How to set up CDN works securely with a secure web site is the center of this article. If a web site is not secure, CDN does not help much besides availability improvement.

Some customers tell me they want to use CDN but cannot do so because their sites are (1)dynamically generated and/or (2)using HTTPS.

There are some misunderstandings about (1). NOT all components on a dynamically generated web page are generated dynamically on the fly. Most videos, graphics and scripts used in dynamically generated web pages in online banking and shopping sites etc. are static objects. These static objects are cacheable if their HTTP Cache-Control headers allow. Cacheable means CDN can be used to speed up their deliveries.

An example is the popular social networking site tumblr. The site is frequently updated with new photos & blogs posted by users. tumblr uses CDN to improve user experience. Scroll down you can see more photos displayed. Lighting fast, right?

Mark Nottingham’s Caching Tutorial is a good resource about Cache-Control header

About (2), how HTTPS works with CDN, let’s review how to use HTTPS. In essence, HTTPS is to run HTTP over SSL or TLS between endpoints (which usually are browser and web server). HTTPS mitigates man-in-the-middle attack by using SSL/TLS to encrypt data in-transit. Data at-rest is in originally format (likely unencrpted) at endpoints:

Diagram (a)

A single browser window can form multiple HTTPS connections concurrently to multiple servers and it is not necessary that all servers with the same Multi Domain/SAN or Wildcard certificate. Please also note that HTTPS does not imply authenticated access control! Let’s take my twitter page, which is open to public, as an example:
My twitter page URL:!/jiansuo
My twitter page photo URL:

For HTTPS-based CDN service, there are two common configurations:
Diagram (b)
browser——HTTPS’——CDN——HTTPS”——customer origin server(s)

Diagram (c)
browser*——HTTPS’——customer origin server(s)
browser*——HTTPS”——CDN——HTTPS”’——customer origin server(s)

*same browser window instant
HTTPS’, HTTPS” and HTTP”’ represent different independent HTTPS connections

CDN plays endpoint roles in HTTPS. In both configurations, objects in transit are encrypted. These objects can be cached/stored on CDN (as well as browser) with appropriate Cache-Control header settings. In general a CDN customer will set non-sensitive objects (likely static objects such as images and scripts) to be cacheable and sensitive objects (likely dynamic objects such html pages with user-specific information) to be non-cacheable. Customer can also choose to cache sensitive objects (e.g. confidential CAD/CAM design diagrams) on CDN and use other mechanism (e.g. token authentication, cookie, file encryption, etc.) to prevent unauthorized access.

In summary, HTTPS-based CDN service helps dynamic and SSL-protected web site by
– speeding up delivery of those cacheable objects
– preventing man-in-the-middle attack at the same security level offered by HTTPS

Comparing diagrams (a), (b) and (c), one may argue that we actually introduce a man-in-the-middle if using HTTPS-based CDN service. Yes, CDN always sits between users and web servers. How to mitigate potential risks introduced by CDN? Reputation, industry best practice and standard compliances help.

HTTPS protects data in-transit, not data at-rest.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s