How Does Yottaa Optimizer Handle HTTPS (SSL) Traffic?
Yottaa Optimizer can securely optimize the performance of sites that use HTTPS. Our Optimizer activation wizard makes this easy, but hides some of the details. If you serve HTTPS traffic on a domain you wish to optimize with us, and want to understand exactly how it works, read on.
Sites that serve HTTPS traffic use SSL/TLS certificates signed by a trusted third-party CA (Certificate Authority). This gives users confidence that they are connecting to the site they think they are, because a trusted CA will not issue a certificate for your domain to someone who cannot prove control of it. Using HTTPS also encrypts the HTTP traffic, keeping the contents of requests and responses secure from snooping and man-in-the-middle attacks. These same properties posed some technical challenges for us in supporting HTTPS sites on Yottaa Optimizer: from the browser's point of view, a proxy that cannot present a valid certificate for your domain looks exactly like an attacker. We needed to find a way to support all these goals:
- Maintain security (between end users and Yottaa, and between Yottaa and your origin server)
- Avoid requiring our customers to share their existing cert(s) or private keys with us
- Maintain a great end-user experience (by securing the same HTTPS domain before and after activating Yottaa Optimizer, with an SSL cert that properly identifies our customer's domain, with no browser warnings)
- Allow for self-service and easy setup
- Keep costs and complexity to a minimum
Given Yottaa Optimizer's role as a reverse proxy for your origin server where you host your site, we are effectively acting as a friendly "robot in the middle". For regular HTTP traffic, simply updating your DNS to point your traffic to us is all you need to do. But with HTTPS, the browser now opens its TLS connection to Yottaa rather than to your origin, and it will only trust that connection if the server it reaches presents a valid, CA-signed SSL certificate for your domain. So we need to host such a certificate on your behalf. We don't ask you to share your origin server's SSL cert or private key with us (though you do still need to maintain that cert, because it is what secures the second hop, between Yottaa and your origin server). Rather, we create a new, separate SSL cert that we manage on your behalf in our infrastructure. This way, encryption is maintained on every hop: one TLS connection from the end user to Yottaa, and another from Yottaa to your origin. Note that this is hop-by-hop rather than end-to-end encryption: the Optimizer has to decrypt traffic in order to optimize it, so the plaintext of requests and responses is handled inside Yottaa's infrastructure between the two connections.
So, there is more than one SSL certificate involved?
Yep. On your origin server hosting HTTPS traffic, you will continue to maintain a valid, CA-signed SSL cert. This keeps the connection between Yottaa's data centers and your origin server encrypted, and because the cert is CA-signed rather than self-signed, it lets our servers verify that they are talking to your origin and not to an impostor. In addition, we add your domain name to a special multi-domain "SAN" (Subject Alternative Name) certificate that we maintain in our data centers. A SAN certificate carries a list of domain names, all of which it is valid for, so we can serve many customers' domains from the same certificate and the same IP address. (Otherwise we'd need a unique IP address in every data center for every Yottaa HTTPS customer, which would be cost-prohibitive and a logistical nightmare.) One consequence worth knowing: the SAN list is part of the certificate, so anyone who connects to it can see every domain name on it, yours included. By using this approach, we achieve all the goals outlined above.
As for the Yottaa Optimizer SSL cert provisioning process, it's really simple.
- When you sign up for Yottaa Optimizer, we detect that your domain uses HTTPS and show you a list of email addresses at that domain that our cert provider accepts as proof of ownership (e.g. firstname.lastname@example.org). You choose one of them.
- Our cert provider sends a verification email to this address. Click the link in this email to grant us permission to serve SSL traffic on your behalf. (Whoever can read that mailbox can authorize certificate issuance for your domain, so pick an address you control and keep access to it restricted.)
- Our cert provider then issues us a new SSL certificate that has your domain name on it, and we deploy the cert to our infrastructure. At this point the SSL cert provisioning is done, and you can make the simple DNS change to start directing your traffic through Yottaa.
The whole process is automated and takes just a few minutes.
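Once the cert is deployed and DNS is switched, it is worth checking both hops yourself: that the certificate now served on your public domain actually lists that domain in its SAN extension, and that your origin still presents a valid, CA-signed certificate for the same name. The script below is an added example written for this article; it is not Yottaa's code and does not describe their internal implementation. The SAN matching is exercised against a constructed certificate dictionary in the shape Python's `ssl.SSLSocket.getpeercert()` returns (the domain names in it are made up), and `fetch_peercert` is a plain verified TLS connection using the standard library that needs network access to run.

```python
"""Check which hostnames a TLS certificate covers, and verify a live endpoint.

Added example (not Yottaa's code). Two things an operator wants after
activating a TLS-terminating proxy in front of an HTTPS origin:
  1. the cert served on the public domain lists that domain in its SAN, and
  2. the origin cert still validates (chain + hostname) for the public name.
"""
import socket
import ssl
from typing import Optional

# Constructed sample in getpeercert() shape: a multi-domain SAN certificate
# as a CDN edge might serve, listing several customers' domains. All names
# here are made up for the example.
EDGE_CERT_SAMPLE = {
    "subject": ((("commonName", "edge.cdn.example"),),),
    "subjectAltName": (
        ("DNS", "edge.cdn.example"),
        ("DNS", "www.shop.example"),
        ("DNS", "shop.example"),
        ("DNS", "*.another-customer.example"),
    ),
}


def san_names(peercert: dict) -> list:
    """Return the DNS names from the certificate's subjectAltName extension.

    Everything in this list is visible to any client that connects, which is
    why a shared multi-domain cert exposes the other customers' domains.
    """
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125-style match: exact, or a single '*' as the entire leftmost label.

    A wildcard never matches across a dot ('*.a.example' does not cover
    'x.y.a.example' or 'a.example'), and a pattern shorter than three labels
    ('*.example') is rejected.
    """
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    if "*" not in pat:
        return host == pat
    pat_labels = pat.split(".")
    host_labels = host.split(".")
    if pat_labels[0] != "*" or len(pat_labels) < 3 or len(pat_labels) != len(host_labels):
        return False
    return pat_labels[1:] == host_labels[1:]


def cert_covers(peercert: dict, hostname: str) -> bool:
    """True if any SAN DNS entry covers hostname. The CN alone is not consulted:
    modern browsers ignore it, so a cert with the name only in the CN would
    still produce browser warnings."""
    return any(hostname_matches(hostname, n) for n in san_names(peercert))


def fetch_peercert(host: str, port: int = 443, server_name: Optional[str] = None) -> dict:
    """Open a verified TLS connection and return the peer certificate.

    server_name is the SNI value and the name checked against the cert; it
    defaults to host. For the origin hop, pass host=<origin address> and
    server_name=<public domain>: that is the check a reverse proxy has to do
    to get integrity, not just encryption, on its connection to the origin.
    Raises ssl.SSLCertVerificationError if the chain or name check fails.
    """
    ctx = ssl.create_default_context()  # chain and hostname verification are on by default
    sni = server_name or host
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    for name in ("www.shop.example", "blog.shop.example", "api.another-customer.example"):
        print(f"{name}: {'covered' if cert_covers(EDGE_CERT_SAMPLE, name) else 'NOT covered'}")
    print("all SAN entries visible to clients:", san_names(EDGE_CERT_SAMPLE))
    # Live checks (network required), with placeholder names:
    # edge = fetch_peercert("www.shop.example")
    # origin = fetch_peercert("origin.internal.shop.example", server_name="www.shop.example")
```

Run it twice after cutover: once against the public domain (which now resolves to the edge), and once against the origin address with `server_name` set to the public domain. If the second call raises `SSLCertVerificationError`, the origin cert has lapsed or does not carry the name, and the proxy-to-origin hop is encrypted but no longer authenticated.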
As with other Yottaa technologies, there is a fair amount of complexity behind the scenes, but for you, our customers, it's easy, almost like magic.
Hopefully that helps illustrate how it all works.
Feedback and questions are always welcome!