29

I have a website with only the home page available through the simple HTTP protocol. All other pages are accessible only through HTTP over SSL (https://).

I'm using a CDN for the home page and am very happy with it.

But to me it looks like using a CDN for HTTPS pages is impossible because of security warnings, especially in IE. My files hosted at the CDN are accessible through the simple HTTP protocol.

What should I do? How can this problem be solved?

John Topley
BinaryButterfly

3 Answers

17

You need to get a CDN that supports serving files over HTTPS, then use that CDN for the SSL requests.

Jon Benedicto
  • @JacquesBosch Well, that doesn't mean you can't use it. And I really doubt how many people do care about it. – laike9m Oct 15 '15 at 16:02
  • @laike9m, anybody is of course free to use any method they find has the right balance of convenience, value and risk for their scenario. – Jacques Bosch Oct 15 '15 at 19:39
  • @JacquesBosch That blog misses something, *"The user thinks they’re only telling you their secrets, but they’re also telling FooCo their secrets. And that’s not cool."*. The user isn't telling anything to FooCo, [because the browser can't send anything to FooCo](https://en.wikipedia.org/wiki/Same-origin_policy). Also, FooCo serving malicious js is detectable. – Ian Boyd Feb 08 '16 at 15:45
5

You can do this if their boxes have HTTPS support. What you can't do is use a subdomain of your own domain to CNAME against the CDN network, because SSL doesn't work this way.

So https://cdn.tld/mydomain/path/to/file as a mechanism does work (because browsers will verify the cdn.tld SSL certificate correctly),

but https://cdn.mydomain.tld/path/to/file will not.

SjH
  • Unless the CDN agrees to host your domain's SSL certificate on their servers serving your content. – talonx Apr 11 '11 at 07:08
  • 11
    Think of it the other way around. Are you ready to let a CDN host the private key to your SSL certificate? – zarkdav May 25 '12 at 14:28
  • @zarkdav There should be minimal trust, no? Are you ready to let Amazon host your SSL and secrets? – Joel Blum Apr 09 '18 at 14:48
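
The certificate name check discussed in the answer and comments above, as an added example that is not part of the original posts: a simplified version of the hostname matching a browser applies to a certificate's DNS names. The certificate name lists are constructed, and `hostname_matches`, `cert_covers` and `check` are hypothetical helper names.

```python
from urllib.parse import urlsplit

# Constructed subjectAltName lists (assumptions, not real certificates).
CDN_CERT_SANS = ["cdn.tld", "*.cdn.tld"]            # certificate owned by the CDN
OWN_CERT_SANS = ["mydomain.tld", "*.mydomain.tld"]  # certificate owned by the site


def hostname_matches(san: str, host: str) -> bool:
    """Return True if a single certificate DNS name covers `host`.

    Simplified RFC 6125-style rules: case-insensitive comparison, a
    wildcard only as the entire left-most label, and a wildcard never
    spanning more than one label.
    """
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False  # "*.mydomain.tld" does not cover "a.cdn.mydomain.tld"
    first, rest = san_labels[0], san_labels[1:]
    if any("*" in label for label in rest):
        return False  # wildcard is only valid in the left-most label
    if rest != host_labels[1:]:
        return False  # the parent domain must be identical
    if first == "*":
        return len(san_labels) >= 3  # refuse overly broad names like "*.tld"
    return first == host_labels[0]  # also rejects partial wildcards ("f*")


def cert_covers(sans, host: str) -> bool:
    """True if any name in the certificate covers the host."""
    return any(hostname_matches(san, host) for san in sans)


def check(url: str, sans) -> bool:
    """Would a server presenting `sans` pass the name check for `url`?"""
    return cert_covers(sans, urlsplit(url).hostname)


if __name__ == "__main__":
    for url, sans in [
        ("https://cdn.tld/mydomain/path/to/file", CDN_CERT_SANS),
        ("https://cdn.mydomain.tld/path/to/file", CDN_CERT_SANS),
        ("https://cdn.mydomain.tld/path/to/file", OWN_CERT_SANS),
    ]:
        print(url, sans, "->", "ok" if check(url, sans) else "name mismatch")
```

The third case only passes because the server presents a certificate issued for the site's own domain, which is the arrangement the comments describe: the CDN has to hold that certificate and its private key.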
3

Two options, but in general I'd redirect all pages that don't need to be SSL'ed to their non-SSL equivalent and only use SSL when necessary.

  1. Get an SSL certificate for your CDN host. It's just 30 bucks/year, but you need to take into account that this requires more configuration and depending on the traffic, this is also more expensive because the server requires more resources for SSL'd connections.

  2. For the relevant pages, store the CSS/images/js files "local" on your own SSL host and use them when you need SSL. Of course you lose the speed etc. from the CDN, but that's a trade-off. We opted for this because just our signup is SSL, 99.9999% of the time users spend on our website is on non-SSL links.

Till