Why Upgrading to HTTPS Is Essential and How Baidu Did It
This article explains why migrating to HTTPS is critical for modern web applications, outlines the technical challenges such as compatibility, latency, and attacks, and details Baidu's practical solutions and free options for small sites to adopt full‑site HTTPS securely and efficiently.
Why Must We Upgrade to HTTPS?
HTTP transmits data in clear text, allowing intermediate nodes (proxies, gateways, routers, Wi‑Fi hotspots, malicious plugins, etc.) to eavesdrop on or tamper with traffic, leading to information leakage and malicious modification. It also provides no authentication of the server, so DNS hijacking goes undetected: users cannot tell a compromised connection from a genuine one, which harms both users and service providers.
Real‑world incidents, such as a SaaS product whose PC side was hijacked three times in 2015, illustrate the business impact of HTTP attacks.
How to Counter HTTP Hijacking?
Many internet services have already adopted full‑site HTTPS, including finance, e‑commerce, and payment platforms. Notable milestones:
March 2015 – Baidu announced full‑site HTTPS.
May 2015 – Baidu Search began preferentially ranking HTTPS sites.
July 2015 – Alibaba’s Taobao and Tmall launched full‑site HTTPS.
June 2016 – Apple required all App Store apps to enable App Transport Security (ATS) by Jan 1 2017, blocking clear‑text HTTP resources.
Cloud platforms must provide reliable HTTPS capabilities for tenants to survive hostile network environments.
How Baidu Implemented Full‑Site HTTPS
When upgrading a large‑scale internet application to HTTPS, several challenges arise.
Challenge 1: Compatibility
Legacy browsers in China still use outdated SSL/TLS versions (SSL v2, SSL v3, TLS 1.0). Although these protocols have known vulnerabilities, a small percentage of users still rely on them.
Figure 1. PC browser market share in China (Jan–Jul 2016)
Figure 2. PC operating‑system market share in China (Jan–Jul 2016)
Solution: Large sites cannot simply drop support for these browsers because the traffic loss would be huge. Baidu adopts graceful degradation—downgrading to lower‑version TLS, supporting both SHA‑1 and SHA‑256, and using 302 redirects for users who truly cannot use HTTPS.
Challenge 2: Higher Latency and Lower Concurrency
HTTPS adds certificate verification and key exchange, increasing the number of round‑trips by 3–7× compared with plain HTTP, which can add 250–500 ms latency (up to 1200 ms for poorly optimized pages) and reduce concurrent request capacity.
Without optimization, a server's CPS typically drops from over 20 000 requests per second on HTTP to 2 000–3 000 on HTTPS.
Solution: Optimize at multiple layers:
Protocol layer – use TCP Fast Open, HSTS, session cache/ticket, OCSP stapling, False Start, SPDY/HTTP2 to reduce handshakes.
Application layer – pre‑connect before user interaction.
Cryptography – prefer ECC over RSA/DH for faster operations.
Backend – deploy SSL hardware‑acceleration clusters for SSL offloading.
Figure 3. Protocol‑layer optimizations
Figure 4. Architecture with SSL hardware‑acceleration cluster
Figure 5. Performance comparison with and without SSL hardware acceleration
Challenge 3: HTTPS‑Specific Attacks
To prevent protocol‑downgrade attacks, both servers and browsers implement SCSV. To mitigate renegotiation attacks, client‑initiated renegotiation is disabled, while server‑initiated renegotiation is allowed when necessary.
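The server-side policy described across Challenges 1 to 3 (a single graceful-degradation knob for the minimum protocol version, a 302 for clients that truly cannot use HTTPS, HSTS, session tickets, ECC-first cipher ordering, and refusing client-initiated renegotiation) can be written down concretely with Python's standard `ssl` module. This is an added example for illustration, not Baidu's implementation; the function and constant names, the cipher string, and the assumption that a client's HTTPS capability is decided upstream (for instance from a User-Agent list) are this example's own.

```python
"""TLS server policy in code. Added example, not Baidu's implementation.

It expresses three points from the article with Python's ssl module:
  * graceful degradation: the lowest protocol version still accepted is
    one knob, and only clients known to handle HTTPS are redirected to it;
  * protocol-layer optimisations: HSTS, session tickets, ECC-first ciphers;
  * HTTPS-specific attacks: client-initiated renegotiation is refused.
Function and constant names are this example's own choices.
Requires Python 3.7+; OP_NO_RENEGOTIATION needs OpenSSL 1.1.0h or newer.
"""
import ssl

# ECDHE (elliptic-curve) key exchange first, DHE as fallback, no anonymous
# suites: the article prefers ECC over RSA/DH for faster handshakes.
ECC_FIRST_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5"

ONE_YEAR = 365 * 24 * 3600


def build_server_context(min_version=ssl.TLSVersion.TLSv1_2,
                         session_tickets=True):
    """Return an SSLContext for a TLS server.

    min_version is the graceful-degradation knob: lowering it keeps legacy
    browsers working at the cost of those protocols' known weaknesses, so
    it should be a measured, deliberate choice rather than the default.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = min_version
    # Let the server's cipher order win, so the ECC suites are actually chosen.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    # Session tickets let returning clients skip the full key exchange.
    if not session_tickets:
        ctx.options |= ssl.OP_NO_TICKET
    # Refuse client-initiated renegotiation; the server can still renegotiate
    # itself when it has to (the option is absent on old OpenSSL builds).
    if hasattr(ssl, "OP_NO_RENEGOTIATION"):
        ctx.options |= ssl.OP_NO_RENEGOTIATION
    ctx.set_ciphers(ECC_FIRST_CIPHERS)
    return ctx


def hsts_header(max_age=ONE_YEAR, include_subdomains=True):
    """Strict-Transport-Security header: browsers go straight to HTTPS next time."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return ("Strict-Transport-Security", value)


def redirect_for(scheme, host, path, client_can_https):
    """Decide whether a request gets a 302, following the degradation rule.

    A plain-HTTP request from a client known to handle HTTPS is sent to the
    HTTPS URL; a client that truly cannot use HTTPS keeps being served over
    HTTP. client_can_https is assumed to be determined upstream (hypothetical:
    e.g. a User-Agent allowlist). Returns None when no redirect is needed.
    """
    if scheme == "http" and client_can_https:
        return 302, f"https://{host}{path}"
    return None


def first_tls12_cipher(ctx):
    """Name of the first TLS 1.2 suite the server would offer (TLS 1.3 suites
    are listed separately by OpenSSL and are not affected by set_ciphers)."""
    for cipher in ctx.get_ciphers():
        if cipher["protocol"] == "TLSv1.2":
            return cipher["name"]
    return None


def describe_policy(ctx):
    """Summarise the effective settings so they can be audited or asserted on."""
    no_reneg = getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    return {
        "min_version": ctx.minimum_version.name,
        "server_cipher_preference": bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE),
        "session_tickets": not (ctx.options & ssl.OP_NO_TICKET),
        "renegotiation_control_available": bool(no_reneg),
        "client_renegotiation": not (ctx.options & no_reneg),
        "first_tls12_cipher": first_tls12_cipher(ctx),
    }


if __name__ == "__main__":
    for key, val in describe_policy(build_server_context()).items():
        print(f"{key:>32}: {val}")
    print(hsts_header())
    print(redirect_for("http", "example.test", "/", True))
```

Loading the certificate chain (`ctx.load_cert_chain`) and the OCSP-stapling, TCP Fast Open and HTTP/2 settings from the list above live in the web server or load balancer rather than in this context object, so they are not shown here.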
Challenge 4: All Front‑End Resources Must Support HTTPS
If the main domain uses HTTPS but embedded resources (JS, CSS, images) are still loaded over HTTP, browsers will warn users or block the page, defeating the security goal.
Solution: Budget for the whole front end, not just the web server. For large sites, enabling HTTPS on the web server and optimizing its HTTPS features may account for only 20‑40 % of the migration effort; making the CDN, front‑end assets, templates, and service endpoints HTTPS‑compatible consumes the majority of the time and resources.
Figure 6. Key points for front‑end HTTPS transformation
How Small Sites Can Get Baidu’s Free HTTPS Benefits
Baidu Open Cloud offers a zero‑cost certificate application and one‑click deployment, eliminating the need for source‑site modifications. Features include encrypted private‑key transmission, compatibility with existing HTTP handling, dynamic addition, and flexible SSL protocol version switching.
These capabilities are available across Baidu’s load balancer (BLB), CDN, BAE, Open Cloud IoT, BOS, and big‑data products, enabling users to secure their internet applications with minimal effort.
This article has been distilled and summarized from source material, then republished for learning and reference.
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.