How to Use SSL/TLS with Node.js
Using HTTPS is becoming more and more prevalent, so we should know how to implement SSL/TLS in our Node.js applications – either for accessing HTTPS resources or for serving our own resources over an encrypted connection. What does HTTPS actually mean? What does it imply? Are there any constraints and restrictions? We will try to find answers to all of these questions.
Additionally, we should not only protect our clients by providing HTTPS, but also demand encrypted connections from the servers we are talking to. We will see that there are ways to activate the SSL/TLS layer even where it is not enabled by default. Let’s start with a short review of the current state of HTTPS.
On February 17th, 2015, the HTTP/2 protocol was approved by the IESG for publication as a Proposed Standard. This was a major milestone. Now we can all upgrade our servers to use HTTP/2. One of its most important aspects is backwards compatibility with HTTP/1.1, together with a negotiation mechanism for choosing a different protocol. Although the standard does not mandate encryption, most browsers will only support HTTP/2 over TLS. This gives HTTPS another boost. Finally HTTPS everywhere!
What does our stack actually look like? From the perspective of a website running in the browser (application level) we have roughly the following layers to reach the IP level:
- Client Browser
HTTPS is nothing more than the HTTP protocol on top of SSL/TLS. Hence all the rules of HTTP still apply. What does this additional layer actually give us? There are multiple advantages. We get authentication of the server by means of keys and certificates. We also get a certain degree of privacy and confidentiality, as the connection is encrypted: asymmetric cryptography is used during the handshake to authenticate the peer and agree on a session key, and the actual data is then encrypted symmetrically with that key. Last but not least, data integrity is preserved, i.e. transmitted data cannot be altered in transit without the change being detected.
One of the most common myths is that using SSL/TLS requires too many resources and slows down the server. This is no longer true, and we do not need any specialized hardware with cryptography units either. Even for Google, the SSL/TLS layer accounts for less than 1% of the CPU load. Furthermore, the network overhead of HTTPS compared to HTTP is below 2%. All in all, it would not make sense to forgo HTTPS to save such a small amount of overhead.