User:Eighty5cacao/misc/List of CDNs by HTTPS support

From Pin Eight

A content delivery network (CDN) is a service that offers a large distributed network of web servers to increase a web site's availability and performance. This page describes support for HTTPS on several CDNs.

Notes about the terminology used on this page:

  • A "bucket" refers to an account with a CDN provider and its associated domain name(s) or other identifier(s). The term originates with Amazon S3, though the HTTPS Everywhere development team has adopted this term more generally.
  • "HTTP" refers specifically to the use of TCP port 80 for unencrypted HTTP, as opposed to the HTTP protocol in general, unless otherwise specified (such as in the term "HTTP header").

This list includes only "traditional" CDNs that host individual files of the webmaster's choice. It does not include services such as CloudFlare that proxy an entire website. Such services generally offer HTTPS only as a premium feature.

The list was based primarily on a cursory glance at some HTTPS Everywhere rulesets. It is not yet meant to be comprehensive.

Unless otherwise specified, all entries refer to "shared SSL," in which the domain names contain the name of the CDN provider. HTTPS support on custom domain names almost always requires a premium account.

HTTPS on same domain as HTTP

These generally allow HTTPS requests to be made to any bucket, at a slight additional cost per request to the account holder, without any special setup required.

HTTPS on different domain from HTTP

Some CDNs put HTTP and HTTPS on different domains, but the mapping from one to the other is predictable enough that an HTTPS Everywhere ruleset can be written. These also generally allow HTTPS requests to be made to any bucket. (CDNs that don't should be placed in the "HTTPS as premium service only" or "Investigation needed" sections as appropriate.)

  • Rackspace Cloud Files (an Akamai reseller[3])
  • SoftLayer (an EdgeCast reseller; *.http.cdn.softlayer.net → *.https.cdn.softlayer.net)
  • (at least one other I'm probably forgetting)
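As an added illustration (not taken from any HTTPS Everywhere ruleset), the SoftLayer mapping from *.http.cdn.softlayer.net to *.https.cdn.softlayer.net can be applied to the parsed hostname rather than to the raw URL string, so that the suffix appearing in a path, query, or longer attacker-controlled hostname does not trigger the rule. The function name and the sample bucket names in the test are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit

# Suffixes from the SoftLayer entry in the list above.
HTTP_SUFFIX = ".http.cdn.softlayer.net"
HTTPS_SUFFIX = ".https.cdn.softlayer.net"


def rewrite_to_https(url):
    """Return the HTTPS equivalent of a SoftLayer CDN URL, or None if no rule applies."""
    parts = urlsplit(url)
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    # "HTTP" on this page means unencrypted HTTP on TCP port 80 only.
    if parts.scheme != "http" or port not in (None, 80):
        return None
    # Do not carry embedded credentials over to a different host.
    if parts.username is not None or parts.password is not None:
        return None
    # urlsplit lowercases the hostname; strip a trailing root dot as well.
    host = (parts.hostname or "").rstrip(".")
    # The suffix must end the hostname, with a non-empty bucket label before it.
    if not host.endswith(HTTP_SUFFIX):
        return None
    bucket = host[: -len(HTTP_SUFFIX)]
    if not bucket:
        return None
    return urlunsplit(
        ("https", bucket + HTTPS_SUFFIX, parts.path or "/", parts.query, parts.fragment)
    )
```
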

HTTPS as premium service only

These may or may not allow HTTPS for any given bucket, depending on the pricing plan ordered by the account holder. Some domains may offer both HTTP and HTTPS; some may not offer HTTPS at all; etc.

  • CDNetworks (Pantherssl branded service offers HTTPS; the basic CDNetworks brand may not)
  • Internap (Internap brand has *.https.internapcdn.net for example; Voxel brand limits HTTPS to premium accounts despite using the same *.voxcdn.com domain hierarchy for all buckets)
  • Limelight Networks (HTTPS available on *.hs.llnwd.net but not on other domains such as *.vo.llnwd.net)

No HTTPS at all

Investigation needed

  • Akamai Technologies (Akamai branded service — resellers may differ; HTTPS probably not supported on buckets configured for streaming video[4])
    • a*.g.akamai.net can mostly (but not entirely?) be rewritten to a248.e.akamai.net
  • EdgeCast Networks (most domains offer HTTPS or at least have an HTTPS equivalent, but some that don't may exist[5]).

TODOs

  • Consider giving some advice that is actually useful to the target audience of the Portfolio hosting article
  • Consider linking to individual HTTPS Everywhere rulesets where available
  • MaxCDN offers "free shared SSL"; how are the domains and folders assigned? IIRC they are a NetDNA reseller; NetDNA itself offers HTTPS only as a premium feature
  • Highwinds offers free shared SSL with "no setup fee" (but does no setup fee mean no setup? The domain used for shared SSL doesn't seem to be the standard hwcdn.net)
  • Is Internap an EdgeCast reseller to any extent? See the CNAME chain for http.cdnlayer.com. (Answer: Yes. Or at least they used to be, as http.cdnlayer.com is dying or defunct. TODO: Fix this - it is probably more correct to say that SoftLayer used to be an Internap reseller but is now an EdgeCast reseller...)

Footnotes

  1. For the Amazon Web Services listed here, HTTPS support is enabled by default, but it can be disabled for specific buckets (in the sense that the response is HTTP 403).
  2. S3 is sometimes called a CDN, though by itself it is not strictly a CDN because one bucket's data can only exist in one geographical location at a time. A set of buckets is often used as origin points for a true CDN, and several HTTPS Everywhere rules rewrite requests from a CDN with unknown HTTPS support to S3. S3 bucket names MAY contain periods. It is NOT RECOMMENDED that website administrators use periods in S3 bucket names if they wish to fully support HTTPS on their site, since the certificate doesn't have enough wildcard depth to cover foo.bar.s3.amazonaws.com, and s3.amazonaws.com/foo.bar/ redirects to the former(cn) if the bucket is locked to one datacenter location. The redirect is a 301 with an XML body but no Location: header, so most browsers wouldn't know how to follow it anyway.
  3. http://www.rackspace.com/cloud/cloud_hosting_products/files/technology/?page=cdn
  4. This HTTPS Everywhere bug report gives an example of such a bucket.
  5. Detailed notes on the construction of EdgeCast URLs will be kept here.
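The wildcard-depth problem described in footnote 2 can be checked before a bucket is created. The following is an added example, not code from this page or from HTTPS Everywhere; it assumes the shared certificate name is *.s3.amazonaws.com (the footnote states only that the wildcard does not reach foo.bar.s3.amazonaws.com), and the bucket names are constructed samples.

```python
# Assumption: the shared certificate carries this wildcard name.
S3_ENDPOINT = "s3.amazonaws.com"
S3_CERT_NAME = "*." + S3_ENDPOINT


def wildcard_covers(cert_name, hostname):
    """Left-most-label wildcard matching: '*' stands for exactly one DNS label."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard never spans a dot, so the label counts must be equal.
    if len(cert_labels) != len(host_labels) or "" in host_labels:
        return False
    if cert_labels[0] == "*":
        return cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def audit_bucket_names(bucket_names):
    """Map each bucket name to whether <bucket>.s3.amazonaws.com passes hostname checks."""
    return {
        name: wildcard_covers(S3_CERT_NAME, f"{name}.{S3_ENDPOINT}")
        for name in bucket_names
    }


if __name__ == "__main__":
    # Constructed sample names; "foo.bar" is the dotted case from footnote 2.
    for name, ok in audit_bucket_names(["assets", "foo.bar", "a.b.c"]).items():
        status = "covered" if ok else "NOT covered: certificate name mismatch"
        print(f"{name}.{S3_ENDPOINT}: {status}")
```

A bucket that fails this check is reachable over HTTPS only through the path form s3.amazonaws.com/foo.bar/, which footnote 2 notes may itself answer with a redirect that browsers cannot follow.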