Alibaba’s Full‑Site HTTPS Deployment for E‑Commerce: Challenges, Architecture, and Performance Optimizations
The article examines Alibaba’s large‑scale rollout of full‑site HTTPS across its e‑commerce platforms, detailing the technical hurdles of performance, compatibility, and operational planning, and describing the architectural solutions and optimizations that enabled secure, high‑performance user experiences.
Implementing full‑site HTTPS for a massive e‑commerce platform like Alibaba requires substantial resources, both in manpower and technology, and presents strict technical demands.
While most online stores only secure login and transaction pages, Alibaba is the only global company that has deployed HTTPS across every page of its e‑commerce sites.
HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer) adds an SSL layer to HTTP, providing encryption that is essential for sensitive communications such as payments.
Deploying HTTPS site‑wide is far more complex than securing only critical flows; it involves millions of pages and extensive system complexity.
Key challenges identified include performance impacts from multiple handshakes and RSA verification, the need for all CDN nodes to support HTTPS and handle DDoS, and extensive compatibility work to convert every embedded resource, adapt mobile apps, and update all development and testing environments.
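The embedded-resource conversion named above is usually audited by scanning page markup for subresources still referenced over plain HTTP. The following is an added example, not Alibaba's tooling; the sample page and its hostnames are constructed placeholders, and the tag classification is a simplified assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Browsers block insecure "active" subresources on an HTTPS page outright;
# "passive" ones were historically loaded with a degraded security indicator.
ACTIVE = {"script", "iframe", "object", "embed"}
PASSIVE = {"img", "audio", "video", "source"}

# Constructed sample page; every hostname is a placeholder.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://assets.example.test/site.css">
<link rel="canonical" href="http://shop.example.test/item/1">
<script src="//assets.example.test/app.js"></script>
<script src="http://assets.example.test/track.js"></script>
</head><body>
<a href="http://shop.example.test/cart">cart</a>
<img src="HTTP://img.example.test/p/1.jpg">
<img src="https://img.example.test/p/2.jpg">
</body></html>"""

class MixedContentScanner(HTMLParser):
    """Collect subresource references that would load over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, kind, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        kind = "active" if tag in ACTIVE else "passive" if tag in PASSIVE else None
        if tag == "link":
            # Only fetched link types matter; rel=canonical loads nothing.
            rel = (attrs.get("rel") or "").lower().split()
            kind = "active" if "stylesheet" in rel else None
        if kind is None:
            return  # e.g. <a href> is navigation, not an embedded resource
        for name in ("src", "href", "data"):
            url = (attrs.get(name) or "").strip()
            if urlsplit(url).scheme == "http":  # urlsplit lowercases the scheme
                self.findings.append((self.getpos()[0], tag, kind, url))

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def to_https(url):
    """Suggested rewrite; the asset host must already serve HTTPS."""
    return "https" + url[len("http"):]
```

Protocol-relative references (`//host/path`) and existing `https://` references pass the scan unchanged, so the findings list is exactly the set of references that still need conversion.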
Alibaba addressed these issues by introducing a unified access layer with a control platform, which centralized certificate management and reduced configuration overhead.
Performance was maintained through techniques such as domain convergence to reduce connections, HSTS to eliminate HTTP‑to‑HTTPS redirects, session reuse, and certificate chain optimization.
Security and compatibility were ensured by adopting a dual‑certificate strategy (SHA‑1 and SHA‑256) using OV certificates that support single‑, multi‑, and wildcard domains, and by employing redundant certificate providers and SAN wildcard certificates.
During the 2015 “Double‑11” shopping festival, Alibaba’s systems handled peak transaction rates of 140,000 orders per second and 85,900 payments per second without degradation, demonstrating that full‑site HTTPS can coexist with high traffic volumes.
The wireless (mobile) side also underwent a TLS 1.3 overhaul, replacing RSA with ECDH key exchange to achieve near‑zero handshake latency and improve server performance.
A dedicated scheduling center now controls HTTPS traffic switching across versions, domains, and traffic ratios, allowing seamless, controllable transitions and rapid rollback if needed.
After the transformation, Alibaba’s e‑commerce ecosystem processes the world’s largest HTTPS traffic, covering hundreds of applications and over a million pages, underscoring the necessity of strong commitment and massive investment for such security initiatives.
Alibaba Cloud Infrastructure
For uninterrupted computing services