One of the top Alexa sites (central circle), secured by HTTPS, with subdomains (grey) and dependencies (white), some of which are vulnerable (dashed shading)
These days, the HTTPS secure connection icon has become a standard and even a necessary attribute of any serious website. If
But it turns out that the presence of a "lock" in the address bar does not always guarantee security.
Research results
The study was conducted by experts from Ca' Foscari University of Venice (Italy) and the Vienna University of Technology. They will present a detailed report at the 40th IEEE Symposium on Security and Privacy, to be held on May 20-22, 2019 in San Francisco.
The top 10 HTTPS sites from the Alexa list and 000 related hosts were tested. Vulnerable cryptographic configurations were found on 90 hosts, that is, about 816% of the total:
- 4818 vulnerable to MITM
- 733 vulnerable to full TLS decryption
- 912 vulnerable to partial TLS decryption
898 sites are completely open to hacking, that is, they allow the injection of third-party scripts, and 977 sites load content from poorly protected pages that an attacker can interact with.
The researchers note that the 898 "completely compromised" resources include online stores, financial services and other large sites. 660 of the 898 sites load external scripts from vulnerable hosts: this is the main source of danger. According to the authors, the complexity of modern web applications greatly increases the attack surface.
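The dependency on script hosts described above can be inventoried mechanically. The following is an added example, not code from the study or the original article: it lists every external host a page loads scripts from and flags plain-HTTP loads and missing Subresource Integrity. The sample HTML, the host names and the finding labels are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; every host name here is a placeholder.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"
        integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
<script src="https://stats.example.org/t.js"></script>
<script src="http://ads.example.com/a.js"></script>
<script src="//widgets.example.org/w.js"></script>
</head></html>
"""

class ScriptCollector(HTMLParser):
    """Collect (src, has_integrity) for every <script src=...> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], bool(a.get("integrity"))))

def audit_scripts(page_url, html):
    """Return {host: set of findings} for each script host other than the page's own."""
    page_host = urlsplit(page_url).hostname
    parser = ScriptCollector()
    parser.feed(html)
    report = {}
    for src, has_sri in parser.scripts:
        # urljoin resolves relative and scheme-relative (//host/...) URLs.
        url = urlsplit(urljoin(page_url, src))
        if url.hostname == page_host:
            continue
        findings = report.setdefault(url.hostname, set())
        if url.scheme != "https":
            findings.add("loaded-over-http")   # script can be replaced in transit
        if not has_sri:
            findings.add("no-sri")             # page trusts whatever the host serves
    return report
```

Every host in the report is part of the page's attack surface and needs the same TLS review as the site itself.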
Other problems were also found: 10% of login forms have problems with the secure transmission of information, which threatens password leaks, 412 sites allow interception of cookies and session hijacking, and 543 sites are subject to attacks on cookie integrity (via subdomains).
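An added example (not from the study or the original article) of auditing Set-Cookie headers for the two cookie problems named above: a cookie without Secure is also sent over plain HTTP where it can be intercepted, and a cookie without the `__Host-` prefix can be overwritten from a subdomain. The header values and the finding labels are constructed.

```python
# Constructed Set-Cookie values for illustration.
SAMPLES = [
    "sessionid=abc123; Path=/; Domain=example.com",
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "__Host-session=abc123; Path=/app; Secure; HttpOnly",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def audit_cookie(header):
    """Return (cookie name, list of findings) for one Set-Cookie value."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("no-secure")            # also sent over plain HTTP
    if "httponly" not in attrs:
        findings.append("no-httponly")          # readable by injected scripts
    if "domain" in attrs:
        findings.append("domain-scoped")        # sent to every subdomain
    if not name.startswith("__Host-"):
        findings.append("no-host-prefix")       # a subdomain can overwrite it
    elif ("secure" not in attrs or "domain" in attrs
          or attrs.get("path") != "/"):
        findings.append("invalid-host-prefix")  # browsers reject this cookie
    return name, findings

def audit_headers(headers):
    """Audit several Set-Cookie values, preserving their order."""
    return [audit_cookie(h) for h in headers]
```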
The problem is that in recent years in the SSL/TLS protocols and software
Configuration settings
There is no officially approved and agreed-upon list of recommended HTTPS settings. So,
Modern mode
Supported clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;
    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;
    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
    resolver <IP DNS resolver>;
    ....
}
Intermediate support
Supported clients: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /path/to/dhparam.pem;
    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;
    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
    resolver <IP DNS resolver>;
    ....
}
Old support
Supported clients: Windows XP IE6, Java 6
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /path/to/dhparam.pem;
    # old configuration. tweak to your needs.
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP';
    ssl_prefer_server_ciphers on;
    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;
    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
    resolver <IP DNS resolver>;
    ....
}
It is recommended that you always use the full cipher suite and the latest version of OpenSSL. The cipher suite in the server settings specifies the priority in which the ciphers will be used, depending on the client settings.
The research shows that simply installing an HTTPS certificate is not enough. "While we don't handle cookies the way we did in 2005, and 'decent TLS' has become commonplace, it turns out that these basic things are not enough to secure a surprisingly large number of very popular sites,"
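To compare a deployed configuration with the profiles above, the TLS directives can be checked mechanically. This is an added example, not part of the original article or of any nginx tooling: it reads ssl_protocols, ssl_ciphers, ssl_prefer_server_ciphers and the HSTS header from a configuration and reports what falls outside the modern profile. Both sample excerpts are constructed from values in the profiles above, and the finding labels are hypothetical.

```python
import re

# Protocol versions that the modern profile above does not enable.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")  # ephemeral (forward-secret) key exchange

# Constructed excerpts built from values in the modern and old profiles.
MODERN = """
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security max-age=15768000;
"""
OLD = """
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL';
    ssl_prefer_server_ciphers on;
"""

def directive(conf, name):
    """Return the argument string of the first uncommented `name ...;` line."""
    m = re.search(r"^\s*%s\s+([^;]+);" % re.escape(name), conf, re.MULTILINE)
    return m.group(1).strip().strip("'\"") if m else None

def audit_tls(conf):
    """List findings for the TLS directives in an nginx server block."""
    findings = []
    for proto in (directive(conf, "ssl_protocols") or "").split():
        if proto in LEGACY_PROTOCOLS:
            findings.append("legacy-protocol:" + proto)
    for cipher in (directive(conf, "ssl_ciphers") or "").split(":"):
        if not cipher or cipher.startswith("!"):
            continue                      # exclusions remove suites, skip them
        if "DES-CBC3" in cipher:
            findings.append("3des:" + cipher)
        elif "-" in cipher and not cipher.startswith(FS_PREFIXES):
            # Named suite with static RSA key exchange. Keyword selectors
            # such as HIGH or kEDH+AESGCM are not expanded here.
            findings.append("no-forward-secrecy:" + cipher)
    if directive(conf, "ssl_prefer_server_ciphers") != "on":
        findings.append("client-chooses-cipher")
    if "Strict-Transport-Security" not in conf:
        findings.append("no-hsts")
    return findings
```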
Source: www.habr.com