Ib qho ntawm Alexa qhov chaw saum toj kawg nkaus (lub voj voog nruab nrab), ruaj ntseg los ntawm HTTPS, nrog subdomains (grey) thiab dependencies (dawb), ntawm cov uas muaj qhov tsis zoo (dashed shading)
Niaj hnub no, HTTPS ruaj ntseg kev twb kev txuas icon tau dhau los ua tus qauv thiab txawm tias tsim nyog tus cwj pwm ntawm txhua qhov chaw loj. Yog ploj lawm, yuav luag tag nrho cov browsers tsis ntev los no qhia ceeb toom tias thiab tsis pom zoo kom hloov cov ntaub ntawv tsis pub lwm tus paub rau nws.
Tab sis nws hloov tawm hais tias lub xub ntiag ntawm "lock" nyob rau hauv qhov chaw nyob bar tsis yog ib txwm lav kev tiv thaiv. los ntawm kev ntsuam xyuas, Alexa tau pom tias ntau ntawm lawv raug cuam tshuam rau qhov tsis zoo hauv SSL / TLS raws tu qauv, feem ntau yog los ntawm subdomains lossis dependencies. Raws li cov kws sau ntawv ntawm txoj kev tshawb no, qhov nyuaj ntawm cov ntawv thov web niaj hnub no ua rau muaj kev tawm tsam ntau heev.
Cov txiaj ntsig tshawb fawb
Txoj kev tshawb no tau ua los ntawm cov kws tshaj lij ntawm University of Venice Ca' Foscari (Ltalis) thiab Vienna Technical University. Lawv yuav nthuav tawm cov lus qhia ntxaws ntxaws ntawm 40th IEEE Symposium ntawm Kev Ruaj Ntseg thiab Kev Nyab Xeeb, uas yuav muaj lub Tsib Hlis 20-22, 2019 hauv San Francisco.
Sab saum toj 10 Alexa npe HTTPS qhov chaw thiab 000 tus tswv muaj feem cuam tshuam tau raug sim. Cov kev teeb tsa tsis zoo cryptographic tau kuaj pom ntawm 90 tus tswv, uas yog, kwv yees li 816% ntawm tag nrho:
- 4818 qhov yooj yim rau MITM
- 733 yog qhov yooj yim rau tag nrho TLS decryption
- 912 yog qhov yooj yim rau ib nrab TLS decryption
898 qhov chaw qhib tag nrho rau kev nyiag nkas, uas yog, lawv tso cai rau kev txhaj tshuaj ntawm cov ntawv sau ntxiv, thiab 977 qhov chaw thauj khoom los ntawm cov nplooj ntawv tiv thaiv tsis zoo uas tus neeg tawm tsam tuaj yeem cuam tshuam nrog.
Cov kws tshawb fawb tau hais tias ntawm 898 "kev cuam tshuam tag nrho" cov peev txheej yog cov khw hauv online, kev pabcuam nyiaj txiag thiab lwm qhov chaw loj. 660 tawm ntawm 898 qhov chaw rub tawm cov ntawv sau sab nraud los ntawm cov tswv tsis muaj zog: qhov no yog qhov tseem ceeb ntawm kev txaus ntshai. Raws li cov kws sau ntawv, qhov nyuaj ntawm kev siv lub vev xaib niaj hnub no ua rau muaj kev tawm tsam ntau heev.
Lwm yam teeb meem kuj tau pom: 10% ntawm daim ntawv tso cai muaj teeb meem nrog kev ruaj ntseg ntawm cov ntaub ntawv, uas hem kom xau passwords, 412 qhov chaw tso cai cuam tshuam cov ncuav qab zib thiab kev sib tham hijacking, thiab 543 qhov chaw raug tawm tsam ntawm cov ncuav qab zib ncaj ncees (los ntawm subdomains) .
Qhov teeb meem yog tias nyob rau hauv xyoo tas los no hauv SSL / TLS raws tu qauv thiab software : POODLE (CVE-2014-3566), BEAST (CVE-2011-3389), CRIME (CVE-2012-4929), BREACH (CVE-2013-3587), thiab Heartbleed (CVE-2014-0160). Txhawm rau tiv thaiv lawv, ntau qhov kev teeb tsa yuav tsum muaj nyob rau ntawm tus neeg rau zaub mov thiab cov neeg siv khoom kom tsis txhob siv cov qauv qub qub. Tab sis qhov no yog cov txheej txheem tsis tseem ceeb, vim hais tias cov kev teeb tsa no suav nrog kev xaiv los ntawm ntau txheej ciphers thiab cov txheej txheem, uas nyuaj rau nkag siab. Nws tsis yog ib txwm paub tseeb tias qhov twg cipher suites thiab cov txheej txheem raug suav tias yog "kev nyab xeeb txaus".
Pom zoo teeb tsa
Tsis muaj leej twg pom zoo thiab pom zoo raws li daim ntawv teev npe HTTPS pom zoo. Yog li ntawd, muaj ntau yam kev xaiv configuration, nyob ntawm seb yuav tsum muaj kev tiv thaiv qib. Piv txwv li, ntawm no yog cov chaw pom zoo rau nginx 1.14.0 server:
Niaj hnub nimno hom
Cov neeg laus tshaj plaws txhawb nqa: Firefox 27, Chrome 30, IE 11 ntawm Windows 7, Edge, Opera 17, Safari 9, Android 5.0, thiab Java 8
server {
listen 80 default_server;
listen [::]:80 default_server;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
resolver <IP DNS resolver>;
....
}Kev txhawb nqa nruab nrab
Cov neeg laus tshaj plaws txhawb nqa: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7
server {
listen 80 default_server;
listen [::]:80 default_server;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /path/to/dhparam.pem;
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
resolver <IP DNS resolver>;
....
}Kev txhawb qub
Cov neeg laus tshaj plaws txhawb nqa: Windows XP IE6, Java 6
server {
listen 80 default_server;
listen [::]:80 default_server;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /path/to/dhparam.pem;
# old configuration. tweak to your needs.
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
resolver <IP DNS resolver>;
....
}Nws raug pom zoo tias koj ib txwm siv tag nrho cov cipher suite thiab qhov tseeb version ntawm OpenSSL. Lub cipher suite nyob rau hauv qhov chaw server qhia qhov tseem ceeb uas lawv yuav raug siv, nyob ntawm tus neeg siv khoom.
Kev tshawb fawb qhia tias nws tsis txaus los tsuas yog nruab ib daim ntawv pov thawj HTTPS. "Thaum peb tsis tuav cov ncuav qab zib zoo li peb tau ua hauv xyoo 2005, thiab 'TLS' tau dhau los ua qhov qub, nws hloov tawm tias cov khoom siv no tsis txaus los ua kom muaj qhov xav tsis thoob ntawm qhov chaw nrov heev," cov kws sau ntawv ua haujlwm. Txhawm rau tiv thaiv cov channel ntawm cov neeg rau zaub mov thiab cov neeg siv khoom, koj yuav tsum ua tib zoo saib xyuas cov txheej txheem los ntawm koj tus kheej subdomains thiab lwm tus tswv tsev los ntawm cov ntsiab lus twg rau qhov chaw nkag. Tej zaum nws yuav ua rau muaj kev txiav txim siab los ntawm qee lub tuam txhab thib peb uas tshwj xeeb hauv kev ruaj ntseg cov ntaub ntawv.
Tau qhov twg los: www.hab.com