ααα αααααααααΌααα½ααααα Alexa (αααααααααααΆα) ααΆααΆαα»ααααα·ααΆαααα HTTPS ααΆαα½αααΉαααααα (ααααααααα) αα·αααΆαα’αΆααααα (αααα) αααα»αα
αααααααααΆαααα ααααααααααΆαααααααα (ααΆαααΆααααααααααΆα
αα)
ααααααααααα ααΌαααααΆαααΆααααααΆαααα»ααααα·ααΆα HTTPS ααΆαααααΆαααΆαααααααΆα αα·αααΌααααΈαααα»αααααααα αΆαααΆα αααααα ααααααααααααααααΆαα½αα ααααα·αααΎ ααΆαα ααααΎαααααααααααααα·ααΈαα»αααααΆααα’αααααα αΆαααΆααααααΆααααα α αΎααα·αααααΆαα’αααααααααααααΆααααααΆαααα ααΆααα
ααα»ααααααΆααααααΆααααααΆααα "α
αΆαααα" αα
αααα»ααααΆαα’αΆααααααΆααα·ααααααααΆααΆααΆαααΆαααΆαααα ααΈααΆαααΆαααααα Alexa ααΆααααα αΆαααΆαα½αααααΆαα
αααΎαααα½αααααΌαααΆαααΆααααααααααααΆαααα
αααα»ααα·ααΈααΆα SSL / TLS ααΆααααααΆααΆααααααααα α¬ααΆαα’αΆαααααα αααααΆαα’ααααα·ααααααααΆααα·ααααΆ ααΆααααα»αααααΆααααααααα·ααΈαααααΆαααααΎα αααααΎαααααααΆααααα αΆααααΆαααααΆααα
ααααααααααΆαααααΆα
ααΆααα·ααααΆαααααααΎα‘αΎααααα’αααααααΆαααααΈααΆαααα·ααααΆααα Venice Ca' Foscari (ααααααα’ααΈααΆααΈ) αα·αααΆαααα·ααααΆααααα αα ααααα Vienna α αα½αααααΉααααα αΆααααΆαααΆααααααα’α·ααα αααα»αααααα·αα·α IEEE ααΎαααΈ 40 ααααΈααΈαα»ααααα·ααΆα αα·αα―αααααΆα αααααΉααααααααΉααααα αα ααααααΈ 20-22 ααα§αααΆ ααααΆα 2019 αα ααΆααα αααααΆαααααΈααααΌα
ααα ααααα HTTPS αααααΈααααα Alexa ααααΌα 10 αα·ααααΆαααΈααααααΆαααααααα ααα½α 000 ααααΌαααΆαααΆαααααα ααΆαααααααα ααΆααααααααααααΈααααααΆααααααααααααΌαααΆαααααΎααα ααΎαααΆαααΈα 90 αααααΊαααα αα 816% ααα ααα½αααα»αα
- 4818 ααΆααααααααααα MITM
- 733 ααΆααααααααα ααααααΆααα·ααααΈα TLS αααααα
- 912 ααΆααααααααα ααααααΆααα·ααααΈα TLS αααααααα
ααα αααααα ααα½α 898 ααΊααΎαα αα ααΆαααααα»αα ααααααΆααα½α α αΌα αααααΊαα½αααα’αα»ααααΆαα±ααα αΆαααααα αΌαααααααΈαααΆααααα α αΎαααα αααααα ααα½α 977 αααα»αααΆαα·ααΆααΈααααααααααΆαααΆαααΆαααΆααα·αααα’ αααα’αααααΆααααα αΆαα’αΆα ααααΎα’ααααααααααΆαα½αα
α’αααααααΆαααααΆαααΆααααααααααααααΆ αααα»αα ααααααααΆα 898 "αααααααΌαααΆααααααααααα½αααΆαααααα»α" ααΆαα αΆααααααΆαα’ααΈαααΊαα·α ααααΆααααα α·ααααααααα» αα·αααα ααααααααααααααααα ααα ααααα 660 αααα»αα αααα 898 ααΆαααααααααΈαααΆααααα ααΈαααΆαααΈααααααΆααααααααα αααααΊααΆααααααααααααααΆααα ααααα αααααΆαα’ααααα·αααα ααΆααααα»αααααΆααααααααα·ααΈαααααΆαααααΎααααααΎαααααααΆααααα αΆααααΆαααααΆααα
αααα αΆααααααααααααααΌαααΆαααααΎααααααα 10% ααααααααααΆαα’αα»ααααΆαααΆααααα αΆααΆαα½αααΉαααΆααααααΌαααααααΆααααααααααα»ααααα·ααΆα αααααααΆαααα αααααααΆαααα ααααΆαααΆααααααααΆαα ααα ααααα 412 α’αα»ααααΆαα±ααααααΆααα αΆαα cookies αα·αααΆααα½α αα session α αΎα 543 ααα αααααααααΌαααα½αααααΆαααΆααααα αΆαααΎ cookie integrity (ααΆαααα subdomains) .
αααα αΆααΊααΆαα αααα»αααα»ααααΆαααααΆαααααΈαααααα αααα»ααα·ααΈααΆααα·ααααααα·ααΈ SSL / TLS α POODLE (CVE-2014-3566), BEAST (CVE-2011-3389), CRIME (CVE-2012-4929), BREACH (CVE-2013-3587), αα·α Heartbleed (CVE-2014-0160)α ααΎααααΈααΆαααΆααααααΆααααΉααα½αααΆ ααΆαααααααα½αα ααα½αααααΌαααΆαααΆαααΆααα ααΎααααααααΆαααΈααα αα·ααααααα’αα·αα·αα ααΎααααΈαααααΆαααΆαααααΎαααααααααΆααααααααα αΆααα ααα»αααααααααΊααΆααΈαα·αα·ααΈααααα·ααααααΆααΏαααΌα ααΆα ααααα ααΈαααααααΆααααααααααααααΆαααααααααΉαααΆαααααΎαααΎαααΈαααα»αααΌααααααΆαα αα·ααα·ααΈααΆαααααΌααααΌααΆα ααααα·ααΆααααααΆααα ααΆαα·ααααααα αααΆααααΆαα»ααααααΆαα αα·ααα·ααΈααΆαααΆαα½αααααΌαααΆαα αΆαααα»αααΆ "ααΆααα»ααααα·ααΆααααααααααΆαα" αααααα
ααΆαααααααααααΆαααααΆα
αα·αααΆαααααΆααααΆααααΆααααααααααΆααααΌαααΆα αα·ααααααααααΎαααααΈααααΆαααααα HTTPS αααααΆαααααΆαααα ααΌα αααα αααααααΌααααααΎαααααΆαααααααα ααΆααααααααααΆα αααΎα α’αΆαααααααΎααααα·αααααΆαααΆαααΆααααααααΌαααΆαα α§ααΆα ααα ααΆαααααααααααΆααΆαααααααααααΆαααααΆααααααΆαααααΆαααΈααα nginx 1.14.0α
ααααααααΎα
α’αα·αα·αααααααΆααααα αΆααααΆαααα Firefox 27, Chrome 30, IE 11 αα ααΎ Windows 7, Edge, Opera 17, Safari 9, Android 5.0, αα·α Java 8
server {
listen 80 default_server;
listen [::]:80 default_server;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
resolver <IP DNS resolver>;
....
}ααΆαααΆααααααααα
α’αα·αα·αααααααΆααααα αΆααααΆαααα Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7
server {
listen 80 default_server;
listen [::]:80 default_server;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /path/to/dhparam.pem;
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
resolver <IP DNS resolver>;
....
}ααΆαααΆααααα αΆαα
α’αα·αα·αααααααΆααααα αΆααααΆαααα Windows XP IE6, Java 6
server {
listen 80 default_server;
listen [::]:80 default_server;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /path/to/dhparam.pem;
# old configuration. tweak to your needs.
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
resolver <IP DNS resolver>;
....
}ααΆααααΌαααΆαααααΆαααΆα’ααααααααααααΎαα»αα’αααααααααΆαααααααα αα·αααααα α»αααααααααα»ααααα OpenSSL α αα»α cipher αα αααα»αααΆαααααααααΆαααΈααα αααααΆααααΈα’αΆαα·ααΆαααααα½αααΆααΉαααααΌαααΆαααααΎ α’αΆαααααααΎααΆαααααααααΆαααΈααααααα
ααΆαααααΆαααααΆααααα αΆαααΆααΆαα·ααααααααααΆααααΎααααΈααα‘αΎααα·ααααΆαααααα HTTPS ααα "αααααααααααΎααα·ααααααααααααΌααΈααΌα αααααΎαααΆαααααΎαααα»αααααΆα 2005 α αΎα ' TLS αααααα' ααΆαααααΆαααΆααΏαααααααΆ ααΆαααα αΆαααΆααΏαααΆααΌαααααΆαααΆααααααα·ααααααααααΆααααΎααααΈααΆααΆααΆαααΌαα ααα½αααα αααΎααα½αα±ααααααΆααααα’αΎαααααα αααααααααα·ααααααΆαα" α’ααααα·ααααααααΆαααΆαα ααΎααααΈααΆαααΆαααα»αααα·ααααΆααααΆαααΈααα αα·ααααΆαααΈααααααααααααααααΆαααΏααΆαα α’αααααααΌααααα½ααα·αα·αααααααααα»αααααααααααΌαα αααααΆαα ααΆααααααααααΈαααααααααΆαααααα½αααααα’ααα αα·ααααΆαααΈαααΆααΈααΈααΈααΈααΆαα·ααΆααΆαα½ααααααΆααααα αααααααααΌαααΆαααααααααααα αααα ααααΆααΆααα ααα»αααααα»αααΆααααααΆαα·ααααααααααΈαααα»αα αα»αααΆααΈααΈααΈαα½αα ααα½ααααααΆαα―ααααααΆαααααα·αα»αααααααΆαα
ααααα: www.habr.com