Imodzi mwamasamba apamwamba a Alexa (chapakati bwalo), otetezedwa ndi HTTPS, okhala ndi ma subdomains (imvi) ndi zodalira (zoyera), pakati pawo pali omwe ali pachiwopsezo (shading shading)
Masiku ano, chizindikiro cholumikizira chotetezedwa cha HTTPS chakhala chokhazikika komanso chofunikira pa tsamba lililonse lalikulu. Ngati akusowa, pafupifupi asakatuli onse posachedwapa amasonyeza chenjezo kuti ndipo musalimbikitse kusamutsa zinsinsi kwa izo.
Koma zikuwoneka kuti kukhalapo kwa "lock" mu bar ya adilesi sikutsimikizira chitetezo nthawi zonse. kuchokera pamlingo, Alexa adawonetsa kuti ambiri aiwo ali pachiwopsezo chachikulu mu protocol ya SSL / TLS, nthawi zambiri kudzera m'ma subdomains kapena kudalira. Malingana ndi olemba a phunziroli, zovuta za mapulogalamu amakono a intaneti amawonjezera kwambiri kuukira.
Zotsatira za kafukufuku
Kafukufukuyu adachitidwa ndi akatswiri ochokera ku yunivesite ya Venice Ca' Foscari (Italy) ndi Vienna Technical University. Apereka lipoti latsatanetsatane ku 40th IEEE Symposium on Security and Privacy, yomwe idzachitika Meyi 20-22, 2019 ku San Francisco.
Masamba apamwamba 10 a Alexa a HTTPS ndi 000 ogwirizana nawo adayesedwa. Masanjidwe osatetezeka a cryptographic adapezeka pa makamu a 90, ndiye kuti, pafupifupi 816% ya onse:
- 4818 osatetezeka ku MITM
- 733 ali pachiwopsezo cha kutsekedwa kwathunthu kwa TLS
- 912 ali pachiwopsezo cha kutsekedwa pang'ono kwa TLS
Masamba a 898 ali otsegukiratu kubera, ndiko kuti, amalola jakisoni wa zolemba zakunja, ndipo masamba 977 amadzaza zomwe zili patsamba lotetezedwa bwino lomwe wowukira angagwirizane nawo.
Ofufuzawa akugogomezera kuti pakati pa 898 "zowonongeka kwathunthu" ndizogulitsa pa intaneti, ntchito zachuma ndi malo ena akuluakulu. Masamba 660 mwa 898 amatsitsa zolemba zakunja kuchokera kwa omwe ali pachiwopsezo: ichi ndiye gwero lalikulu la zoopsa. Malinga ndi olembawo, zovuta zamagwiritsidwe amakono a intaneti zimawonjezera kwambiri kuukira.
Mavuto ena adapezekanso: 10% ya mafomu ovomerezeka ali ndi vuto ndi kufalitsa kotetezedwa kwa zidziwitso, zomwe zimawopseza kutulutsa mawu achinsinsi, masamba a 412 amalola kuthamangitsidwa kwa ma cookie ndi kubedwa kwa gawo, ndipo masamba a 543 akuwukiridwa ndi kukhulupirika kwa cookie (kudzera m'ma subdomains) .
Vuto ndiloti m'zaka zaposachedwa mu ma protocol ndi mapulogalamu a SSL / TLS : POODLE (CVE-2014-3566), BEAST (CVE-2011-3389), CRIME (CVE-2012-4929), BREACH (CVE-2013-3587), ndi Heartbleed (CVE-2014-0160). Kuti muteteze kwa iwo, makonda angapo amafunikira pa seva ndi mbali ya kasitomala kuti apewe kugwiritsa ntchito mitundu yakale yomwe ili pachiwopsezo. Koma iyi ndi njira yocheperako, chifukwa zokonda zotere zimaphatikizapo kusankha kuchokera pagulu lambiri la ma ciphers ndi ma protocol, omwe ndi ovuta kuwamvetsetsa. Sizidziwika nthawi zonse kuti ndi ma cipher suites ndi ma protocol ati omwe amawonedwa ngati "otetezedwa mokwanira".
Makonda omwe akonzedwa
Palibe amene wavomerezedwa mwalamulo ndikuvomera pamndandanda wamakonzedwe ovomerezeka a HTTPS. Choncho, imapereka njira zingapo zosinthira, kutengera mulingo wofunikira wachitetezo. Mwachitsanzo, nayi zokonda zovomerezeka za seva ya nginx 1.14.0:
Masiku ano
Makasitomala akale omwe amathandizidwa: Firefox 27, Chrome 30, IE 11 pa Windows 7, Edge, Opera 17, Safari 9, Android 5.0, ndi Java 8
server {
listen 80 default_server;
listen [::]:80 default_server;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
resolver <IP DNS resolver>;
....
}Thandizo lapakati
Makasitomala akale omwe amathandizidwa: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7
server {
listen 80 default_server;
listen [::]:80 default_server;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /path/to/dhparam.pem;
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
resolver <IP DNS resolver>;
....
}Thandizo Lakale
Makasitomala akale omwe amathandizidwa: Windows XP IE6, Java 6
server {
listen 80 default_server;
listen [::]:80 default_server;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /path/to/dhparam.pem;
# old configuration. tweak to your needs.
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
resolver <IP DNS resolver>;
....
}Ndibwino kuti nthawi zonse muzigwiritsa ntchito cipher suite ndi mtundu waposachedwa wa OpenSSL. Cipher suite mu zoikamo za seva imatchula zofunikira zomwe zidzagwiritsidwe ntchito, kutengera makonda a kasitomala.
Kafukufuku akuwonetsa kuti sikokwanira kungoyika satifiketi ya HTTPS. "Ngakhale sitigwira ma cookie monga momwe tidachitira mu 2005, ndipo 'TLS yabwino' yakhala yofala, zikuwonekeratu kuti zinthu zofunikazi sizokwanira kuti tipeze masamba ambiri odziwika bwino," adatero. olemba ntchito. Kuti muteteze mayendedwe odalirika pakati pa seva ndi kasitomala, muyenera kuyang'anira mosamala zomanga zanu kuchokera kumagawo anu ang'onoang'ono ndi omwe ali ndi gulu lachitatu komwe zomwe patsambalo zimaperekedwa. Mwina ndizomveka kuyitanitsa kafukufuku kuchokera kukampani ina yachitatu yomwe imagwira ntchito zoteteza zidziwitso.
Source: www.habr.com