Imodzi mwamasamba apamwamba a Alexa (chapakati bwalo), otetezedwa ndi HTTPS, okhala ndi ma subdomains (imvi) ndi zodalira (zoyera), pakati pawo pali omwe ali pachiwopsezo (shading shading)
Masiku ano, chizindikiro cholumikizira chotetezedwa cha HTTPS chakhala chokhazikika komanso chofunikira pa tsamba lililonse lalikulu. Ngati
Koma zikuwoneka kuti kukhalapo kwa "lock" mu bar ya adilesi sikutsimikizira chitetezo nthawi zonse.
Zotsatira za kafukufuku
Kafukufukuyu adachitidwa ndi akatswiri ochokera ku yunivesite ya Venice Ca' Foscari (Italy) ndi Vienna Technical University. Apereka lipoti latsatanetsatane ku 40th IEEE Symposium on Security and Privacy, yomwe idzachitika Meyi 20-22, 2019 ku San Francisco.
Masamba apamwamba 10 a Alexa a HTTPS ndi 000 ogwirizana nawo adayesedwa. Masanjidwe osatetezeka a cryptographic adapezeka pa makamu a 90, ndiye kuti, pafupifupi 816% ya onse:
- 4818 osatetezeka ku MITM
- 733 ali pachiwopsezo cha kutsekedwa kwathunthu kwa TLS
- 912 ali pachiwopsezo cha kutsekedwa pang'ono kwa TLS
Masamba a 898 ali otsegukiratu kubera, ndiko kuti, amalola jakisoni wa zolemba zakunja, ndipo masamba 977 amadzaza zomwe zili patsamba lotetezedwa bwino lomwe wowukira angagwirizane nawo.
Ofufuzawa akugogomezera kuti pakati pa 898 "zowonongeka kwathunthu" ndizogulitsa pa intaneti, ntchito zachuma ndi malo ena akuluakulu. Masamba 660 mwa 898 amatsitsa zolemba zakunja kuchokera kwa omwe ali pachiwopsezo: ichi ndiye gwero lalikulu la zoopsa. Malinga ndi olembawo, zovuta zamagwiritsidwe amakono a intaneti zimawonjezera kwambiri kuukira.
Mavuto ena adapezekanso: 10% ya mafomu ovomerezeka ali ndi vuto ndi kufalitsa kotetezedwa kwa zidziwitso, zomwe zimawopseza kutulutsa mawu achinsinsi, masamba a 412 amalola kuthamangitsidwa kwa ma cookie ndi kubedwa kwa gawo, ndipo masamba a 543 akuwukiridwa ndi kukhulupirika kwa cookie (kudzera m'ma subdomains) .
Vuto ndiloti m'zaka zaposachedwa mu ma protocol ndi mapulogalamu a SSL / TLS
Makonda omwe akonzedwa
Palibe amene wavomerezedwa mwalamulo ndikuvomera pamndandanda wamakonzedwe ovomerezeka a HTTPS. Choncho,
Masiku ano
Makasitomala akale omwe amathandizidwa: Firefox 27, Chrome 30, IE 11 pa Windows 7, Edge, Opera 17, Safari 9, Android 5.0, ndi Java 8
server {
listen 80 default_server;
listen [::]:80 default_server;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
resolver <IP DNS resolver>;
....
}
Thandizo lapakati
Makasitomala akale omwe amathandizidwa: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7
server {
listen 80 default_server;
listen [::]:80 default_server;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /path/to/dhparam.pem;
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
resolver <IP DNS resolver>;
....
}
Thandizo Lakale
Makasitomala akale omwe amathandizidwa: Windows XP IE6, Java 6
server {
listen 80 default_server;
listen [::]:80 default_server;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /path/to/dhparam.pem;
# old configuration. tweak to your needs.
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
resolver <IP DNS resolver>;
....
}
Ndibwino kuti nthawi zonse muzigwiritsa ntchito cipher suite ndi mtundu waposachedwa wa OpenSSL. Cipher suite mu zoikamo za seva imatchula zofunikira zomwe zidzagwiritsidwe ntchito, kutengera makonda a kasitomala.
Kafukufuku akuwonetsa kuti sikokwanira kungoyika satifiketi ya HTTPS. "Ngakhale sitigwira ma cookie monga momwe tidachitira mu 2005, ndipo 'TLS yabwino' yakhala yofala, zikuwonekeratu kuti zinthu zofunikazi sizokwanira kuti tipeze masamba ambiri odziwika bwino," adatero.
Source: www.habr.com