HTTPS is not always as secure as it seems. Vulnerabilities found in 5.5% of HTTPS sites

One of the top Alexa sites (central circle), secured by HTTPS, with its subdomains (gray) and dependencies (white), some of which are vulnerable (dashed shading)

Nowadays the HTTPS secure connection icon has become a standard, even a necessary attribute of any serious site. If the certificate is missing, almost all recent browsers show a warning that the connection to the site is "not secure" and advise against sending confidential information to it.

But it turns out that a "lock" in the address bar does not always guarantee protection. A check of the 10,000 leading sites in the Alexa ranking showed that many of them are exposed to critical vulnerabilities in the SSL/TLS protocols, usually through subdomains or dependencies. According to the authors of the study, the complexity of modern web applications greatly increases the attack surface.

Research results

The study was carried out by researchers from Ca' Foscari University of Venice (Italy) and the Vienna Technical University. They will present a detailed report at the 40th IEEE Symposium on Security and Privacy, which will be held on May 20-22, 2019 in San Francisco.

The top 10,000 HTTPS sites from the Alexa list and 90,816 related hosts were analyzed. Vulnerable cryptographic configurations were found on approximately 5.5% of the hosts:

  • 4818 vulnerable to MITM
  • 733 vulnerable to full TLS decryption
  • 912 vulnerable to partial TLS decryption

898 sites are completely open to compromise, that is, they allow third-party scripts to be injected, and 977 sites load content from poorly protected pages that an attacker can interact with.

The researchers emphasize that the 898 "completely compromised" resources include online stores, financial services and other major sites. 660 of the 898 sites load external scripts from vulnerable hosts: this is the main source of danger. According to the authors, the complexity of modern web applications greatly increases the attack surface.

Other problems were found as well: 10% of login forms have problems with the secure transmission of information, which threatens to leak passwords; 412 sites allow cookies to be intercepted and sessions to be hijacked; and 543 sites are open to attacks on cookie integrity (through subdomains).

The problem is that in recent years a number of vulnerabilities have been disclosed in the SSL/TLS protocols and software: POODLE (CVE-2014-3566), BEAST (CVE-2011-3389), CRIME (CVE-2012-4929), BREACH (CVE-2013-3587), and Heartbleed (CVE-2014-0160). Protecting against them requires a number of settings on both the server side and the client side so that old, vulnerable versions are not used. But this is a fairly non-trivial procedure, because such settings mean choosing from a large set of ciphers and protocols that are quite difficult to understand. It is not always clear which cipher suites and protocols count as "secure enough".

Recommended settings

There is no officially approved and agreed list of recommended HTTPS settings. So the Mozilla SSL Configuration Generator offers several configuration options, depending on the level of protection required. For example, here are the recommended settings for an nginx 1.14.0 server:

Modern mode

Oldest supported clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8

server {
listen 80 default_server;
listen [::]:80 default_server;

# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://$host$request_uri;
}

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;

# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;


# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;

## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

resolver <IP DNS resolver>;

....
}

Intermediate support

Oldest supported clients: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7

server {
listen 80 default_server;
listen [::]:80 default_server;

# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://$host$request_uri;
}

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;

# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /path/to/dhparam.pem;

# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;

## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

resolver <IP DNS resolver>;

....
}

Old support

Oldest supported clients: Windows XP IE6, Java 6

server {
listen 80 default_server;
listen [::]:80 default_server;

# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://$host$request_uri;
}

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;

# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /path/to/dhparam.pem;

# old configuration. tweak to your needs.
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP';
ssl_prefer_server_ciphers on;

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;

## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

resolver <IP DNS resolver>;

....
}

It is recommended that you always use the full cipher suite and the latest version of OpenSSL. The cipher suite in the server settings specifies the priority in which the ciphers will be used, depending on the client's settings.
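A quick way to see what each of the three profiles above still exposes is to read the `ssl_protocols` and `ssl_ciphers` directives and map them to the flaws the article names. The following is an added example, not code from the article or from Mozilla; the sample configs are constructed, shortened versions of the profiles, and the check only looks at explicitly named OpenSSL suites (group keywords such as `HIGH` are skipped), so it is a heuristic rather than a full cipher-string evaluation.

```python
import re

def directive(conf, name):
    """Arguments of the last `name ...;` directive in an nginx config, or ''."""
    hits = re.findall(r"^\s*" + re.escape(name) + r"\s+([^;]+);", conf, re.M)
    return hits[-1].strip().strip("'\"") if hits else ""

def named_suites(cipher_string):
    """Explicit OpenSSL suite names; skips '!' exclusions and group keywords."""
    return [c for c in cipher_string.split(":")
            if "-" in c and "+" not in c and not c.startswith(("!", "-"))]

def audit(conf):
    protocols = directive(conf, "ssl_protocols").split()
    suites = named_suites(directive(conf, "ssl_ciphers"))
    aead = ("GCM", "CHACHA20", "CCM")
    # Anything that is neither AEAD nor RC4 is a CBC-mode suite.
    cbc = [s for s in suites if "RC4" not in s and not any(a in s for a in aead)]
    findings = []
    if "SSLv3" in protocols:
        findings.append("SSLv3 enabled: POODLE (CVE-2014-3566)")
    if "TLSv1" in protocols and cbc:
        findings.append("TLSv1 with CBC suites: BEAST (CVE-2011-3389)")
    if any("DES-CBC3" in s for s in suites):
        findings.append("3DES suites offered")
    if any(not s.startswith(("ECDHE-", "DHE-", "EDH-")) for s in suites):
        findings.append("suites without forward secrecy offered")
    return findings

# Constructed samples: shortened versions of the page's modern and old profiles.
MODERN = """
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA256';
"""
OLD = """
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES128-SHA:HIGH:!aNULL:!MD5';
"""

if __name__ == "__main__":
    for label, conf in (("modern", MODERN), ("old", OLD)):
        print(label, audit(conf) or "no findings")
```

The suites a server actually negotiates also depend on the OpenSSL build, so a live handshake test against the deployed host remains the authoritative check.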

The research shows that simply installing an HTTPS certificate is not enough. "Although we don't handle cookies the way we did in 2005, and 'decent TLS' has become commonplace, it turns out that these basic things are not enough to secure a large number of popular sites," say the authors of the work. To reliably protect the channel between the server and the client, you need to carefully monitor the infrastructure of your own subdomains and of the third-party hosts that deliver content for the site. It may make sense to order an audit from a third-party company that specializes in information security.
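Monitoring subdomains and third-party hosts starts with knowing which hosts actually deliver scripts to a page, since each of them needs the same TLS scrutiny as the main site. The inventory below is an added example, not code from the article or the study; `base_domain` and the sample HTML are constructed assumptions, and the Subresource Integrity check goes beyond what the article discusses.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptCollector(HTMLParser):
    """Collects (absolute script URL, has integrity attribute) pairs."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((urljoin(self.page_url, a["src"]), "integrity" in a))

def script_hosts(page_url, base_domain, html):
    """Map every host serving scripts to the page to its risk flags."""
    collector = ScriptCollector(page_url)
    collector.feed(html)
    report = {}
    for url, has_sri in collector.scripts:
        parts = urlsplit(url)
        host = parts.hostname
        if not host:                      # data: URLs and similar carry no host
            continue
        own = host == base_domain or host.endswith("." + base_domain)
        entry = report.setdefault(
            host, {"own": own, "plaintext": False, "no_sri": False})
        entry["plaintext"] |= parts.scheme == "http"   # script fetched over HTTP
        entry["no_sri"] |= not has_sri                 # no integrity pin on the tag
    return report

# Constructed sample page; all hosts are placeholders.
SAMPLE = """
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/cart.js"></script>
<script src="//static.example.net/lib.js" integrity="sha384-CONSTRUCTED"
        crossorigin="anonymous"></script>
<script src="http://ads.example.org/t.js"></script>
<script>inline()</script>
"""

if __name__ == "__main__":
    hosts = script_hosts("https://www.example.com/shop", "example.com", SAMPLE)
    for host, flags in sorted(hosts.items()):
        print(host, flags)
```

Every host in the report, own or third-party, belongs on the list of servers whose TLS configuration gets audited.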


Source: www.habr.com