Imwe yemasaiti epamusoro eAlexa (yepakati denderedzwa), yakachengetedzwa neHTTPS, ine subdomain (grey) uye kutsamira (chena), pakati payo pane vanotambura (shaded)
Mazuva ano, iyo HTTPS yakachengeteka yekubatanidza icon yave yakajairwa uye inotodiwa hunhu hwechero yakakomba webhusaiti. Kana zvisipo, anenge ese mabhurawuza achangoburwa anoratidza yambiro iyo uye usakurudzire kuendesa ruzivo rwakavanzika kwairi.
Asi zvinoitika kuti kuvapo kwe "lock" mubhadha yekero haisi nguva dzose inovimbisa kuchengetedzwa. kubva ku Alexa ranking yakaratidza: vazhinji vavo vanooneswa kune yakakosha SSL/TLS protocol vulnerabilities, kazhinji kuburikidza ne subdomain kana kutsamira. Maererano nevanyori vezvidzidzo, kuoma kwekushandiswa kwemazuva ano kwewebhu kunowedzera zvakanyanya nzvimbo yekurwisa.
Mhedzisiro yekutsvaga
Chidzidzo ichi chakaitwa nenyanzvi kubva kuCa'Foscari University yeVenice (Italy) uye Vienna Technical University. Ivo vachapa rondedzero yakadzama ku40th IEEE Symposium yeChengetedzo uye Yakavanzika, ichaitwa Chivabvu 20-22, 2019 muSan Francisco.
Iwo epamusoro zviuru gumi eHTTPS masaiti pane Alexa's rondedzero uye 10 akabatana mauto akaongororwa. Kusagadzikana kwekriptographic masisitimu akaonekwa pane 000 mauto, kureva, angangoita 90% yehuwandu:
- 4818 vari panjodzi yeMITM
- 733 panjodzi yekuzara kweTLS decryption
- 912 iri panjodzi yekusarudzika TLS decryption
898 saiti dzakavhurika zvachose kubira, ndiko kuti, dzinobvumidza jekiseni rechitatu-bato zvinyorwa, uye 977 saiti dzinodhawunirodha zvirimo kubva kune isina kusimba akachengetedzwa mapeji ayo anorwisa anogona kusangana nawo.
Vatsvakurudzi vanosimbisa kuti pakati pe898 "zvakakanganiswa zvachose" zviwanikwa zvitoro zvepaIndaneti, mabasa emari uye mamwe masayiti makuru. 660 kubva pa898 saiti kurodha ekunze zvinyorwa kubva kune vari munjodzi: iyi ndiyo honze yengozi. Maererano nevanyori, kuoma kwekushandiswa kwewebhu kwemazuva ano kunowedzera zvakanyanya nzvimbo yekurwisa.
Mamwe matambudziko akawanikwa zvakare: 10% yemafomu ekubvumidza ane matambudziko nekufambiswa kwakachengeteka kweruzivo, izvo zvinotyisidzira kuburitswa kwepassword, 412 masaiti anobvumira kubvunzurudzwa kwemakuki uye "sesion kubiwa," uye 543 masaiti anotapukirwa nekurwiswa kwekiki kutendeseka (kuburikidza ne subdomains. )
Dambudziko nderekuti mumakore achangopfuura, SSL/TLS protocol uye software : POODLE (CVE-2014-3566), BEAST (CVE-2011-3389), CRIME (CVE-2012-4929), BREACH (CVE-2013-3587) uye Heartbleed (CVE-2014-0160). Kuti udzivirire kubva kwavari, akati wandei marongero anodiwa pane sevha uye mativi evatengi kudzivirira kushandiswa kweshanduro dzekare dzisina njodzi. Asi iyi inzira isiri-yediki, nekuti marongero akadaro anosanganisira kusarudza kubva kune yakakura seti ye ciphers uye mapuroteni, ayo akaoma kunzwisisa. Izvo hazviwanzo kujeka kuti ndeapi cipher suites uye mapuroteni anonzi "akachengeteka zvakakwana."
Zvirongwa zvinokurudzirwa
Iko hakuna munhu akatenderwa zviri pamutemo uye akabvumirana pane rondedzero yakakurudzirwa HTTPS marongero. Saka, inopa akati wandei magadzirirwo sarudzo, zvichienderana nedanho rinodiwa rekudzivirira. Semuenzaniso, heano marongero akakurudzirwa enginx 1.14.0 server:
Modern mode
Vatengi vekare vanotsigirwa: Firefox 27, Chrome 30, IE 11 paWindows 7, Edge, Opera 17, Safari 9, Android 5.0, uye Java 8
server {
listen 80 default_server;
listen [::]:80 default_server;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
resolver <IP DNS resolver>;
....
}Avhareji rutsigiro
Vatengi vekare vanotsigirwa: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7
server {
listen 80 default_server;
listen [::]:80 default_server;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /path/to/dhparam.pem;
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
resolver <IP DNS resolver>;
....
}Kutsigira kwekare
Vatengi vekare vanotsigirwa: Windows XP IE6, Java 6
server {
listen 80 default_server;
listen [::]:80 default_server;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /path/to/dhparam.pem;
# old configuration. tweak to your needs.
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
resolver <IP DNS resolver>;
....
}Zvinokurudzirwa kugara uchishandisa yakazara cipher suite uye yazvino vhezheni yeOpenSSL. Iyo seti ye ciphers mumaseting evhavha inoratidza kukoshesa kwavachashandiswa, zvichienderana nemagadzirirwo evatengi.
Tsvagiridzo inoratidza kuti kungoisa chitupa cheHTTPS hakuna kukwana. "Kunyangwe isu tisingabati makuki sezvatakaita muna 2005, uye 'ine hunhu TLS' yave chinhu chakajairika, zvinoitika kuti zvinhu zvakakosha izvi hazvina kukwana kuchengetedza nhamba yakakura zvinoshamisa yemasaiti ane mukurumbira," akadaro. vanyori vebasa. Kuti uchengetedze nekuvimbika chiteshi pakati pesevha nemutengi, iwe unofanirwa kunyatso tarisa zvivakwa zveyako subdomain uye yechitatu-bato mauto kubva kune izvo zvesaiti zvinopihwa. Zvingave zvine musoro kuodha yekuongorora kubva kune imwe yechitatu-bato kambani inoita nezvekuchengetedza ruzivo.
Source: www.habr.com