HTTPS is not always as secure as it seems. Vulnerabilities found on 5.5% of HTTPS sites

One of the top Alexa sites (central circle), protected by HTTPS, with its subdomains (coloured) and its dependencies (white); the vulnerable ones among them are shaded

These days, the padlock icon of a secure HTTPS connection has become a standard and expected attribute of any serious website. If the certificate is missing, almost all modern browsers show a warning that the connection to the site is "not secure" and advise against sending confidential information over it.

But it turns out that the "lock" in the address bar does not always guarantee protection. A check of the top 10,000 sites from the Alexa ranking showed that many of them are exposed to serious vulnerabilities in the SSL/TLS protocol, often through subdomains or dependencies. According to the study's authors, the complexity of modern web applications greatly increases the attack surface.

Research findings

The study was carried out by researchers from Ca' Foscari University of Venice (Italy) and the Vienna University of Technology. They will present a detailed report at the 40th IEEE Symposium on Security and Privacy, to be held on May 20-22, 2019 in San Francisco.

The top 10,000 HTTPS websites from the Alexa list and 90,816 related hosts were analysed. Vulnerable cryptographic configurations were found on about 5.5% of all hosts:

  • 4818 vulnerable to MITM
  • 733 vulnerable to full TLS decryption
  • 912 vulnerable to partial TLS decryption

898 websites are completely open to compromise, i.e. they allow arbitrary scripts to be injected, and 977 sites load content from weakly protected pages that an attacker can interact with.

The researchers stress that the 898 "fully compromised" resources include online stores, financial services and other major sites. 660 of the 898 websites load external scripts from vulnerable hosts: this is the main source of risk.

Other problems were also discovered: 10% of login forms have issues with the secure transmission of data, which risks password leakage; 412 sites allow cookies to be intercepted and sessions to be hijacked; and 543 sites are vulnerable to cookie integrity attacks (via subdomains).

The problem is that in recent years many vulnerabilities have been found in the SSL/TLS protocols and their implementations: POODLE (CVE-2014-3566), BEAST (CVE-2011-3389), CRIME (CVE-2012-4929), BREACH (CVE-2013-3587) and Heartbleed (CVE-2014-0160). Protecting against them requires a number of settings on both the server and client side to avoid using old, vulnerable versions. But this is not a trivial procedure, because those settings involve choosing from a wide set of ciphers and protocols that are hard to understand. It is not always clear which cipher suites and protocols are considered "secure enough".

Recommended configurations

There is no officially approved and recommended list of HTTPS configurations. Instead, the Mozilla SSL Configuration Generator offers several configuration options depending on the required level of security. For example, here are the recommended settings for an nginx 1.14.0 server:

Modern compatibility

Oldest supported clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

    resolver <IP DNS resolver>;

    ....
}

Intermediate compatibility

Oldest supported clients: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /path/to/dhparam.pem;

    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

    resolver <IP DNS resolver>;

    ....
}

Old compatibility

Oldest supported clients: Windows XP IE6, Java 6

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /path/to/dhparam.pem;

    # old configuration. tweak to your needs.
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

    resolver <IP DNS resolver>;

    ....
}

It is recommended to use the full cipher suite list and the latest version of OpenSSL. The order of the ciphers in the server settings determines which one is selected first, depending on what the client supports.
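To make the three profiles above and the ordering note concrete, here is an added example (not code from the article, the study or Mozilla) that audits the ssl_protocols and ssl_ciphers directives of an nginx server block for the legacy protocols and cipher families the article names, and simulates how ssl_prefer_server_ciphers changes the negotiated suite. The sample profiles are trimmed, constructed versions of the "modern" and "old" configurations shown above; the cipher-selection logic is a simplification of TLS 1.2 negotiation.

```python
# Added example: audit an nginx TLS server block for legacy protocols and weak
# ciphers, then simulate cipher selection with and without server preference.

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # POODLE / BEAST era
WEAK_CIPHER_MARKERS = ("DES-CBC3", "RC4", "MD5", "NULL", "EXPORT", "SEED")

def parse_directives(config):
    """Map each nginx directive to its argument string (comments stripped, last wins)."""
    directives = {}
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";")
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives[parts[0]] = parts[1].strip("'\"")
    return directives

def audit(config):
    """Return human-readable findings; an empty list means the block passes."""
    d = parse_directives(config)
    findings = []
    for proto in sorted(set(d.get("ssl_protocols", "").split()) & LEGACY_PROTOCOLS):
        findings.append(f"legacy protocol enabled: {proto}")
    # Entries starting with '!' are exclusions in OpenSSL cipher-list syntax.
    for suite in d.get("ssl_ciphers", "").split(":"):
        if not suite.startswith("!") and any(m in suite for m in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher allowed: {suite}")
    if "Strict-Transport-Security" not in d.get("add_header", ""):
        findings.append("HSTS header missing")
    return findings

def negotiate(server_suites, client_suites, prefer_server=True):
    """Simplified TLS 1.2 suite selection: the preferred side's list order wins."""
    first, second = (server_suites, client_suites) if prefer_server else (client_suites, server_suites)
    return next((s for s in first if s in second), None)

# Constructed samples: trimmed versions of the article's "modern" and "old" profiles.
MODERN_PROFILE = """
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256';
add_header Strict-Transport-Security max-age=15768000;
"""
OLD_PROFILE = """
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!RC4:!MD5';
add_header Strict-Transport-Security max-age=15768000;
"""
```

With the modern profile as the server list and a client that lists a CBC suite first, negotiate() returns the AES-GCM suite when server order is honoured and the CBC suite when the client's order wins, which is exactly why the ordering matters.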

The research shows that simply installing an HTTPS certificate is not enough. "Even though we no longer handle cookies the way we did in 2005, and 'good TLS' has become commonplace, it turned out that these basics are not enough to secure a surprisingly large number of very popular sites," the authors of the paper say. To reliably protect the channel between server and client, you need to carefully examine the behaviour of your subdomains and of the third-party hosts from which the site's content is served. It may make sense to commission an audit from a third-party company that specialises in information security.

Source: www.habr.com