Ọkan ninu awọn aaye oke ti Alexa (aarin aarin), ti o ni aabo nipasẹ HTTPS, pẹlu awọn agbegbe (awọ grẹy) ati awọn igbẹkẹle (funfun), laarin eyiti awọn ti o ni ipalara wa (iboji ti a fi silẹ)
Ni ode oni, aami asopọ HTTPS ti o ni aabo ti di boṣewa ati paapaa abuda pataki ti eyikeyi aaye pataki. Ti o ba jẹ
Ṣugbọn o wa ni pe wiwa “titiipa” kan ninu ọpa adirẹsi ko ṣe iṣeduro aabo nigbagbogbo.
Awọn abajade iwadi
Iwadi naa ni a ṣe nipasẹ awọn amoye lati Ile-ẹkọ giga ti Venice Ca 'Foscari (Italy) ati Ile-ẹkọ Imọ-ẹrọ Vienna. Wọn yoo ṣafihan ijabọ alaye ni 40th IEEE Symposium lori Aabo ati Aṣiri, eyiti yoo waye May 20-22, 2019 ni San Francisco.
Awọn aaye HTTPS 10 ti o ga julọ Alexa ati awọn agbalejo 000 ti o ni ibatan ni idanwo. Awọn atunto cryptographic ti o ni ipalara ni a rii lori awọn agbalejo 90, iyẹn ni, isunmọ 816% ti lapapọ:
- 4818 jẹ ipalara si MITM
- 733 jẹ ipalara si pipadii TLS ni kikun
- 912 jẹ ipalara si apakan TLS decryption
Awọn aaye 898 ti ṣii patapata fun gige sakasaka, iyẹn ni, wọn gba abẹrẹ ti awọn iwe afọwọkọ ajeji, ati awọn aaye 977 kojọpọ akoonu lati awọn oju-iwe ti o ni aabo ti ko dara ti ikọlu le ṣe pẹlu.
Awọn oniwadi n tẹnuba pe laarin awọn ohun elo 898 "ijẹju patapata" jẹ awọn ile itaja ori ayelujara, awọn iṣẹ inawo ati awọn aaye nla miiran. 660 ninu awọn aaye 898 ṣe igbasilẹ awọn iwe afọwọkọ ita lati ọdọ awọn ọmọ ogun ti o ni ipalara: eyi ni orisun akọkọ ti ewu. Gẹgẹbi awọn onkọwe, idiju ti awọn ohun elo wẹẹbu ode oni pọ si dada ikọlu pupọ.
Awọn iṣoro miiran ni a tun rii: 10% ti awọn fọọmu aṣẹ ni awọn iṣoro pẹlu ifitonileti aabo ti alaye, eyiti o ṣe ihalẹ lati jo awọn ọrọ igbaniwọle, awọn aaye 412 ngbanilaaye ikọlu awọn kuki ati jija igba, ati awọn aaye 543 jẹ koko ọrọ si awọn ikọlu lori iduroṣinṣin kuki (nipasẹ awọn subdomains). .
Iṣoro naa ni pe ni awọn ọdun aipẹ ni awọn ilana SSL / TLS ati sọfitiwia
Niyanju eto
Ko si ẹnikan ti a fọwọsi ni ifowosi ati adehun lori atokọ ti awọn eto HTTPS ti a ṣeduro. Nitorina,
Modern Ipo
Awọn onibara atilẹyin julọ: Firefox 27, Chrome 30, IE 11 lori Windows 7, Edge, Opera 17, Safari 9, Android 5.0, ati Java 8
server {
listen 80 default_server;
listen [::]:80 default_server;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
resolver <IP DNS resolver>;
....
}
Atilẹyin alabọde
Awọn onibara atilẹyin julọ: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7
server {
listen 80 default_server;
listen [::]:80 default_server;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /path/to/dhparam.pem;
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
resolver <IP DNS resolver>;
....
}
Atilẹyin Atijọ
Awọn onibara atilẹyin julọ: Windows XP IE6, Java 6
server {
listen 80 default_server;
listen [::]:80 default_server;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /path/to/dhparam.pem;
# old configuration. tweak to your needs.
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
resolver <IP DNS resolver>;
....
}
A ṣe iṣeduro pe ki o nigbagbogbo lo suite cipher kikun ati ẹya tuntun ti OpenSSL. Suite cipher ti o wa ninu awọn eto olupin ṣalaye pataki ninu eyiti wọn yoo ṣee lo, da lori awọn eto alabara.
Iwadi fihan pe ko to lati kan fi ijẹrisi HTTPS kan sori ẹrọ. “Lakoko ti a ko mu awọn kuki bi a ti ṣe ni ọdun 2005, ati pe “TLS ti o tọ” ti di ibi ti o wọpọ, o han pe awọn nkan ipilẹ wọnyi ko to lati ni aabo nọmba iyalẹnu ti awọn aaye olokiki pupọ,”
orisun: www.habr.com