Shulou(Shulou.com)06/01 Report--

HTTPS News

V there are still more than 3 million Windows server2003, XP and Vista users in China. Microsoft has already announced that it will no longer update "Windows server2003, XP, Vista". Due to the lack of security reinforcement, the use of these systems for web data exchange is more likely to cause security incidents: user information disclosure, system exposure, funds theft, data theft, and so on.

V many large foreign Internet companies have enabled HTTPS, which is also the trend of the Internet in the future.

V Baidu is the first site-wide deployment of HTTPS in China, which will play a huge role in promoting the HTTPS process of the domestic Internet.

V most domestic websites do not deploy HTTPS all over the country, but only enable HTTPS on some sub-pages / sub-requests involving accounts or transactions.

V both Microsoft and google have announced that they will no longer support sha1 signing certificates in 2016 and after 2017.

V Mozilla is even more determined to stop supporting SSL of the sha1 algorithm from July 1, 2016.

Introduction

Recently, a friend asked me why many websites have become "https://XXX"". This is because http data transmission is not secure, while https can protect user privacy and prevent traffic hijacking.

Of course, "TLS1.0 and SSL3.0" in https are no longer safe.

So how do you use https to be safe? Here is a brief introduction to the solution provided by https.

Overview of HTTPS

HTTPS can be thought of as HTTP + TLS

V HTTP protocol is familiar to everyone. At present, most WEB applications and websites are transmitted using HTTP protocol.

V TLS is a transport layer encryption protocol, its predecessor is SSL protocol, which was first issued by netscape in 1995, and changed its name to TLS after IETF discussion and specification in 1999. If not specified, both SSL and TLS are talking about the same protocol.

The location of HTTP and TLS at the protocol layer and the composition of the TLS protocol, as shown below:

V TLS protocol mainly has five parts: application data layer protocol, handshake protocol, alarm protocol, encrypted message confirmation protocol, heartbeat protocol.

The v TLS protocol itself is transmitted by the record protocol, and the format of the record protocol is shown at the far right of the figure above.

At present, the commonly used HTTP protocol is HTTP1.1, and the commonly used TLS protocol versions are as follows: TLS1.2, TLS1.1, TLS1.0 and SSL3.0.

Among them, SSL3.0 has been proved to be insecure due to POODLE *, but statistics show that less than 1% of browsers still use SSL3.0. TLS1.0 also has some security vulnerabilities, such as RC4 and BEAST.

TLS1.2 and TLS1.1 have no known security vulnerabilities and are relatively secure. At the same time, there are a large number of extensions to improve speed and performance. It is recommended that you use them. However, Windows server2003, XP, and Vista do not support TLS1.1 and TLS1.2.

It is important to note that TLS1.3 will be a very major reform of the TLS protocol. Both security and user access speed will be qualitatively improved. However, there is no clear release time.

At the same time, HTTP2 has also been formally finalized. Compared with HTTP1.1, this protocol evolved from SPDY protocol is a very significant change, which can significantly improve the efficiency of application layer data transmission.

How can I use HTTPS safely?

HTTP itself is transmitted in clear text without any security processing.

For example, a user searches for a keyword on Baidu, such as "iPhone", and the middleman can see the information and may call to harass the user. When some users complain about using Baidu, they find that there is a long, large advertisement floating on the home page or the result page, which must be the ad content inserted into the page by the middleman. If the hijacking technology is inferior, users can't even access Baidu.

The middleman mentioned here mainly refers to some network nodes, which are the nodes through which user data must be transferred between the browser and the web server. Such as WIFI hotspots, routers, firewalls, reverse proxies, cache servers, etc.

Under the HTTP protocol, middlemen can sniff users' search content at will, steal privacy and even tamper with web pages. However, HTTPS is the nemesis of these hijackings and can be completely effective in defense. In general, the HTTPS protocol provides three powerful features to combat the hijacking mentioned above:

V content encryption: the content from the browser to the web server is transmitted in encrypted form, and the middleman cannot view the original content directly.

Encryption algorithms are generally divided into two types, symmetric encryption and asymmetric encryption. The so-called symmetric encryption (also known as key encryption) means that encryption and decryption use the same key. Asymmetric encryption (also known as public key encryption) means that different keys are used for encryption and decryption.

V identity authentication: ensure that the user accesses the web service. Even if the user is hijacked to a third-party site by DNS, it will remind the user that he has not accessed the web service and may be hijacked.

Identity authentication mainly involves PKI and digital certificates. Usually the PKI (Public key Infrastructure) consists of the following parts:

End entity: terminal entity, which can be a terminal hardware or a website

CA: certificate issuing authority

RA: certificate registration and audit organization. Such as checking the authenticity of the application website or the company.

CRL issuer: responsible for issuing and maintaining certificate revocation list

Repository: responsible for digital certificate and CRL content storage and distribution

V data integrity: prevent content from being impersonated or tampered with by third parties.

Openssl now uses two integrity checking algorithms: MD5 or SHA. As MD5 is likely to conflict in practical applications, try not to use MD5 to verify content consistency. SHA also cannot use SHA0 and SHA1. Professor Wang Xiaoyun of Shandong University in China announced that he had cracked the full version of the SHA-1 algorithm in 2005. The five algorithms of the SHA family are SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512, and the last four are sometimes called SHA-2.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.