johnpoint

johnpoint

(。・∀・)ノ゙嗨
github
HomeArchives关于我小伙伴们

Still haven't added HTTPS to your website?

#安全#SSL#建站58
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
This article emphasizes the importance of using HTTPS for website security. It explains that while HTTPS is more secure than HTTP, it is not completely foolproof. The article includes a story about monks using encryption to exchange letters, highlighting the limitations of encryption methods. It also discusses the risks associated with self-signed certificates and the vulnerability of using common passwords. The article concludes by mentioning the trustworthiness issues with certain certificate authorities, specifically mentioning the case of WoSign and advising websites to replace their certificates.

slug: Haven't you added https to your website yet?
title: Haven't you added https to your website yet?
date: 2018-02-11 05:47:16
tags:

  • Security
  • SSL
  • Website Building
  • What is https?
    Now, please look at the address bar of your browser. You will see a green lock or a similar security symbol, indicating that my blog has added https to ensure the security of data transmission~

So, what is https?

HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) is an HTTP channel with security as its goal. In simple terms, it is the secure version of HTTP.
From Baidu Baike

Simply put, https ensures that the content presented to you by this website has not been tampered with.

A Little Story#

However, https is not completely secure. I saw a story on Zhihu (a Chinese question-and-answer website) that goes like this: (Italicized comments are added by the author)

Once upon a time, there was a temple on the mountain, and there was a monk in the temple... Stop fooling around, here comes the old monk.

The young monk asked the old monk: Why does SSL make http secure?

The old monk replied: For example, you and I have the same password. When I send a message to you, I encrypt it with this password, and when you receive the message, you decrypt it with this password, so you can know the content of my message. Other idle people who secretly obtain the message can only sigh at the message because they don't know the password. This password is called a symmetric password. SSL uses symmetric passwords to encrypt and decrypt http content, making http secure. The commonly used encryption algorithms are mainly 3DES and AES.

The young monk touched his head and asked the old monk: Master, if we both choose "monk" as the password and create a monk algorithm, wouldn't our communication be worry-free?

The old monk gave the young monk a ruler on the head and said: Then I have to use "monk" as the password when I write a love letter to the little flower at the foot of the mountain, right? After thinking for a moment, the old monk gave the young monk another ruler: Although we are monks, not programmers, we can't reinvent the wheel. In the past, a group of talented programmers created the security algorithm WEP for Wifi, but later found out that it was a decorative pillow, which became a joke in the security community. Besides, the little flower only knows 3DES and AES, how would she know the monk algorithm?

The young monk asked: What should we do then?

The old monk said: As long as you and I know the password for each message, we can read each other's encrypted letters. The key is how we know this symmetric password between us. If I write the password in a letter to her and the letter is stolen, then everyone will know our password and be able to understand our love letters. But there is a solution. Here, I use the secret asymmetric password passed down in the martial arts world. I now have two passwords in my hands, one is called "public key" and the other is called "private key". The public key is published in the martial arts world and many people know it, but the private key, only I know in the martial arts world. These two keys are mathematically related, which means that a message encrypted with the public key can be decrypted with the private key, but it cannot be decrypted with the public key. Little Flower knows the public key. Every time she writes a letter to me, she encrypts her symmetric password with my public key, writes a separate password paper, and then encrypts her letter with her symmetric password. In this way, I can use my private key to decrypt this symmetric password and then use this symmetric password to decrypt her letter.

This encryption method is called generating a self-signed certificate. This method is not completely secure, and it is manifested as a red https with a strikethrough in the Chrome address bar.

The old monk paused and said: Unfortunately, she always uses symmetric passwords like "Why does the monk write love letters", so every time I decrypt the password paper, I am always disappointed. In fact, the symmetric passwords I prefer are things like "Wind and Flowers" and "Snow and Moon". The most troublesome thing is that I have to use the password "Why does the monk write love letters" to encrypt the love letters I write back to Little Flower. The most painful thing in the world is this. But little did I know that there was someone more miserable than me. Zhang the butcher at the foot of the mountain has been secretly in love with Little Flower for many years. Seeing our correspondence, he felt very uncomfortable and took the initiative to replace the pilgrims to deliver our letters. The first time he delivered a letter to Little Flower, he gave her his own public key, falsely claiming that it was my updated public key. Little Flower believed it, and all subsequent password papers were encrypted with Zhang the butcher's public key. After Zhang the butcher received the reply, he decrypted Little Flower's symmetric password with his private key, and not only could he see all the contents of Little Flower's letter, but he could also use this password to forge letters from Little Flower to me. He could also encrypt letters to Little Flower with his private key. Gradually, I noticed that the letters had changed. Although I was suspicious, I had no concrete evidence. Once I wrote a letter asking Little Flower about the first symmetric password she used, and the password "Why does the monk write love letters" was listed in the reply. So my doubts were slightly relieved. It wasn't until I went to visit the old abbot of Shaolin Temple on Song Mountain that I realized that because my public key didn't have a fire seal, anyone could forge a public key claiming to be mine. In this way, this person could read the letters written to me by others, forge letters written to me by others, and read my replies. This kind of martial arts skill is called "Man-in-the-middle attack". The only way to crack it is to use the fire seal of Shaolin Temple (a certificate issued by a CA organization). This fire seal is quite particular. I need to submit my public key and my position in the martial arts world to the 18 Arhats Committee. They will use the committee's private key to digitally sign based on this information, and the signed information will be highlighted on the fire seal. The authenticity of the public key with the fire seal is unquestionable in the martial arts world. You should know that no one dares to offend the 18 Arhats.

The young monk asked: What happened next?

The old monk said: When I returned to the temple from Shaolin Temple on Song Mountain, I personally delivered the public key with the fire seal to Little Flower, but I never received any letters from her afterwards. It wasn't until a year later that I found out that Little Flower had indeed written letters to me. At that time, the letters were indeed encrypted with the public key with the fire seal. After Zhang the butcher received the letters, because he didn't know my private key, he couldn't decrypt Little Flower's password-protected letters, so he burned all the letters in anger. Also, because Zhang the butcher couldn't know Little Flower's symmetric password and couldn't reply to her, Little Flower's letters went unanswered and she became suspicious, asking around about my well-being. Zhang the butcher became anxious. He used my published public key and sent me a letter in the tone of Little Flower. When I received the letter, I felt strange. Why did the letter smell like lard? And at the end, it even asked about my private key with concern. Knowing that it was a trap, I thought about finding a way to confirm whether the letter was really written by Little Flower. Later, I came up with a solution...

The old monk touched his bald head and said: I didn't lose my hair in vain. I asked a pilgrim to pass a message to Little Flower, telling her that I was fine and hoping that she would have her own happiness, no, her own pair of asymmetric keys. After Little Flower entrusted the Little Town Beauty Association to put a fire seal on her public key, she asked the pilgrim to deliver it to me. So every time Little Flower writes a letter to me, she will stick a small peony on the password paper, and write a message encrypted with her own private key on the peony. When I receive a letter claiming to be from Little Flower, I will first take out the password paper, remove the peony, and use Little Flower's public key to decrypt this message. If I can't decrypt it, I will directly throw away the entire letter along with the password paper, because this letter must not be written by Little Flower. If I can decrypt it, then I can be sure that the letter is from Little Flower, and I will carefully decode and read it.

The young monk said: No wonder I heard that Zhang the butcher was driven to death. Your love letters are so complicated that it gives me a headache. When I grow up, I will just shout loudly to the people below the mountain if I have something to say, so I don't have to go through all this trouble. But I understand what the person upstairs said. The handshake phase of SSL is indeed about checking the fire seal, reading the peony, and decrypting the password paper. It is really troublesome. Once both parties know the symmetric password, the decoding and reading phase will be much smoother.

Edited on 2014-04-28

Copyright belongs to the author.

Source: How much more server resources does HTTPS use compared to HTTP? Answer by Mu Xudong

However, not all certificates issued by CA organizations are trustworthy. For example:

Violating multiple certificate authority requirements, Chrome completely cancels trust in China WoSign's SSL certificates

In September 2016, Mozilla exposed WoSign's forgery of certificate issuance dates and concealment of acquisitions, and announced the suspension of trust in certificates issued by the organization. Apple and Google followed suit. Recently, Google announced that after the release of a new version in September, its Chrome browser will cancel trust in all certificates issued by WoSign and its acquisition StartCom, regardless of whether they are new or old. It is recommended that websites currently using these digital certificates consider replacing them.

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.