johnpoint

johnpoint

(。・∀・)ノ゙嗨
github
HomeArchives关于我小伙伴们

Still haven't added HTTPS to your website?

#安全#SSL#建站32
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
This text discusses the importance of adding HTTPS to websites for security purposes. It explains that HTTPS ensures that website content is not tampered with and mentions a story about a monk explaining symmetric passwords in SSL. It also discusses the use of self-signed certificates, the vulnerability of using a common password, and the need for digital signatures from trusted authorities. The text ends with a mention of the untrustworthiness of certificates issued by WoSign and the recommendation to replace them.

slug: Haven't added https to your website yet?
title: Haven't added https to your website yet?
date: 2018-02-11 05:47:16
tags:

  • Security
  • SSL
  • Website Building
  • What is https?
    Now, please look at the address bar of your browser, you will see a green lock or a similar security symbol, which means my blog has added https to ensure the security of data transmission~

So, what is https?

HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) is an HTTP channel with security as its goal. In simple terms, it is the secure version of HTTP.
From Baidu Baike

Simply put, https ensures that the content presented to you by this website has not been tampered with.

A little story#

However, https is not completely secure. I saw a story on Zhihu (a Chinese Q&A platform) that goes like this: (Italicized comments are added by the author)

Once upon a time, there was a temple on the mountain, and there was a monk in the temple... Stop messing around, the old monk is here.

The young monk asked the old monk: Why does SSL make HTTP secure?

The old monk replied: For example, you and I have the same password. When I send a letter to you, I encrypt it with this password. When you receive the letter, you decrypt it with this password, and you can know the content of my letter. Other idle people who secretly obtain the letter can only sigh at the letter because they don't know the password. This password is called a symmetric password. SSL uses symmetric passwords to encrypt and decrypt HTTP content, making HTTP secure. The commonly used encryption algorithms are mainly 3DES and AES.

The young monk touched his head and asked the old monk: Master, if we both choose "monk" as the password and create a monk algorithm, wouldn't our communication be worry-free?

The old monk gave the young monk a ruler on the head: Then, if I want to write a love letter to the little flower down the mountain, do I have to use the password "monk"? After thinking about it, the old monk gave the young monk another ruler: Although we are monks, not programmers, we can't reinvent the wheel. In the past, a group of talented programmers created the security algorithm WEP for Wifi, but later found out that it was a decorative pillow, which became a joke in the security community. Besides, the little flower only knows 3DES and AES, how would she know the monk algorithm?

The young monk asked: Then what should we do, Master?

The old monk said: As long as you and I know the password for each letter, we can read each other's encrypted letters. The key is how we know this symmetric password between us. You see, if I write the password in a letter to her, and the letter is stolen by someone else, then everyone will know our password and be able to understand our love letters. But there is a solution. Here, I used the secret asymmetric password passed down in the martial arts world. I now have two passwords in my hands, one is called "public key" and the other is called "private key". The public key is published in the martial arts world, and many people know it, but the private key, only I know in the martial arts world. These two keys are mathematically related, which means that a letter encrypted with the public key can be decrypted with the private key, but it cannot be decrypted with the public key. The little flower knows the public key, so every time she writes a letter to me, she encrypts her symmetric password with my public key, writes a separate password paper, and then encrypts her letter with her symmetric password. In this way, I can use my private key to decrypt this symmetric password and then use this symmetric password to decrypt her letter.

This encryption method is called generating a self-signed certificate. This method is not completely secure, and it is manifested as a red https with a crossed-out address bar in Chrome.

The old monk paused: Unfortunately, she always uses symmetric passwords like "Why does the monk write love letters", so every time I decrypt the password paper, I am always disappointed. In fact, the symmetric passwords I prefer are things like "wind and flowers" and "snow and moon". The most troublesome thing is that I still have to use the password "Why does the monk write love letters" to encrypt the love letters I write back to the little flower. The most painful thing in the world is this. But little did I know that there was someone more miserable than me. Zhang the butcher down the mountain has been secretly in love with the little flower for many years. Seeing our letters, he felt uncomfortable in his heart and took the initiative to replace the pilgrims to deliver our letters. The first time he delivered a letter to the little flower, he gave her his own public key, falsely claiming that it was my updated public key. The little flower believed it, and all subsequent password papers were encrypted with Zhang's public key. After Zhang received the reply, he used his private key to decrypt the little flower's symmetric password, and then he could not only see the content of the little flower's letter, but also forge letters from the little flower to me. He could also encrypt letters to the little flower with his private key. Gradually, I found that the letters had changed. Although I was suspicious, I had no concrete evidence. Once I wrote a letter asking the little flower about the first symmetric password she used, and the password "Why does the monk write love letters" was listed in the reply. So my doubts were slightly relieved. It wasn't until I went to visit the old abbot of Shaolin Temple on Song Mountain that I realized that because my public key didn't have a fire seal, anyone could forge a public key claiming to be mine. In this way, this person could read the letters written to me by others, forge letters written to me by others, and read my replies. This kind of martial arts skill is called "Man-in-the-middle attack". The only way to crack it is to use the fire seal of Shaolin Temple (a certificate issued by a CA organization). This fire seal is very particular. I need to submit my public key and my personal status in the martial arts world to the 18 Arhats Committee. They will use the committee's private key to digitally sign based on this information, and the signed information will be highlighted on the fire seal. The authenticity of the public key with the fire seal is unquestionable in the martial arts world. You should know that no one dares to offend the 18 Arhats.

The young monk asked: What happened next?

The old monk said: When I returned from Shaolin Temple on Song Mountain to the temple on the mountain, I personally delivered the public key with the fire seal to the little flower, but I never received any letters from her afterwards. It wasn't until a year later that I found out that the little flower did write me letters. At that time, the letters were indeed encrypted with the public key with the fire seal. After Zhang received the letters, because he didn't know my private key, he couldn't decrypt the password letters from the little flower, so he burned all the letters in anger. Also, because Zhang couldn't know the symmetric password of the little flower, he couldn't reply to her letters. After sending a few letters, the little flower's letters disappeared, and she became suspicious and asked around about my situation. Zhang became anxious. He used the public key I published and sent me a letter in the tone of the little flower. When I received the letter, I felt strange. Why did the letter smell like lard? And at the end, it even asked about my private key with concern. I knew it was a trick, so I thought of a way to find out if the letter was really written by the little flower. Later, I even came up with a solution...

The old monk touched his bald head and said: I didn't lose my hair in vain. I asked the pilgrims to pass a message to the little flower, telling her that I was fine and hoping that she would have her own happiness, no, her own pair of asymmetric keys. After the little flower entrusted the Little Town Beauty Association to put a fire seal on her public key, she asked the pilgrims to bring it to me. So every time the little flower writes a letter to me, she will stick a small peony on the password paper, and write a message encrypted with her own private key on the peony. In this way, when I receive a letter claiming to be from the little flower, I will first take out the password paper, remove the peony, and use the little flower's public key to decrypt this message. If I can't decrypt it, I will directly throw away the entire letter along with the password paper, because this letter must not be written by the little flower. If I can decrypt it, then I can be sure that the letter is from the little flower, and I will carefully decode and read it.

The young monk said: No wonder I heard that Zhang the butcher was driven to death. Your love letters are so complicated that it gives me a headache. When I grow up, I will just shout loudly to the people down the mountain if I have something to say, so I don't have to go through all this trouble. But I do understand what the person upstairs said. The handshake phase of SSL is indeed about checking the fire seal, reading the peony, and decrypting the password paper. It is indeed quite troublesome. Once both parties know the symmetric password, the decoding and reading phase will be smooth and much easier.

Edited on April 28, 2014

All rights reserved to the author.

Source: How much more server resources does HTTPS use compared to HTTP? Answer by Mu Xudong

However, not all certificates issued by CA organizations are trustworthy, for example:

Violating multiple certificate authority requirements, Chrome completely cancels trust in China WoSign's SSL certificates

In September 2016, Mozilla exposed WoSign's forgery of certificate issuance dates and concealment of acquisitions, and announced the suspension of trust in certificates issued by the organization. Apple and Google followed suit. Recently, Google announced that after the release of a new version in September, its Chrome browser will cancel trust in all certificates issued by WoSign and its acquisition StartCom, regardless of whether they are new or old. Websites currently using these digital certificates are advised to consider replacing them.

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.