According to foreign media Softpedia news, mobile data startups Wandera recent survey, including Air Canada, AirAsia and three other major airlines worldwide, including more than a dozen air, rail, rental, ticketing Since there is no aspect of the large companies deploy mobile end HTTPS access, resulting in leakage of user information there is a huge risk! These companies often have deployed HTTPS service on its Web site, but the site access for mobile phones and mobile app offer its clients, without a corresponding use HTTPS service. This led them there is a huge risk of information leakage up to 500,000 daily users access the services provided.
online booking shocking information leakage risk, you dare book the tickets online? Em>
especially when the user uses unreliable public Internet access, such as coffee shops, shopping malls and free WIFI, via mobile browser or app client does not use HTTPS when accessing these services, there is a lot of be intercepted each risk species sensitive personal information, such as identity information, user names, passwords, and even credit card numbers. The risk of data loss when to start, how much data loss caused has not test. After the disclosure of the report, the company has taken the technical means to solve the security risks.
The survey focused on European countries, did not relate to China's domestic situation. However, it is understood HTTPS deployment of our domestic sites, mobile sites and client app, this risk also exists, even more serious.
On the other hand, according to the CNNIC survey data show that as of the first half of 2015, mobile payment, mobile online shopping, travel booking phone subscribers reached 276 million, 270 million and 168 million. Similarly, according to CNNIC data, more than 40% of people will use the Internet, public places and other places of WIFI access to the Internet.
On the whole, while the use of mobile clients to conduct online transactions, when using an insecure network access, if the access to the site and did not do the necessary security measures, there is great risk of leakage visitors sensitive personal information.
How can we avoid this risk? Do not book the tickets online yet?
In fact, to avoid the risk of such security solutions are there, that is the site to provide users with service providers should meet safety standards HTTPS service, rather than the old, insecure HTTP service. Thus, even if the environment in which the visitor is not very safe, still can greatly reduce the risk of the user.
HTTPS What is it?
HTTPS (full name: Hyper Text Transfer Protocol over Secure Socket Layer), is safe for the target building customer browser and server-side data transmission channel, is simply HTTP secure version. It was originally created by Netscape and built up in their browser.
HTTPS been able to do secure transmission of data through SSL / TLS protocol completed. Only the two sides to communicate with encryption and decryption of data, and the data in the middle of the channel when the transmission is encrypted. Or general use AES encryption algorithm such as RSA, and by current scientific analysis, is unlikely to enhance the computing power and by making the cryptographic algorithm has been properly configured easily cracked.
Therefore we said, HTTPS is safe.
Why are more and more websites choose HTTPS?
In recent years, large companies pay attention to the safety of the site are gradually accelerate the speed of deployment of HTTPS. Search engine giant Google, Taobao Lynx, Baidu etc. total station enabled HTTPS, believe in the future, there will be more and more sites to join the ranks of full outbound HTTPS in.
Why HTTPS so favored? The answer is self-evident, because of course HTTPS can bring more value to the site. These values mainly reflected in:
Ensure the safety of traffic, you can not get the real information is intercepted after tapping to avoid leakage of private data over a network possible. This is why all the financial, pay sites mandatory reasons must be HTTPS service.
High security sites tend to have a higher ranking in search engines the same type.
Browser trusted identity can strengthen trust ordinary users of the site.
Since HTTPS can bring great practical value to the site, we can predict that the growing demand for security by users and site administrators appreciated the trend of the future will completely replace HTTPS HTTP, became the site data communication mainstream way.
how to deploy HTTPS?
In simple terms, as a web service provider, you first need to buy to be recognized by the major browsers HTTPS certificate issued by the CA; then depending on your Web server, such as apache, nginx, different configurations, providing listens TCP / 443 port for HTTPS service; Finally, to test your HTTPS service is functional, performance is affected, whether the impact on the user experience and so on.
specific technical description, not one by one started here, depending on your IT infrastructure deployment. In general, for small sites, the deployment of the HTTPS service is relatively simple, but for large-scale, complex business sites, deploy HTTPS service is a daunting project. In addition, it was reported Ali cloud ready to launch for HTTPS service package distributed services can be your HTTP service seamlessly packaged as HTTPS services, and also provide services to accelerate (CDN), attack prevention (WAF) and traffic cleaning (DDoS / CC), and other functions.
deployed HTTPS service, you can finally rest assured?
When you finally deployed the HTTPS service, see the browser address bar is highlighted in green, is not feeling full achievement -- my mother no longer have to worry about my user information was stolen: D
HTTPS Green Flag em>
But wait a minute, in fact, you just connect with a short board, there is still a short board in flowing water yet.
Because HTTPS service for content delivery is encrypted, in theory, only the server and client in order to properly encrypt and decrypt data, so before you use cloud-based WAF (Web Application Firewall) may not support HTTPS and thus can not provide XSS, SQL injection attacks and other application-level protection for you.
security products typically not well supported HTTPS site protection. The main reasons are:
Current cloud or traditional protective security agents are generally used mode. That traffic will be introduced to the use of security products, by detecting analysis, abnormal attack, then take protective measures. However, due to HTTPS data encryption, and therefore can not be at the application layer protection products detailed analysis of the HTTP message contents, nature does not recognize the attack and legitimate traffic, and thus the threat of attack helpless.
As it relates to the establishment of the handshake encryption negotiate the connection, performance HTTPS HTTP usually need to consume several times. General protection products no ability to build large-scale protection cluster, and thus its inability to do HTTPS protection of large flow.
Well, you can also purchase hardware WAF firewall, but when DDoS / CC attacks and attack traffic, such as a flood, you can line the WAF and how long?
is not feeling depressed a plate and tilt to the other one? Since the deployment of the HTTPS, causing originally distributed WAF service protects against application level attacks but can not use it?
In addition, there may be a sad thing to make you feel as a flourishing traffic to your site, using CDN provides distributed access to support it simply is certain, however, currently support HTTPS CDN service providers still less.
how to do? Is the use of the HTTPS service is a mistake?
I'll tell you a complete solution --
The following are advertising time, and so the shield of anti-Ali products -- what turned out to be soft paper? !
Well, let's talk about the technical issues.
In essence, cloud support HTTPS protection products is feasible, but there needs to solve several problems:
How transparent analysis HTTPS traffic, and traffic characteristics for analysis and disposal?
How to avoid upgrading to HTTPS brings processing power to reduce, performance degradation issues?
In such cases, and so the shield of anti-Ali launched a special product support HTTPS application layer protection. The technical diagram is as follows:
Ali shield and so on technical principles em>
Users import the corresponding domain in the cloud shield of anti-console certificate and private key, configure the domain name information.
Clients with high anti-cloud shield for SSL handshake negotiation after negotiation, the use of certificates and public key to encrypt data in the cloud shield issued.
After high cloud shield anti decrypt data, security protection analysis, the legitimate traffic is transmitted to the server re-encrypted, while blocking out illegal attack traffic.
Server-side data decrypt the normal course of business.
Through the above manner, in the customer's business without any alteration of the circumstances, the cloud shield to help users realize the full link-end data encryption. At the same time, as a result of the data is decrypted, cloud shield with the ability to analyze data in the application layer, and therefore have the ability to forward traffic to the specified address, fine-grained security protection. Including but not limited to:
DDoS protection capability of up to 300G.
CC massive attack protection (cluster can support ten million QPS attack traffic cleaning).
Blocking protection Web application vulnerability attacks (including SQL injection, XSS, command injection, and other common Web attacks Trojans Shell form).
Provide a variety of application layer data report, including detailed reports not only safe, but also to cover the case of business data access.
Support for host deployed outside Ali cloud security.
Of course, if you have data privacy requirements are relatively high, it may be more concerned about the private key on the security on the cloud shield. In response to this concern, also has a corresponding private security solutions.
In addition, if you are feeling about their deployment HTTPS service difficult, and so shield Ali also has plans to launch an HTTP direct transfiguration HTTPS service, support HTTP users do not need to change their business premise becomes HTTPS upgrade in the near future.
For more information, you can poke a look at this link.