As the domestic network environment continues to deteriorate, with all kinds of tampering and hijacking appearing one after another, more and more sites are choosing site-wide HTTPS. Just a few days ago, the Let's Encrypt project, which offers free certificate services, also officially opened its beta, so HTTPS will soon be a must for the web. Through the TLS layer and the certificate mechanism, HTTPS provides three functions: content encryption, authentication and data integrity. It can effectively prevent data from being viewed or tampered with, and prevent impersonation by a man in the middle. This article shares some experience from the process of enabling HTTPS, with a focus on how to use it together with the newer security specifications. As for deploying and optimizing HTTPS, I have written a lot about that before, so this article does not repeat it.
Understand Mixed Content
HTTP resources loaded by an HTTPS page are called mixed content (Mixed Content). Different browsers handle mixed content by different rules.
When early versions of IE found a mixed content request, they popped up a modal dialog asking "Do you want to view only the webpage content that was delivered securely?". If the user selected "Yes", no mixed content resources were loaded; if the user selected "No", all resources were loaded.
Relatively new IE
Modern browsers (Chrome, Firefox, Safari, Microsoft Edge) basically follow the W3C Mixed Content specification, which divides mixed content into two categories: Optionally-blockable and Blockable.
Optionally-blockable mixed content covers the less dangerous resources, those where tampering by a man in the middle causes no serious problem. Modern browsers load these resources by default and print a warning message to the console. Such resources include:
Images loaded through the <img> tag (including SVG images);
Video or audio loaded through the <video> / <audio> and <source> tags;
Prefetched resources;
NOTE: The above conclusion comes from a test I ran half a year ago. In the comments on this article, ayanamist reported that the current situation has changed. I did some tests, and indeed, as operating systems are upgraded, mobile browsers are beginning to follow the mixed content specification. The latest tests show that for Blockable mixed content:
Safari below iOS 9 and the WebView below Android 5 load it by default;
Chrome for Android, Safari on iOS 9+ and the WebView on Android 5+ do not load it by default;
In general, once you choose site-wide HTTPS you must avoid mixed content: every resource request on a page should go over HTTPS, so that there are no problems on any platform or in any browser.
Rational use of CSP
CSP stands for Content Security Policy. It has many directives for implementing a variety of security features related to page content. Only two HTTPS-related directives are introduced here; for more, see my earlier article "Content Security Policy Level 2 Introduction".
As mentioned above, for Optionally-blockable HTTP resources such as images in an HTTPS page, modern browsers load them by default. A hijacked image usually does not cause much of a problem, but there is some risk: many buttons on web pages are implemented with images, and a man in the middle who tampers with those images can interfere with the user.
The CSP block-all-mixed-content directive puts the page into Strict Mixed Content Checking mode. In this mode, no non-HTTPS resource is allowed to load. As with all other CSP rules, this directive can be enabled in two ways:
As an HTTP response header:
Content-Security-Policy: block-all-mixed-content
As a <meta> tag:
<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
When a site with a long history migrates to HTTPS, the workload is often very large. The step of replacing every resource with HTTPS is especially prone to omissions. Even after all the code has been confirmed to be fine, some fields read from the database may still contain HTTP links.
The upgrade-insecure-requests CSP directive lets the browser do this conversion for you. Enabling this policy brings two changes:
All HTTP resources on the page are replaced with their HTTPS addresses before the request is made;
All outbound links within the page are, when clicked, replaced with their HTTPS addresses before the jump;
As with all other CSP rules, there are two ways to enable this directive; see the previous section for the exact format. Note that upgrade-insecure-requests only replaces the protocol part, so it only works where the HTTP and HTTPS versions have exactly the same domain and path.
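The classification from the mixed content section and the scheme-only rewrite described here can be checked before a migration. The following is an added example, not code from the original article: it audits a page's HTML for http:// subresources, sorts them into the two categories, and shows the URL that upgrade-insecure-requests would request instead. The host names and sample markup are constructed, and treating everything outside the article's list as Blockable follows the W3C specification.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags the article lists as Optionally-blockable. Every other subresource
# is treated as Blockable (per the W3C spec; conservative for edge cases).
OPTIONAL_TAGS = {"img", "video", "audio", "source"}


def upgrade(url):
    """upgrade-insecure-requests swaps the scheme and nothing else."""
    return urlsplit(url)._replace(scheme="https").geturl()


class MixedContentAudit(HTMLParser):  # collects http:// subresources
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, url, category, upgraded url)

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "area"):  # a link is a navigation, not a load
            return
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        for name in ("src", "href", "poster"):
            url = (attrs.get(name) or "").strip()
            if not url.lower().startswith("http://"):
                continue
            if tag in OPTIONAL_TAGS or (tag == "link" and "prefetch" in rel):
                category = "optionally-blockable"
            else:
                category = "blockable"  # script, stylesheet, iframe, ...
            self.findings.append((tag, url, category, upgrade(url)))


def audit(html):
    parser = MixedContentAudit()
    parser.feed(html)
    return parser.findings


# Constructed sample: template markup plus one URL from an old database row.
SAMPLE = """
<link rel="stylesheet" href="http://static.example.com/site.css">
<link rel="prefetch" href="http://static.example.com/next.html">
<script src="http://cdn.example.com/app.js"></script>
<img src="http://img.example.com/button.png">
<img src="https://img.example.com/logo.png">
<a href="http://other.example.org/">elsewhere</a>
"""
```

Each upgraded URL still has to be fetched over HTTPS to confirm that the same host and path actually serve the resource, since the directive changes nothing but the scheme.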
Rational use of HSTS
After a site has moved to site-wide HTTPS, if a user manually types the site's HTTP address, or clicks an HTTP link to the site from elsewhere, the site depends on a server-side 301/302 redirect to get the user onto HTTPS. That first HTTP request may well be hijacked so that it never reaches the server, which constitutes an HTTPS downgrade hijack.
Basic use of HSTS
This problem can be solved with HSTS (HTTP Strict Transport Security, RFC 6797). HSTS is a response header in the following format:
Strict-Transport-Security: max-age=expireTime [; includeSubDomains] [; preload]
max-age, in seconds, tells the browser that within the specified time the site must be accessed over HTTPS. That is, for an HTTP address of this site, the browser must replace it with HTTPS locally before sending the request.
includeSubDomains, an optional parameter; if specified, all subdomains of this site must also be accessed over HTTPS.
preload, an optional parameter; its role is introduced later.
The HSTS response header can only be used in HTTPS responses; the site must use the default port 443; and it must use a domain name, not an IP address. Also, once HSTS is enabled, if the site's certificate has an error, the user cannot choose to ignore it.
HSTS Preload List
As you can see, HSTS handles HTTPS downgrade attacks well, but the first HTTP request, made before HSTS takes effect, still cannot avoid being hijacked. To solve this problem, browser vendors proposed the HSTS Preload List: a built-in list such that, for the domains on it, HTTPS is used even if the user has never visited the site before. The list can be updated periodically.
Currently the Preload List is maintained by Google Chrome, and Chrome, Firefox, Safari, IE 11 and Microsoft Edge all use it. If you want to add your own domain name to this list, you first need to meet the following conditions:
Have a valid certificate (if it is a SHA-1 certificate, the expiration date must be earlier than 2016);
Redirect all HTTP traffic to HTTPS;
Make sure HTTPS is enabled on all subdomains;
Output the HSTS response header:
max-age must be no less than 18 weeks (10,886,400 seconds);
The includeSubDomains parameter must be specified;
The preload parameter must be specified;
Even if all of the above conditions are met, you will not necessarily get onto the HSTS Preload List; more information can be found here. With Chrome's chrome://net-internals/#hsts tool you can check whether a site is on the Preload List, and you can also manually add a domain name to the local Preload List.
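The header-related conditions above can be checked mechanically before submitting a domain. The following is an added example, not code from the original article or from the Preload List project: it parses a Strict-Transport-Security value following the RFC 6797 grammar and reports which of the article's three header conditions it fails. The function names are hypothetical and the sample values in the test are constructed.

```python
MIN_PRELOAD_MAX_AGE = 10886400  # 18 weeks, the minimum the article gives


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, flags).

    Returns None when the header is unusable: directive names are
    case-insensitive, max-age is required, and a repeated directive
    makes the header invalid (RFC 6797, section 6.1).
    """
    max_age, flags, seen = None, set(), set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')  # a quoted value is allowed
            if not (arg.isascii() and arg.isdigit()):
                return None
            max_age = int(arg)
        elif name in ("includesubdomains", "preload"):
            flags.add(name)
    return None if max_age is None else (max_age, flags)


def preload_problems(value):
    """List which of the article's header conditions a value fails."""
    parsed = parse_hsts(value)
    if parsed is None:
        return ["header is missing or malformed"]
    max_age, flags = parsed
    problems = []
    if max_age < MIN_PRELOAD_MAX_AGE:
        problems.append(f"max-age {max_age} is below {MIN_PRELOAD_MAX_AGE}")
    if "includesubdomains" not in flags:
        problems.append("includeSubDomains is not specified")
    if "preload" not in flags:
        problems.append("preload is not specified")
    return problems
```

An empty list means the header satisfies the header conditions only; the certificate, redirect and subdomain conditions still have to be verified separately.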
For HSTS and the HSTS Preload List, my advice is: unless you can guarantee that you will always provide HTTPS service, do not enable them. Once HSTS has taken effect, if you then want to redirect users back to the old HTTP site, users who visited before will be redirected endlessly, and the only way out is to get a new domain name.
For larger sites, after migrating the whole site to HTTPS you will still need a CDN, but you must choose a CDN that supports HTTPS. If you use a third-party CDN, there are some security aspects to consider.
Rational use of SRI
HTTPS prevents data from being tampered with in transit, and a valid certificate also authenticates the server, but if the CDN server is compromised and the static files on it are tampered with, HTTPS can do nothing about it.
W3C's SRI (Subresource Integrity) specification can be used to solve this problem. With SRI, the page specifies a digest of each resource where it references that resource, so that the browser can verify whether the resource has been tampered with. As long as the page itself has not been tampered with, SRI is reliable.
For more about SRI, see my earlier article "Subresource Integrity Introduction". SRI is not specific to HTTPS, but if the main page is hijacked, the attacker can easily remove the resource digests, and the browser's SRI verification is lost.
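The digest and the browser-side check described above, as an added example that is not code from the original article: it computes the integrity attribute value for a resource, builds the script tag, and mimics the browser's decision for an untouched file, a tampered file, and a tag whose digest has been removed. The file contents and URL are constructed, and browser_accepts is a simplified model of the check, not a browser API.

```python
import base64
import hashlib
from html import escape

ALGORITHMS = ("sha256", "sha384", "sha512")  # weakest to strongest


def sri_value(content, algorithm="sha384"):
    """Return the integrity attribute value for the given resource bytes."""
    digest = hashlib.new(algorithm, content).digest()
    return algorithm + "-" + base64.b64encode(digest).decode("ascii")


def script_tag(url, content):
    """Markup for a cross-origin script; SRI there needs crossorigin."""
    return ('<script src="%s" integrity="%s" crossorigin="anonymous">'
            "</script>" % (escape(url, quote=True), sri_value(content)))


def browser_accepts(content, integrity):
    """Model of the browser check: only the strongest listed hash counts."""
    listed = {}
    for token in integrity.split():
        algorithm, _, digest = token.partition("-")
        if algorithm in ALGORITHMS:
            listed.setdefault(algorithm, set()).add(digest.split("?")[0])
    if not listed:
        return True  # no usable digest: the resource loads unchecked
    strongest = max(listed, key=ALGORITHMS.index)
    return sri_value(content, strongest).split("-", 1)[1] in listed[strongest]


# Constructed file contents standing in for a script hosted on a CDN.
ORIGINAL = b"window.app = {version: 1};\n"
TAMPERED = ORIGINAL + b"/* injected on the CDN */\n"
```

The empty-attribute case returning True is the weakness the paragraph above points out: whoever can rewrite the page can strip the digest, and the tampered file then loads.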
Learn about Keyless SSL
Another problem: when you use a third-party CDN's HTTPS service with your own domain name, you have to hand the certificate's private key to the third party, which is a very risky thing to do.
CloudFlare developed Keyless SSL for this scenario. Instead of handing the certificate private key to a third party, you provide a Key Server that performs the computation in real time. When the CDN needs the private key, it sends the necessary parameters to the Key Server over an encrypted channel, and the Key Server computes the result and returns it. Throughout the process the private key stays on your own Key Server and is never exposed to the third party.
CloudFlare has already opened up this mechanism. For more information, see this article on their official blog: Keyless SSL: The Nitty Gritty Technical Details.
That is all for this article. Note that CSP, HSTS, SRI and the other policies mentioned here are supported only by the latest browsers; detailed support can be checked on CanIUse. After switching to HTTPS there is a lot of new performance optimization work to do. I have written a lot about that in earlier posts and will not repeat it here, except for the most important point:
Since you are on HTTPS anyway, getting onto HTTP/2 quickly is the right way to go.