  Running into the site-wide HTTPS
     
  Add Date : 2017-01-08      
         
         
         
  As the domestic network environment keeps deteriorating, with one kind of tampering and hijacking after another, more and more sites are choosing site-wide HTTPS. Just the other day, the Let's Encrypt project, which offers free certificate services, officially opened its public test, and HTTPS will soon become a must for the web. Through the TLS layer and the certificate mechanism, HTTPS provides three functions: content encryption, authentication, and data integrity. It can effectively prevent data from being viewed or tampered with, and prevent impersonation by a man in the middle. This article shares some experience from the process of enabling HTTPS, with a focus on how to use the newer security specifications. As for deploying and optimizing HTTPS, I have written a lot about that before, so this article does not repeat it.

Understand Mixed Content

Loading HTTP resources in an HTTPS page is called mixed content (Mixed Content). Different browsers have different rules for handling mixed content.

Early IE

When early versions of IE find a mixed content request, they pop up a modal dialog asking whether to view only the web content that was delivered securely. If the user selects "Yes", no mixed content resources are loaded; if the user selects "No", all resources are loaded.

Relatively new IE

Relatively new versions of IE replace the modal dialog with a notification at the bottom of the page, which interferes with the user less than before. Image-type mixed content is loaded by default; other resources such as JavaScript and CSS are still loaded or not according to the user's choice.

Modern browsers

Modern browsers (Chrome, Firefox, Safari, Microsoft Edge) basically follow the W3C Mixed Content specification, which divides mixed content into two categories, Optionally-blockable and Blockable:

Optionally-blockable mixed content covers the less dangerous resources, where tampering by a man in the middle causes no serious problem. Modern browsers load these resources by default and print a warning message on the console. Such resources include:

- Images loaded through the <img> tag (including SVG images);
- Video or audio loaded through the <video> / <audio> and <source> tags;
- Prefetched resources;

All other mixed content is Blockable, and browsers must refuse to load such resources. So in modern browsers, HTTP resources such as JavaScript and CSS in an HTTPS page are not loaded, and an error message is printed directly on the console.

Mobile Browser

The behaviour described so far is that of desktop browsers. The situation on mobile is more complicated: most current mobile browsers allow all mixed content to load by default. In other words, for mobile browsers, HTTP resources in an HTTPS page are loaded by default, whether they are images, JavaScript or CSS.

NOTE: The conclusion above comes from tests I did half a year ago. In a comment on this article, ayanamist pointed out that the situation has changed. I did some tests, and indeed, as operating systems have been upgraded, mobile browsers have begun to follow the mixed content specification. The latest tests show that for Blockable mixed content:

- Safari below iOS 9 and WebView below Android 5 load it by default;
- Chrome for Android, Safari on iOS 9+ and WebView on Android 5+ do not load it by default;

In general, once you choose site-wide HTTPS you must avoid mixed content: every resource request on the page should go over HTTPS, so that no platform or browser has problems.

Rational use of CSP

CSP stands for Content Security Policy. It has many directives that implement a variety of security features related to page content. Only the two HTTPS-related directives are covered here; for more, see my earlier article "Content Security Policy Level 2 Introduction."

block-all-mixed-content

As mentioned above, modern browsers load Optionally-blockable HTTP resources such as images in an HTTPS page by default. A hijacked image resource usually does not cause much of a problem, but there are some risks: for example, many web page buttons are implemented with images, and a man in the middle who changes these images can interfere with the user.

The CSP block-all-mixed-content directive puts the page into Strict Mixed Content Checking mode. In this mode, no non-HTTPS resource is allowed to load. As with all other CSP rules, you can enable this directive in two ways:

As an HTTP response header:

Content-Security-Policy: block-all-mixed-content

As a <meta> tag:

<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">

upgrade-insecure-requests

When a large site with a long history migrates to HTTPS, the workload is often very large. The step of replacing all resources with HTTPS is especially prone to omissions. Even if all the code has been confirmed to be fine, there may well be HTTP links in some fields read from the database.

The upgrade-insecure-requests CSP directive lets the browser do this conversion for you. Enabling this policy brings two changes:

- All HTTP resources on the page are replaced with HTTPS addresses before the request is made;
- All outbound links within the page, when clicked, are replaced with HTTPS addresses before the navigation happens;

As with all other CSP rules, this directive can be enabled in two ways; for the exact format, refer to the previous section. Note that upgrade-insecure-requests replaces only the protocol part, so it applies only where the HTTP and HTTPS domain and path are exactly the same.
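The desktop rules from the Mixed Content section and the effect of the two CSP directives above can be modelled in a small audit script. This is an added example, not code from the original article; the names `audit`, `_Collector` and `SAMPLE` and the example.com hosts are assumptions, and the sample page is constructed.

```python
from html.parser import HTMLParser

# Optionally-blockable per the article: <img>, <video>/<audio>/<source>, prefetched resources.
OPTIONAL_TAGS = {"img", "video", "audio", "source"}
# Attribute holding the subresource URL for each inspected tag (navigation links are not subresources).
URL_ATTR = {"img": "src", "video": "src", "audio": "src", "source": "src",
            "script": "src", "iframe": "src", "link": "href"}

class _Collector(HTMLParser):
    """Collect (tag, url, category) for every http:// subresource of an HTTPS page."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = (attrs.get(URL_ATTR.get(tag, "")) or "").strip()
        if not url.lower().startswith("http://"):
            return  # https:// and relative URLs are not mixed content
        rel = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rel & {"stylesheet", "prefetch"}:
            return  # e.g. rel=canonical is never fetched as a subresource
        optional = tag in OPTIONAL_TAGS or (tag == "link" and "prefetch" in rel)
        self.found.append((tag, url, "optionally-blockable" if optional else "blockable"))

def audit(html, csp=""):
    """Return (tag, url, category, outcome) tuples under the given CSP header value."""
    directives = {d.strip().split()[0].lower() for d in csp.split(";") if d.strip()}
    collector = _Collector()
    collector.feed(html)
    results = []
    for tag, url, category in collector.found:
        if "upgrade-insecure-requests" in directives:
            # Upgrading happens before mixed content checks; only the scheme changes.
            outcome = "upgraded to https://" + url[len("http://"):]
        elif category == "blockable" or "block-all-mixed-content" in directives:
            outcome = "blocked"
        else:
            outcome = "loaded with console warning"
        results.append((tag, url, category, outcome))
    return results

# Constructed sample page, assumed to be served over HTTPS.
SAMPLE = """<link rel="stylesheet" href="http://static.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<img src="http://img.example.com/button.png">
<script src="https://cdn.example.com/app.js"></script>
<script src="HTTP://cdn.example.com/legacy.js"></script>"""
```

An "upgraded" outcome only helps if the HTTPS address really serves the same resource, which is the same-domain-and-path condition noted above.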

Rational use of HSTS

After a site has moved entirely to HTTPS, if a user types the site's HTTP address by hand or clicks an HTTP link to the site from elsewhere, the site depends on a server-side 301/302 redirect to get the user onto the HTTPS service. That first HTTP request may well be hijacked so that it never reaches the server, which constitutes an HTTPS downgrade hijack.

Basic use of HSTS

This problem can be solved with HSTS (HTTP Strict Transport Security, RFC 6797). HSTS is a response header in the following format:

Strict-Transport-Security: max-age=expireTime [; includeSubDomains] [; preload]

- max-age, in seconds, tells the browser that within the specified time the site must be accessed over HTTPS. That is, for an HTTP address of this site, the browser must replace it with HTTPS locally before sending the request.
- includeSubDomains, an optional parameter; if it is specified, all subdomains of this site must also be accessed over HTTPS.
- preload, an optional parameter; its role is introduced later.

The HSTS response header can only be used on HTTPS responses; the site must use the default port 443; and it must use a domain name, not an IP address. Also, once HSTS is enabled, if the site certificate has an error, the user cannot choose to ignore it.

HSTS Preload List

As you can see, HSTS handles HTTPS downgrade attacks well, but the first HTTP request, made before HSTS takes effect, still cannot avoid being hijacked. To solve this problem, browser vendors came up with the HSTS Preload List: a built-in list of domain names for which HTTPS is used even if the user has never visited before. The list can be updated periodically.

The Preload List is currently maintained by Google Chrome, and is used by Chrome, Firefox, Safari, IE 11 and Microsoft Edge. If you want to add your own domain name to this list, you first need to meet the following criteria:

- Have a valid certificate (if you use a SHA-1 certificate, the expiration date must be earlier than 2016);
- Redirect all HTTP traffic to HTTPS;
- Ensure that HTTPS is enabled on all subdomains;
- Output an HSTS response header in which:
  - max-age is not less than 18 weeks (10,886,400 seconds);
  - the includeSubDomains parameter is specified;
  - the preload parameter is specified;

Even if all of the above conditions are satisfied, you may not necessarily get into the HSTS Preload List; more information can be found here. With Chrome's chrome://net-internals/#hsts tool, you can check whether a website is in the Preload List, and you can also manually add a domain name to the local Preload List.

For HSTS and the HSTS Preload List, my advice is: if you cannot guarantee that you will always provide HTTPS service, do not enable them. Once HSTS has taken effect, if you then want to redirect the site back to HTTP, earlier users will be redirected endlessly, and the only way out is to get a new domain name.
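The header criteria listed above can be checked mechanically before submitting a domain. This is an added example, not code from the original article; the function names `parse_hsts` and `preload_problems` are assumptions, and the 10,886,400-second threshold is the one the article states.

```python
MIN_PRELOAD_MAX_AGE = 10_886_400  # 18 weeks, the threshold given in the article


def parse_hsts(value):
    """Parse a Strict-Transport-Security value; return a dict, or None if it is invalid."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive (RFC 6797)
        if not name:
            continue  # tolerate empty directives such as a trailing ";"
        if name in directives:
            return None  # RFC 6797: each directive may appear only once
        directives[name] = val.strip().strip('"')  # max-age may be a quoted string
    age = directives.get("max-age", "")
    if not (age.isascii() and age.isdigit()):
        return None  # max-age is required and must be a non-negative integer
    directives["max-age"] = int(age)
    return directives


def preload_problems(scheme, value):
    """List the reasons a response fails the article's HSTS header criteria for preloading."""
    if scheme != "https":
        return ["HSTS is only honoured on HTTPS responses"]
    parsed = parse_hsts(value or "")
    if parsed is None:
        return ["missing or malformed Strict-Transport-Security header"]
    problems = []
    if parsed["max-age"] < MIN_PRELOAD_MAX_AGE:
        problems.append("max-age %d is below %d" % (parsed["max-age"], MIN_PRELOAD_MAX_AGE))
    if "includesubdomains" not in parsed:
        problems.append("includeSubDomains is missing")
    if "preload" not in parsed:
        problems.append("preload is missing")
    return problems
```

An empty list covers only the response header; the certificate, redirect and subdomain criteria still have to be verified separately.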

CDN security

For large sites, a CDN is still needed after the whole site has migrated to HTTPS, but you must choose a CDN that supports HTTPS. If you use a third-party CDN, there are some security points to consider.

Rational use of SRI

HTTPS can prevent data from being tampered with in transit, and a legitimate certificate also authenticates the server. But if the CDN server is compromised and the static files on it are tampered with, HTTPS can do nothing about it.

The W3C's SRI (Subresource Integrity) specification can be used to solve this problem. With SRI, the page specifies a digest of the resource where it references the resource, so that the browser can verify whether the resource has been tampered with. As long as the page itself is not tampered with, the SRI policy is reliable.

For more about SRI, see my earlier article "Subresource Integrity presentation." SRI is not specific to HTTPS, but if the main page is hijacked, the attacker can easily remove the resource digest, and the browser's SRI verification is lost.
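The digest check that SRI asks the browser to perform can be reproduced offline to confirm that what a CDN serves still matches what the page references. This is an added example, not code from the original article; the function names and the sample bytes are assumptions, with the "tampered" bytes constructed to stand in for a modified file.

```python
import base64
import hashlib

# Hash functions SRI defines, weakest to strongest.
STRENGTH = ["sha256", "sha384", "sha512"]


def sri_digest(content: bytes, alg: str = "sha384") -> str:
    """Build the value of the integrity attribute for a resource."""
    raw = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(raw).decode()}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """Emulate the browser check for one integrity attribute value."""
    tokens = [t.split("?")[0] for t in integrity.split()]  # drop optional "?options"
    known = [t for t in tokens if t.split("-", 1)[0] in STRENGTH]
    if not known:
        # No usable digest (attribute missing or stripped): nothing is enforced.
        return True
    # Only digests of the strongest algorithm present are considered.
    best = max(STRENGTH.index(t.split("-", 1)[0]) for t in known)
    alg = STRENGTH[best]
    expected = sri_digest(content, alg)
    return any(t == expected for t in known if t.startswith(alg + "-"))


# Constructed sample: the file as published and the file as served after tampering.
ORIGINAL = b"console.log('app v1');\n"
TAMPERED = b"console.log('app v1');/* changed on the CDN */\n"


def demo():
    pinned = sri_digest(ORIGINAL)
    return {
        "original": sri_matches(ORIGINAL, pinned),       # served file is unchanged
        "tampered": sri_matches(TAMPERED, pinned),       # CDN copy was modified
        "digest_removed": sri_matches(TAMPERED, ""),     # page itself lost the digest
    }
```

The `digest_removed` case is the limitation stated above: once the page is hijacked and the digest is gone, the modified file passes.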

Learn Keyless SSL

Another problem is that when you use a third-party CDN's HTTPS service with your own domain name, you have to hand the certificate's private key to the third party, which is a very risky thing.

CloudFlare developed Keyless SSL for this scenario. Instead of handing the certificate private key to the third party, you provide a Key Server that does the computation in real time. When the CDN needs to use the private key, it sends the necessary parameters over an encrypted channel to the Key Server, which computes the result and returns it. Throughout the process, the private key stays on your own Key Server and is never exposed to the third party.

CloudFlare has already opened this mechanism up. For more information, see this article on their official blog: Keyless SSL: The Nitty Gritty Technical Details.

Well, that is where this article ends for now. Note that the CSP, HSTS, SRI and other policies mentioned here are supported only by the latest browsers; detailed support can be checked on CanIUse. After switching to HTTPS there is a lot of new work to do on performance optimization. I have written a lot about that in previous blog posts and will not repeat it here, except for the most important point:

Now that you are on HTTPS, moving to HTTP/2 as soon as possible is the right way to go.
     
         
         
         
  CopyRight 2002-2020 newfreesoft.com, All Rights Reserved.