HTTPS is not secure? The problem is the low version of TLS

Source: Internet
Author: User
Tags: website, server, HTTP Strict Transport Security

The era of HTTPS encryption has arrived. Over the past two years Google, Baidu, Facebook and other internet giants have pushed HTTPS adoption, and since Chrome 68 went live on July 25, 2018, all HTTP sites are clearly marked as "not secure". At home and abroad, sites large and small, from giants such as Google and Facebook down to personal blogs, as well as apps in the Apple App Store and mini programs, have enabled full-site HTTPS; this is the future trend of internet development.

The path of continuous HTTPS optimization

HTTPS (Hypertext Transfer Protocol Secure) is a transport protocol designed to secure communication over a computer network. It adds an SSL/TLS layer beneath HTTP, which protects the privacy and integrity of the exchanged data and authenticates the website server; put simply, it is the secure version of HTTP.

Questions such as "How much more server resource does HTTPS consume than HTTP?" are common online. Optimizing HTTPS encryption has therefore long been a focus for our cloud, and over the past two years we have rolled out a series of measures to improve HTTPS performance, including HSTS (HTTP Strict Transport Security), HTTP/2 (including Server Push) and TLS 1.3, putting us in a leading position in the domestic CDN market. Recently we introduced another feature: minimum TLS version management.

Low versions of TLS

Low versions of TLS have a number of serious vulnerabilities that leave a site open to attack; POODLE and BEAST are the two best known. Moreover, according to NIST (National Institute of Standards and Technology), no patch or workaround adequately fixes the vulnerabilities of the low TLS versions; the best course is to upgrade to a higher version and disable the low versions of TLS as soon as possible.

As encryption standards are upgraded, TLS 1.0/1.1 will gradually be disabled across the industry. We are currently in the transition period in which TLS 1.2 replaces TLS 1.0/1.1, and in 2018 more and more internet security enterprises will enable TLS 1.2. The following industry developments show the status of the low TLS versions:

    • On February 1, 2018, GitHub disabled TLSv1 and TLSv1.1.
    • Salesforce gradually disabled TLSv1 starting in March 2018.
    • Mini programs require a TLS version greater than or equal to 1.2.
    • To comply with the Payment Card Industry Data Security Standard (PCI DSS) and with industry best practice, GlobalSign will disable TLS 1.0 and TLS 1.1 on June 21, 2018.

The latest PCI DSS compliance standard came into effect on June 30, 2018. It requires disabling low TLS protocol versions (for example TLSv1); HTTPS configurations must use a more secure encryption protocol (TLSv1.1 or later, with TLSv1.2 strongly recommended) to meet the latest PCI DSS compliance requirements for protecting payment data.

The higher the minimum protocol version you choose, the more secure the site, but the fewer browsers it can support and the more likely end-user access is affected; choose the setting carefully.

High TLS versions vs low TLS versions

Below are two test results for the same website from an HTTPS security-level detection tool, first with the default minimum TLS version and then with the minimum raised.

Test result with the minimum TLS version at its default, TLSv1

Test result with the minimum TLS version set to TLSv1.1

The TLSv1 result is reported as PCI DSS non-compliant. Once the minimum TLS version management feature is turned on and the minimum is raised, this finding disappears.
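The check the detection tool performs can be reproduced with a short probe: pin a TLS client to exactly one protocol version, see whether the server completes the handshake, and grade the lowest accepted version against the PCI DSS rule above. This is an added example, not the CDN console's own tooling; the verdict strings, the `DEFAULT@SECLEVEL=0` cipher string used to let OpenSSL 3 attempt legacy versions, and the constructed sample result are assumptions.

```python
# Added example (not the CDN console's own tooling): probe which TLS versions a
# server still accepts and grade the lowest one against the PCI DSS rule above.
import socket
import ssl
import sys

# Oldest -> newest; the labels match the article's console options.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
VERDICTS = {  # assumed wording, following the article's PCI DSS summary
    None: "no TLS version negotiated",
    "TLSv1": "PCI DSS non-compliant: TLSv1 still accepted",
    "TLSv1.1": "PCI DSS compliant but weak: raise the minimum to TLSv1.2",
    "TLSv1.2": "PCI DSS compliant",
    "TLSv1.3": "PCI DSS compliant",
}

def accepts_version(host, version, port=443, timeout=5.0):
    """True if the server completes a handshake pinned to exactly this version."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3 refuses legacy versions at its default security level;
        # lower it only for this deliberately weak probe (LibreSSL may reject).
        try:
            ctx.set_ciphers("DEFAULT@SECLEVEL=0")
        except ssl.SSLError:
            return False
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False

def grade(accepted):
    """Map {label: bool} to the lowest accepted version and a verdict."""
    enabled = [v for v in VERSIONS if accepted.get(v)]
    lowest = enabled[0] if enabled else None
    return {"lowest": lowest, "enabled": enabled, "verdict": VERDICTS[lowest]}

if __name__ == "__main__":
    # Constructed result mirroring the article's default setting (minimum TLSv1).
    print(grade({"TLSv1": True, "TLSv1.1": True, "TLSv1.2": True, "TLSv1.3": False}))
    if len(sys.argv) > 1:  # live probe of your own host: python probe_tls.py HOST
        print(grade({n: accepts_version(sys.argv[1], v) for n, v in VERSIONS.items()}))
```

Run against a host you operate before and after raising the minimum TLS version in the console; the `lowest` field should move from `TLSv1` to the version you selected.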

Turning on the minimum TLS version management feature

Log in to the cloud console, create or select a CDN or cloud storage service, select "Configure", then "HTTPS", find the "Minimum TLS version" configuration item and click the "Manage" button to enter the configuration interface.

Customers can choose TLSv1, TLSv1.1, TLSv1.2 or TLSv1.3 as the minimum TLS version according to the actual needs of their website, app and mini program.

To meet certain testing requirements you may need to set the minimum TLS version to TLSv1.3; in that case the TLS 1.3 feature must be enabled in advance (TLS 1.3 is off by default and has to be turned on manually; path: Console > select or create a service > Configuration > HTTPS > TLS 1.3).

Going forward, our cloud will continue to optimize HTTPS security and encryption and will keep introducing new features that add flexibility and security, contributing to the progress of network security.
