科技回声

13 条评论

A less common question we get, that a lot of web devs are interested in is 'How do I mitigate against MITM attacks'.- As a browser, by using a default OS and watching the root CA store. You can control the key stores on most devices except iOS pretty easily: <a href="https://certsimple.com/blog/control-the-ssl-cas-your-browser-trusts" rel="nofollow">https://certsimple.com/blog/control-the-ssl-cas-your-browser...</a>- As a server, setting up key pinning (<a href="https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning" rel="nofollow">https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning</a>) which throws up a browser warning if someone accesses your site with a new key.

评论 #10777051 未加载

daok超过 9 年前

Right from the beginning "EV cert". What is EV? When you write article and it's the first time you use acronym, please define it.

评论 #10775999 未加载

评论 #10775997 未加载

评论 #10776214 未加载

评论 #10775868 未加载

评论 #10776611 未加载

评论 #10776000 未加载

评论 #10776001 未加载

geofft超过 9 年前

A slightly stronger argument not to use 4096-bit certs is that just about every (intermediate) CA certificate out there is 2048-bit, and there's no security advantage to your cert being 4096-bit if it only has a 2048-bit signature. An attacker can just factor your CA's public key and not care how strong your own public key is.So it's not just that it slows down your site, it slows down your site without any additional security or other benefit.

评论 #10778024 未加载

sarciszewski超过 9 年前

Item number 1: SSL is obsolete, use TLS.Can we please, as a society, try to move forward with the correct acronym? Everyone who isn't wide-open-vulnerable is using TLS 1.0 or newer. (Personally, I like to run TLS 1.2 only, but my CloudFlare domains still speak 1.0 and I can't turn it off without paying money.)

评论 #10777554 未加载

评论 #10775471 未加载

评论 #10775787 未加载

评论 #10775799 未加载

评论 #10775537 未加载

jzd超过 9 年前

The general public couldn't care less about EV certs.Important reading: <a href="http://webmasters.stackexchange.com/a/9095" rel="nofollow">http://webmasters.stackexchange.com/a/9095</a>

评论 #10776486 未加载

TazeTSchnitzel超过 9 年前

Another thing: You should probably go TLS-only. Set up a 301 redirect from HTTP to HTTPS, and set the Strict-Transport-Security header on all HTTPS responses.It's very easy to do, and ensures all your users get maximal security. The future is encrypted.Today I did this for my blog: <a href="https://github.com/TazeTSchnitzel/blog/commit/792986d18d8583712fa3fe59d0ec047b21701d46" rel="nofollow">https://github.com/TazeTSchnitzel/blog/commit/792986d18d8583...</a>

评论 #10776043 未加载

theandrewbailey超过 9 年前

Re: Point 1You really only need two ciphers to get to most browsers/clients and good security and speed (replace RSA with ECDSA if needed):TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256TLS_ECDHE_RSA_WITH_AES_128_CBC_SHAExample: <a href="https://www.ssllabs.com/ssltest/analyze.html?d=theandrewbailey.com" rel="nofollow">https://www.ssllabs.com/ssltest/analyze.html?d=theandrewbail...</a>It baffles me that Mozilla recommends 20 ciphers for their highest security level. I think high security should be more exclusive than that, and with forward secrecy only.Point 5:How I imported Let's Encrypt's certificates into a Java keystore:<pre><code> openssl pkcs12 -export -name yourdomain -in fullchain.pem -inkey privkey.pem -out pubchainpriv.p12 keytool -importkeystore -srcstoretype pkcs12 -srckeystore pubchainpriv.p12 -alias yourdomain -destkeystore /path/to/keystore.jks</code></pre>

paulschreiber超过 9 年前

I've compiled lots of resources for moving to HTTPS: <a href="https://docs.google.com/document/d/1EJKAoa4Hxc4AyH0znuA_AAplcNeNejEhATFptFX-OME/edit" rel="nofollow">https://docs.google.com/document/d/1EJKAoa4Hxc4AyH0znuA_AApl...</a>

Swannie超过 9 年前

A good start. If you want to improve it, please add information about how to consume HTTPS services in a secure way.Also potentially add an aside for self-signed/enterprise CA, as most web developers will encounter internal systems sooner or later. This makes the above (consuming services) more challenging :-)

angry-hacker超过 9 年前

My addition: if you use SNI cert, expect loads of problems. And I don't mean browser support.Bing wont crawl you, you have to email the support and maybe they manually whitelist you.A lot of RSS readers wont work, services like pocket, reddit submissions, mailchimp rss to email etc etc.It's crazy considering we want to move everything to https only.

评论 #10777661 未加载

评论 #10777720 未加载

james-skemp超过 9 年前

You might be slow from traffic, but just in case that's not the case, the linked article loads fine but the home page does not on a 2nd gen Nexus 7.I see the top navigation followed by a white page, no scrollbar.

评论 #10777533 未加载

gcb0超过 9 年前

beware of item 4. Android 2.3 is still prevalent in some markets

评论 #10776404 未加载

leni536超过 9 年前

What should I know about cert revocation and client support for it?

13 条评论

mikemaccana超过 9 年前

评论 #10777051 未加载

daok超过 9 年前

Right from the beginning "EV cert". What is EV? When you write article and it's the first time you use acronym, please define it.

评论 #10775999 未加载

评论 #10775997 未加载

评论 #10776214 未加载

评论 #10775868 未加载

评论 #10776611 未加载

评论 #10776000 未加载

评论 #10776001 未加载

geofft超过 9 年前

评论 #10778024 未加载

sarciszewski超过 9 年前

评论 #10777554 未加载

评论 #10775471 未加载

评论 #10775787 未加载

评论 #10775799 未加载

评论 #10775537 未加载

jzd超过 9 年前

The general public couldn't care less about EV certs.Important reading: <a href="http://webmasters.stackexchange.com/a/9095" rel="nofollow">http://webmasters.stackexchange.com/a/9095</a>

评论 #10776486 未加载

TazeTSchnitzel超过 9 年前

评论 #10776043 未加载

theandrewbailey超过 9 年前

paulschreiber超过 9 年前

Swannie超过 9 年前

angry-hacker超过 9 年前

评论 #10777661 未加载

评论 #10777720 未加载

james-skemp超过 9 年前

评论 #10777533 未加载

gcb0超过 9 年前

beware of item 4. Android 2.3 is still prevalent in some markets

评论 #10776404 未加载

leni536超过 9 年前

What should I know about cert revocation and client support for it?

What web developers should know about SSL

13 条评论

What web developers should know about SSL

13 条评论