The difference between SSL, OV, DV, and EV certificates

Posted on 8/14/2017 7:43:05 PM
About HTTPS certificates

The HTTPS protocol requires applying to a CA for a certificate; free certificates are generally rare, and a fee is usually required.
HTTP is the Hypertext Transfer Protocol and transmits information in plaintext, while HTTPS is a secure transfer protocol encrypted with SSL.
HTTP and HTTPS use completely different connection methods and different ports: the former uses 80 and the latter 443.
HTTP connections are simple and stateless; HTTPS is a network protocol built from SSL + HTTP that provides encrypted transmission and identity authentication, which makes it more secure than HTTP.
At present, most websites are moving to HTTPS, and Chrome also uses HTTPS as the browser's default connection; if a website does not use HTTPS, a "!" icon is shown.

Apple has announced a deadline of January 1, 2017, by which all apps in the App Store must have App Transport Security enabled. App Transport Security (ATS) is a privacy-preserving feature introduced by Apple in iOS 9 that blocks the loading of plaintext HTTP resources and requires connections to go through the more secure HTTPS. Apple currently allows developers to temporarily turn off ATS and continue to use HTTP connections, but by the end of the year, all apps in the official store will have to make ATS mandatory.

Therefore, adopting HTTPS is the trend across the entire Internet industry.

Certificates

At present, the mainstream SSL certificates are mainly divided into DV SSL, OV SSL, and EV SSL.

DV SSL

A DV SSL certificate is a simple (Class 1) SSL certificate that only verifies ownership of the website's domain name and can be issued quickly, in 10 minutes. It provides encrypted transmission, but it cannot prove the true identity of the website to the user.

At present, the free certificates on the market are of this type, which only provide data encryption but do not verify the identity of the individuals and institutions providing the certificates.

OV SSL

OV SSL provides encryption; in addition, applicants are strictly verified, and credible proof of identity is provided.

The difference from DV SSL is that OV SSL audits the individuals or institutions applying, which confirms the identity of the other party and is more secure.

So applications for this type of certificate are charged a fee~

EV SSL

Ultra-secure = EV = the most secure and strictest. The ultra-secure EV SSL certificate follows the globally unified strict authentication standards and is the industry's highest security level (Class 4) SSL certificate.

Used by websites in financial securities, banking, third-party payments, online malls, etc. that focus on website security and a credible corporate image, and that involve transaction payment, customers' private information and the transmission of account passwords.

This type has the highest verification requirements and the most expensive application fee.

Common issuing bodies

Symantec is a leading provider of SSL/TLS certificates.
China Financial Accreditation Center (CFCA) provides globally trusted SSL certificates.
GeoTrust is the second largest digital certificate authority in the world.

What's wrong with the WoSign certificate?

Mozilla has released a 13-page investigation into WoSign CA's misconduct, formally proposing to stop trusting new certificates issued by WoSign and StartCom for a minimum period of one year, after which Mozilla can accept them again if WoSign and StartCom meet the conditions.
The investigation reported that some of the problems with WoSign CA were not serious or not its fault, but there were still some extremely serious problems, the most serious of which, from a trust perspective, was deliberately backdating certificates to bypass browser restrictions on SHA-1 certificates. Since SHA-1-signed certificates are no longer secure, major browser developers required all CAs to stop issuing SHA-1 certificates after January 1, 2016; however, WoSign CA still issued SHA-1 certificates after January 1, 2016, deliberately backdating them to disguise them as issued before 2016. Another problem is WoSign's acquisition of StartCom: even though there was sufficient evidence that WoSign CA had acquired 100% of StartCom CA, the company's CEO Wang Gaohua still refused to admit it, and it was not until the end that WoSign's parent company, Qihoo 360, stepped in to admit it. Wang Gaohua insisted that StartCom operated independently and that its original system had not changed, but there was sufficient technical evidence that, a month and a half after being acquired, StartCom started using WoSign's infrastructure to issue certificates. StartCom's website, http://StartSSL.com, shut down its system for an upgrade on December 18, 2015, and had switched to WoSign's system when it reopened on December 22.
So let's not use WoSign for the time being.


Alibaba Cloud's Cloud Shield certificate service has also removed WoSign's services.

Posted on 8/15/2017 6:36:52 AM
I have seen it for a long time
Posted on 8/15/2017 9:49:22 AM
+1 for long-term insight