HTTP must die: How does Google think about security?

Editor’s Note: Does public content need no encryption? The industry does not think so. In fact, the Chromium security group began promoting HTTPS early and comprehensively, so that even this public data is encrypted. Most foreign sites have already started using HTTPS, from Facebook to the White House, whereas in China the practice has not spread beyond Baidu. The author, @Luo Zhiyu, is a CTO and a member of the Chromium security group at Opera, where he worked for ten years. Here he tells the story behind the secure connection (HTTPS).


What is HTTPS?

If you are not yet familiar with HTTPS, you can take a look at this article.

Simply put, HTTPS is HTTP with encryption added. Because the data is encrypted while it crosses the network, a third party watching the connection can tell that you are browsing a web page, but cannot tell what you are looking at or what you are doing.

Protecting private data is the biggest role HTTPS has played over the past ten-plus years.

If you log in to your mailbox or your online bank over HTTPS, the data crossing the Internet is no longer in the clear, so a third party cannot see your password or your email. This is why, over the past ten-plus years, HTTPS has been used for email, finance and other areas with particular privacy needs.

What’s up with HTTP?

A few years ago, a Norwegian colleague had just come back from a meeting with Google. I ran into him in the hallway, saw his hangdog look, and asked casually: “How did the meeting with Google go?”

The Norwegian colleague sighed: “Those Google guys, damn it, are living five years in the future.”

At the time I was young and naive and still could not grasp the true meaning of those words. Only recently, after joining the Chromium security discussion group, did I truly understand the momentum behind that sentence.

The Chromium security discussion group is full of topics like these:

We want to eliminate SHA-1 immediately! SHA-1 is too weak. Even though it is only expected to be broken a few years from now, we are eliminating it now.

The SSL-to-HTTP cache may be subject to attack and needs to be changed!

The TLS DH group size should be raised to at least 1024 bits; INRIA, Microsoft Research and Johns Hopkins University have shown that low-strength TLS DH groups are not safe.

They proved that 512 bits is insecure, estimated that 768 bits could be cracked with university-level resources, and concluded that even a minimum of 1024 bits will not hold up for long:

We carried out this computation against the most common 512-bit prime used for TLS and demonstrate that the Logjam attack can be used to downgrade connections to 80% of TLS servers supporting DHE_EXPORT. We further estimate that an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime.


Well, the Google folks really are far ahead.

A security group that grumbles every day is actually not a bad thing. When the recent Flash 0-day vulnerability broke, it turned out that the Chromium security group had warned two years earlier that NPAPI plug-ins like Flash had security problems, which shows that the people in the security group do have foresight. On the NPAPI plug-in problem I had already written in my Lei Feng network column: Google browser bans Flash? Boy, you can’t be serious, right?

This neurotically driven security group recently published its second-quarter summary: TOC-Q2-2015

Today I want to talk about one very interesting item in it:


The security group folks said: we believe that (fully) using HTTPS is the only way to guarantee security. Everyone, move to HTTPS:

We see migration to HTTPS as foundational to any security whatsoever, so we’re actively working to drive #MOARTLS across Google and the Internet at large.

They had already nagged about this once in the first-quarter report, and in the second quarter they put it in again.

In fact, if you look around, you will find that many foreign web sites have already started doing this.

For example, type the site’s address into the browser and you’ll see:


Even the White House:


Notice the green HTTPS indicator: even if you did not type HTTPS, the destination site automatically redirects you to HTTPS.

Domestic sites, by comparison, do not have this behavior. For example:


I looked around, and Baidu seems to be the one domestic site pushing HTTPS:


For safety, switch to HTTPS?

What! What’s going on? Why have we suddenly abandoned fully functional HTTP and thrown ourselves into the arms of HTTPS? And Google is promoting it, recommending that every site switch to HTTPS!

You know, HTTP has been around for almost 20 years. For most web sites, migrating from HTTP to HTTPS is not a small decision:

HTTPS has higher hardware requirements than HTTP, which means more overhead, and more overhead means spending more money on servers. Not to mention the cost of the other architectural changes involved.

Something must have happened?!

And a White House web page can hardly be regarded as private, so why would it need to be transmitted over HTTPS?

The reason is: HTTP, a protocol born in innocence, has for years been a plaything of a bunch of hackers.

1. Hackers discovered that data transmitted over HTTP is not only exposed, but also very easy to inject into.

When the World Wide Web was born, nobody expected that a network built for looking things up would eventually become a platform for everything. More and more business migrated from offline to online. Many companies began selling goods, content, services and advertising online.

A gang of hackers suddenly realised: some of this stuff is transmitted in clear text on the Internet, and just looking at it means nothing, but I can modify it or add content. It is a bit like a postman who delivers postcards every day: the content on the postcards looks worthless, until one day the postman realises he can change what a postcard says, for example by adding the sentence “remit 5000 yuan to account XX immediately”.

Below is a typical screenshot:


The operator’s package promotion in the screenshot is not part of the original page; it was forcibly injected into the page data by the operator as the server’s response passed through the operator’s network.

In the industry, this is called “traffic hijacking”.

As for the White House web site, they don’t want Obama’s web page, passing through some network node, to be swapped for Osama bin Laden.

So let it be HTTPS.

2. Not only is HTTP content unencrypted; the protocol itself (primitives, header data) is also unencrypted, so commands may be modified as well.

Hackers: the protocol isn’t encrypted, that’s just how it is; don’t blame me for cracking it in fancy ways.

In fact, hackers have cracked the HTTP protocol in all sorts of bizarre ways. Take the legendary “cache poisoning”:

A series of fancy tricks makes sure your browser cache is never updated. What the…! The share price over there has already dropped? But you can’t see it, because your cache hasn’t been updated…

3. If that is not convincing enough, here is a stronger one: for a web page transmitted over HTTP, the browser grants device permissions to the page as a whole.

Imagine this scenario: a user visits a video chat website; the page needs access to the phone’s camera, so the browser asks the user whether to grant it, and the user agrees. Unexpectedly, as the page passed through some network node, a hacker injected a script (since it is transmitted in the clear, that is a matter of minutes). From the browser’s point of view, the injected script is now part of the original page and automatically has access to the camera.

So while you are video chatting with someone, the injected script can quietly stream you to the hacker’s server.

The consequences of course depend on what the chat contains, but I can already see a wave of Master Chens surfacing…

The same thing could happen to your microphone, your current location, or even the photos on your phone. Chen, for example:
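The hijack described in points 1 and 3 above, and what an authenticated channel changes about it, as an added example that is not code from the original article: an on-path node rewrites a constructed plaintext HTTP response and the receiver cannot tell, while a keyed MAC (HMAC-SHA256, a simplified stand-in for the record protection TLS provides; confidentiality is left out) lets the receiver reject the altered record. The key, the response and the injector.example domain are all constructed.

```python
"""Simulate the 'traffic hijacking' described above, then show why an
integrity-protected channel (as HTTPS provides) defeats it. Added example;
every message here is constructed, not captured traffic."""
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed HTTP response, as a web server sends it in plaintext.
ORIGINAL_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><h1>Quarterly report</h1></body></html>"
)

# Constructed injected content, standing in for the operator ad or the
# camera-stealing script in the article.
INJECTED_SNIPPET = b"<script src='http://injector.example/ad.js'></script>"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def on_path_rewrite(response: bytes) -> bytes:
    """An intermediary with plaintext access appends its own content to the body."""
    head, sep, body = response.partition(b"\r\n\r\n")
    return head + sep + body.replace(b"</body>", INJECTED_SNIPPET + b"</body>")


def protect(response: bytes, key: bytes) -> bytes:
    """Sender side: append a MAC tag so the receiver can check integrity."""
    return response + hmac.new(key, response, hashlib.sha256).digest()


def verify(protected: bytes, key: bytes) -> Optional[bytes]:
    """Receiver side: return the response if the tag checks out, else None."""
    response, tag = protected[:-TAG_LEN], protected[-TAG_LEN:]
    expected = hmac.new(key, response, hashlib.sha256).digest()
    return response if hmac.compare_digest(tag, expected) else None


def plain_http_scenario() -> bytes:
    """Plain HTTP: the rewritten page looks exactly like a genuine one."""
    return on_path_rewrite(ORIGINAL_RESPONSE)


def protected_scenario(key: bytes = b"constructed-session-key") -> Tuple[Optional[bytes], Optional[bytes]]:
    """Protected channel: the untouched record verifies, the rewritten one is rejected."""
    protected = protect(ORIGINAL_RESPONSE, key)
    # The intermediary can still change bytes, but cannot forge a tag without the key.
    tampered = on_path_rewrite(protected[:-TAG_LEN]) + protected[-TAG_LEN:]
    return verify(protected, key), verify(tampered, key)
```

Running `plain_http_scenario()` returns a page carrying the injected script with nothing to distinguish it from the original; `protected_scenario()` returns the verified original response and `None` for the tampered record.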


After a great deal of tinkering, the industry’s bigwigs have finally woken up: with today’s hardware and prices, if HTTPS is not a problem, then switching fully to HTTPS is the only way out.

I believe we will soon see more and more sites using HTTPS. Meanwhile, if you are a webmaster who has run into these problems, HTTPS can be a good choice. As a user, if you have the option, prefer sites that support HTTPS.

Someone may ask: if HTTPS is used, doesn’t that mean network monitoring is no longer possible, and what about our Great Firewall…? (Well, pretend I never wrote this paragraph.)

PS: The next version of HTTP, HTTP/2, brings its own encryption, but promoting the protocol will take some time, so for now HTTPS remains the way to encrypt web page transmission.
