With the strengthening of information security management in China, the importance of website security is self-evident, since websites handle all kinds of data from people's lives. Yet many websites run by enterprises, organizations or individuals are still in an "unsafe" state. The following is a very simple way to help companies check whether their websites have security flaws in information transmission.
Step 1: Open a browser on the computer (IE, Firefox, Google, 360, etc.). Enter the domain name or IP address of the company website in the browser (some business systems are accessed directly through the IP address) and wait until the website page is displayed normally.
Step 2: Observe the status of the browser address bar. Different browsers display the address in the address bar in different ways.
If the website address starts with "https" (usually with a lock sign) and there is no abnormal prompt, congratulations. Your website has a security certificate, which ensures that website data is encrypted over https during transmission.
If any of the following conditions occurs:
1. "Unsafe" appears in the browser address bar;
2. The small lock sign is marked as unavailable by a red cross (×), a slash, etc.;
3. "https" is marked with a red strikethrough;
4. The website address has only "http", and after manually adding the "s" to make it "https", the website cannot be opened.
This indicates that the website needs immediate rectification.
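The same check can be scripted for many sites at once. The following is an added example, not part of the original article: it attempts a certificate-verified TLS handshake with Python's standard library and maps the outcome to the symptoms listed above. The function names, status labels and finding texts are assumptions made for this illustration.

```python
import socket
import ssl
import sys

# Finding texts are written for this example and follow the article's checklist.
FINDINGS = {
    "ok": "https with a verified certificate; data is encrypted in transit",
    "cert_invalid": "certificate rejected; a browser would cross out the lock or strike through https",
    "tls_error": "TLS handshake failed; the port does not offer usable https",
    "unreachable": "no https service answered; the site can only be opened over http, if at all",
}


def probe_https(host, port=443, timeout=5.0):
    """Attempt a verified TLS handshake and return (status, detail)."""
    ctx = ssl.create_default_context()  # verifies the CA chain and the host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return "ok", f"{tls.version()}, certificate valid until {cert['notAfter']}"
    except ssl.SSLCertVerificationError as exc:  # expired, self-signed, wrong name
        return "cert_invalid", exc.verify_message
    except ssl.SSLError as exc:  # e.g. plain http served on the https port
        return "tls_error", str(exc)
    except OSError as exc:  # refused, timed out, or the name did not resolve
        return "unreachable", str(exc)


def report(host, port=443, timeout=5.0):
    """Summarise one host: status, matching finding, and whether to rectify."""
    status, detail = probe_https(host, port, timeout)
    return {"host": host, "status": status, "finding": FINDINGS[status],
            "detail": detail, "rectify": status != "ok"}


if __name__ == "__main__":
    # Usage: python check_https.py www.example.com 192.0.2.10
    for name in sys.argv[1:]:
        print(report(name))
```

Any status other than "ok" corresponds to one of the conditions above and means the site needs rectification.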
Click on the security warning, and you will usually see a similar prompt:
Cause analysis:
The main reason why the browser warns about the website or marks it as "unsafe" is that no SSL security certificate was deployed after the website went online. The SSL security certificate is a digital certificate that enables the website to use https encrypted transmission.
A simple explanation: if the website provides access over "https", all data exchanged between users and the website, including the account number, password, bank card and other information registered on the website, is encrypted before transmission. The user's data will not be disclosed, monitored or tampered with in transit between the client computer and the website server.
If there is no https, only traditional http, all data is transmitted in clear text. Data transmitted in plaintext can easily be intercepted and read, which is alarming when you think about it.
Therefore, in order to urge website operators to improve their security policy as soon as possible, and to warn users of the security risks, browsers mark websites without https as "unsafe".
In fact, deploying an SSL security certificate and enabling https encryption does more than remove the browser's unfriendly warnings about the website. It has further significance:
1. Protect the data security of websites and users, and fulfill website security obligations.
It is the duty of website operators to establish standard https links for websites and ensure the security and integrity of user data transmission.
2. Improve the company image and user trust.
Compliant https removes unfriendly risk warnings such as the browser's "unsafe" label and replaces them with a small lock symbol that signifies security, improving the website's image and user trust in the website.
3. Display the real identity of the website to help users identify the real website.
With an organization-validated SSL certificate, users can click the small lock mark in the browser address bar to check the identity of the organization behind the website. This helps them confirm that the current website is the one they intended to visit, and so effectively identify fake and fraudulent websites.
4. A secure and compliant https link clears a key step for cooperation between the website and other platforms.
Large Internet platforms require partner websites to install SSL certificates and use https secure links. An SSL certificate is part of PCI compliance, and it is also a condition required of partners by platforms such as WeChat mini programs, iOS download and Douyin (the relevant official instructions can be looked up online).
5. Respond to the requirements of relevant policies on website security, and make the website's security measures more complete and compliant.
(1) The Basic Requirements for Classified Protection of Information Security Technology Network Security (i.e. "Classified Protection Technology of Network Security 2.0", referred to as "Equal Protection 2.0") clearly points out that verification technology or cryptographic technology should be used to ensure the integrity and confidentiality of important data during transmission, creating a secure communication channel and thus protecting personal information security.
(2) The Notice on Strengthening the Security Management of Party and Government Organs' Websites, issued by the Central Leading Group Office for Cybersecurity and Informatization on May 9, 2014, clearly pointed out that it is necessary to strengthen the construction of the technical protection system of party and government organs' websites: "From the perspective of business needs, establish a website security protection system with anti-tampering of web pages, anti-hijacking of domain names, anti-attack of websites, and cryptographic technology, identity authentication, access control, security audit as the main measures. We will effectively implement the requirements of the information security hierarchy protection system, do a good job in the classification, filing, construction, rectification and management of party and government websites, strengthen the security management of mobile applications of party and government websites, and improve the website's ability to prevent tampering, viruses, attacks, paralysis, and leakage of secrets."
(3) The Notice of the General Office of the State Council on Printing and Distributing the Guidelines for the Development of Government Websites (GBF [2017] No. 47) also emphasizes the security strategy of websites.
6. Follow the optimization recommendations of Baidu, Google and other search engines, so that the website can get a better ranking.
In May 2015, Baidu released the Announcement on Baidu's Opening and Including https Sites, saying that, from the perspective of relevance, Baidu's search engine considers pages using the https protocol to be more secure, and among sites with the same weight value they will be given priority in ranking.
The relevant person in charge of Google's search engine has also publicly said that https sites can gain better ranking weight.
So how do you implement https for a website?
Step 1: Apply for a website security digital certificate.
Log in to the Wotong Digital Certificate Store (buy.wosign.com). You can apply by yourself or contact customer service to select the appropriate version of website security certificate for you. Whether you have one domain name or multiple domain names, or the website is accessed directly by an IP address, there is an SSL security certificate type to fit.
Step 2: Deploy the website security certificate.
Wotong CA provides deployment documents and engineer support to help you quickly complete the https transformation of the website.