Three mistakes in website security

Published 2023-12-27 by Chief Editor. 8 minute read.

Original Title: Three Misunderstandings of Website Security

Recently I have talked with the executives of many government websites, and with many business owners, about the fact that their websites are insecure because they have not deployed SSL certificates. The general view was that there is nothing on the website worth encrypting, and nobody could understand why every browser must flag as "Not secure" a website that only displays public information for users to read. All agreed that the browser vendors or the SSL certificate vendors are scaring users in order to sell certificates. Some executives even said: our website has passed the authoritative evaluation of such-and-such body, and it has passed MLPS (the Multi-Level Protection Scheme, "等保") Level 3, so why is it insecure, and why is it supposedly in breach of the law?

From the users' point of view all of this sounds reasonable, but from the point of view of a website security professional these views are wrong. We cannot blame the users, though: the fault lies with our own outreach, which has not been good enough. That is why I wrote this post, in the hope that executives and owners who really care about the security of their websites will read it patiently; there is something here for them. Only when the website is secure can we get on with our business.

The first big mistake: the website has no content that needs encrypting, so there is no need to deploy an SSL certificate

At present, government websites at prefecture, city, county and district level generally only publish local news and information about local features. The e-government systems that actually require users to log in and enter sensitive information have been brought under the unified management of the provincial government service network, and the local government websites only need to link to the corresponding provincial system. Whether the provincial government service website has deployed SSL certificates and implemented https is beyond the jurisdiction of the cities and counties. This is both the reality and the truth of the matter, and from this perspective it is not hard to see why everyone believes https is unnecessary. From the professional perspective of website security, however, https is still needed, for three reasons.

Reason 1: Prevent web page tampering and link hijacking

It is true that municipal, county and district government websites only carry public information and have no login page on which a user name and password need protecting, but they carry a large number of links to the provincial government service network. If the website is not served over https, an attacker on the network path (including any Wi-Fi operator through which the user connects) can easily rewrite the links on the page so that they lead the user to a fake government service website, and thereby obtain the user's name and password for the provincial government service network. It makes no difference that the provincial site itself uses https: the rewritten link simply points somewhere else, and the user never reaches the genuine site. I do not believe this is an outcome the local government websites want to see. These city/county/district government websites that do not use https have become a threat to the security of the provincial government service websites! This is why I have repeatedly called on the authorities in charge of the provincial government service network to require the subordinate city and county official websites to implement https.
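The link rewriting described above, as an added example that is not part of the original post: the first function plays the on-path attacker and rewrites a plaintext page's links to the provincial portal, and the second is a small audit that lists what a page delivered over http exposes. The page, the hostnames and the phishing domain are all constructed for the example.

```python
# Added example (not from the original post): how an on-path attacker rewrites
# links in a plaintext http page, and a small audit of what such a page exposes.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a city portal served over plain http that links to the
# provincial government service portal (both hostnames are hypothetical).
PORTAL_PAGE = """<html><body>
<h1>City portal</h1>
<a href="https://zwfw.example-province.gov.cn/login">Provincial service login</a>
<a href="http://news.example-city.gov.cn/2023/notice.html">Latest notice</a>
<a href="/about.html">About this site</a>
</body></html>"""

PROVINCIAL_HOST = "zwfw.example-province.gov.cn"      # hypothetical
PHISHING_HOST = "zwfw-login.example-attacker.net"     # hypothetical


class LinkCollector(HTMLParser):
    """Collect every href on a page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def tamper_links(html, target_host, phishing_host):
    """What a Wi-Fi operator or any other on-path attacker can do to a page that
    travels over plain http: rewrite every link to target_host so that it points
    at a look-alike site. The scheme is downgraded to http at the same time, so
    the fake site needs no certificate. Nothing in http lets the browser detect
    this; had the page itself been served over https the body could not be
    altered in transit, whatever the provincial site does."""
    pattern = re.compile(r'href="https?://' + re.escape(target_host) + r'(/[^"]*)?"')
    return pattern.sub(
        lambda m: 'href="http://%s%s"' % (phishing_host, m.group(1) or "/"), html
    )


def audit_page(html, page_scheme):
    """Findings for one page: whether the page itself is delivered in plaintext
    (so every link on it, https ones included, can be rewritten) and which
    links send the user on to plaintext destinations."""
    findings = []
    if page_scheme != "https":
        findings.append("page delivered over plain http: every link on it can be rewritten in transit")
    for link in extract_links(html):
        if urlparse(link).scheme == "http":
            findings.append("link to a plaintext destination: " + link)
    return findings


if __name__ == "__main__":
    print(tamper_links(PORTAL_PAGE, PROVINCIAL_HOST, PHISHING_HOST))
    for finding in audit_page(PORTAL_PAGE, "http"):
        print("-", finding)
```

The audit deliberately reports the page's own scheme first: an https link inside an http page buys nothing, because the attacker rewrites the page before the browser ever sees the link.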

Reason 2: Protect the user privacy of website visitors

I first saw this reason on Google's official website more than ten years ago. When Google moved its search service to https, it explained why the search page needs encryption to protect users' privacy: without it, the keywords a user searches for can easily be captured by others. A user may be searching for a solution to a very private problem, and if the search site is not encrypted, other people can see what he or she is searching for and which results he or she clicked. That exposes personal privacy; isn't that frightening?

Although everything on municipal, county and district government websites is publicly readable, users still do not want unrelated parties to know what they are reading, and that requires https. These websites should be encrypted to protect the privacy of people's online behaviour, in keeping with the principle of "people first", so that citizens can browse their local government's website with confidence and with a greater sense of security and well-being.

Reason 3: Eliminate the "Not secure" warning shown by all browsers

All browsers flag websites that do not use https as "Not secure", not in order to promote SSL certificates, but because, as explained above, such sites really are insecure. If the two reasons above are not enough, then for the sake of appearances alone the "Not secure" warning should be dealt with. When users see the browser warn that a website is "Not secure", their first impression of the website cannot be good, and they will not dare read further unless they have no alternative.

The only way to get rid of the browser's "Not secure" warning is to serve the website over https. A website can do this by deploying an SSL certificate on its own server or by putting the site behind a cloud WAF; either way, all browsers will then show the padlock and no warning. Free SSL certificates and very cheap paid certificates are available today, so cost is not an obstacle. If you do not want to touch the website and do not want the trouble of applying for and installing a certificate, you can buy a website security cloud service: three DNS record changes turn the original website into the origin server of the WAF/CDN, which then provides https and cloud WAF protection automatically. One caveat: with this arrangement the browser's connection is encrypted only as far as the WAF/CDN, so make sure the WAF's connection back to the origin server is also configured to use https; otherwise that leg stays in plaintext.

The second big mistake: my company's website is so small that there is nothing on it worth attacking

This misconception is held by many business owners. In the current climate it is not easy for small and medium-sized enterprises to survive, so their owners think: "my website has nothing worth stealing, so it needs no encryption and no protection", or "my small company's website will not attract hackers' attention". As a result, a large number of SME websites have no SSL certificate, are accessed over plaintext http, and have no other security measures at all.

In fact, if a website has no protection at all, attackers use automated tools to find such unprotected websites and implant trojans automatically, turning the website into a "zombie" (肉鸡) and a "henchman" for attacking other systems. That is the main reason small business websites are the most common victims of attacks such as trojan implants, web page defacement, SQL injection, database theft ("dragging the database") and email fraud. According to a report released by the National Internet Emergency Center (CNCERT), 53,171 websites in China had back doors implanted in 2020, including 256 government websites! Such attacks not only disrupt normal access to the website; the owner also faces compliance pressure under the Cyber Security Law and may receive administrative penalties.

What should be done? Both https and cloud WAF protection are needed, and they address different things. https prevents page code being modified and attack links being injected while the page is in transit; it does nothing against attacks on the application itself, such as SQL injection. A cloud WAF blocks those attacks in real time, protecting the confidential information on the website and the enterprise's valuable user and business data.

According to a 2021 Gartner report, by 2024 70% of organisations will protect their web applications with a cloud WAF, because attacks on websites have become routine regardless of the website's size and whether it holds valuable data. To protect the enterprise's data and keep the website running normally and reliably, it is recommended to use a website security cloud service that provides https and cloud WAF protection in one step, so that website owners can concentrate on their own business without worrying about whether the website is up.

The third mistake: only the login page needs encryption; other pages do not

That this question comes third does not mean it is unimportant; it was simply necessary to explain first why the website needs https at all. The websites concerned here have implemented https for the login page, but once the user is authenticated the site drops back to plaintext http. This is common on many government websites, government service websites, university websites and e-commerce websites.

First, credit where it is due: using https on the login page does ensure that the user name and password the user enters are transmitted encrypted. But the pages after login must be encrypted too, because what lies behind the login is the most important data that needs protecting: the user's personal information, order details, delivery addresses and so on. These are core assets of the enterprise; how can they be left unprotected? If the pages carrying this data are not encrypted, an attacker does not need to attack the login system at all. They simply capture the traffic after the user has logged in and read the confidential data off government and corporate websites without mounting any attack. Worse, the session cookie issued at login is then sent in plaintext with every subsequent request, so the attacker can take over the logged-in session as well.

The picture below is the promotional graphic for full-site https that the author used more than ten years ago. It still applies today, because many websites only implement https on the login page. Full-site https effectively prevents man-in-the-middle attacks, leakage of important confidential data and loss of valuable customer information, and must be taken seriously.
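An added example, not part of the original post, that checks both the deployment points made under Reason 3 (plain http must redirect to https, and the padlock must hold on every page) and the "encrypted login page, plaintext afterwards" problem just described. It runs offline over a constructed record of two crawls of the same hypothetical site, one before and one after full-site https; the hostname, paths and cookie values are made up.

```python
# Added example (not from the original post): an offline "https everywhere"
# audit over a constructed crawl record. Hostname and values are hypothetical.
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Observed:
    """One response as a crawler would record it (header names lower-case)."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    set_cookies: list = field(default_factory=list)


HSTS = "strict-transport-security"

# Constructed crawl of a "login page only" https site: the login form is
# encrypted, but the redirect after authentication lands on plain http.
LOGIN_ONLY_SITE = [
    Observed("http://shop.example-corp.cn/", 200),
    Observed("https://shop.example-corp.cn/login", 200),
    Observed("https://shop.example-corp.cn/do_login", 302,
             {"location": "http://shop.example-corp.cn/account"},
             ["session=abc123; Path=/; HttpOnly"]),
    Observed("http://shop.example-corp.cn/account", 200),
    Observed("http://shop.example-corp.cn/orders", 200),
]

# The same site after full-site https was deployed.
FULL_HTTPS_SITE = [
    Observed("http://shop.example-corp.cn/", 301,
             {"location": "https://shop.example-corp.cn/"}),
    Observed("https://shop.example-corp.cn/login", 200,
             {HSTS: "max-age=31536000; includeSubDomains"}),
    Observed("https://shop.example-corp.cn/do_login", 302,
             {"location": "https://shop.example-corp.cn/account",
              HSTS: "max-age=31536000; includeSubDomains"},
             ["session=abc123; Path=/; Secure; HttpOnly"]),
    Observed("https://shop.example-corp.cn/account", 200,
             {HSTS: "max-age=31536000; includeSubDomains"}),
]


def audit_site(observed):
    """Return a list of findings; an empty list means https everywhere."""
    findings = []
    for r in observed:
        scheme = urlparse(r.url).scheme
        if scheme == "http" and r.status == 200:
            findings.append(f"{r.url}: content served in plaintext (expected a 301 to https)")
        location = r.headers.get("location")
        if location and urlparse(location).scheme == "http":
            findings.append(f"{r.url}: redirects the browser to plaintext {location}")
        if scheme == "https" and HSTS not in r.headers:
            # Browsers ignore HSTS on http responses, so only https pages are checked.
            findings.append(f"{r.url}: no Strict-Transport-Security header")
        for cookie in r.set_cookies:
            name = cookie.split("=", 1)[0]
            attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
            if "secure" not in attrs:
                findings.append(f"{r.url}: cookie {name!r} lacks Secure and will be sent over http")
    return findings


if __name__ == "__main__":
    for finding in audit_site(LOGIN_ONLY_SITE):
        print("-", finding)
    print("full-site https findings:", audit_site(FULL_HTTPS_SITE))
```

The cookie check is what catches the session-hijacking case: a session cookie set at login without the Secure attribute is sent along with every plaintext request that follows, so the login page's encryption protects the password but not the session it creates.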

Finally, the author summarizes two important points:

All websites must implement https, regardless of the website's size and the nature of the organisation running it.
To implement https you do not have to modify the server yourself: you can choose a cloud service that implements https and cloud WAF protection in one step, secures the website in several ways, and at the same time meets the compliance requirements of the Cryptography Law and the Cyber Security Law.

This article was written by Chief Editor and published on Software Development of Little Turkey; please credit the source when reprinting: //hongchengtech.cn/blog/3248.html
