Web网站SSL/TLS协议配置安全研究  被引量：5

作　　者：胡仁林 张立武[2] HU Ren-Lin ZHANG Li-Wu(University of Chinese Academy of Sciences, Beijing 100049, China Institute of Software, Chinese Academy of Sciences, Beijing 100190, China)

机构地区：[1]中国科学院大学,北京100049 [2]中国科学院软件研究所,北京100190

出　　处：《计算机系统应用》2017年第10期124-132,共9页Computer Systems & Applications

基　　金：国家自然科学基金(61472409;61303247);国家重点基础研究计划(973计划)(2013CB338003)

摘　　要：SSL/TLS协议是目前通信安全和身份认证方面应用最为广泛的安全协议之一,对于保障信息系统的安全有着十分重要的作用.然而,由于SSL/TLS协议的复杂性,使得Web网站在实现和部署SSL/TLS协议时,很容易出现代码实现漏洞、部署配置缺陷和证书密钥管理问题等安全缺陷.这类安全问题在Web网站中经常发生,也造成了许多安全事件,影响了大批网站.因此,本文首先针对Web网站中安全检测与分析存在工具匮乏、检测内容单一、欠缺详细分析与建议等问题,设计并实现了Web网站SSL/TLS协议部署配置安全漏洞扫描分析系统,本系统主要从SSL/TLS协议基础配置、密码套件支持以及主流攻击测试三方面进行扫描分析;之后使用该检测系统对Alexa排名前100万网站进行扫描,并做了详细的统计与分析,发现了不安全密码套件3DES普遍被支持、关键扩展OCSP Stapling支持率不足25%、仍然有不少网站存在Heart Bleed攻击等严重问题;最后,针对扫描结果中出现的主要问题给出了相应的解决方案或建议.The SSL/TLS protocol is one of the most widely used security protocols in communication security and identity authentication. It plays a very important role in ensuring the security of information system. However, due to the complexity of the SSL/TLS protocol, web sites are prone to security vulnerabilities such as code implementation vulnerabilities, deployment configuration defects and certificate key management problems when implementing and deploying SSL/TLS protocols. This type of security problems often occurs in Web sites, which also causes a lot of network security events, affecting a large number of sites. However, the existing methods to analyze and detect web security cannot satisfy the need. First, there are very few tools in this field, and their targets tend to focus on some certain aspects. In addition, these problems need to be further explored to acquire more detailed analysis and recommendations.In this paper, we design and implement a detection system to test the SSL/TLS protocol deployment of web site based on SSL/TLS. Our system performs vulnerability scanning and analysis mainly from three aspects： protocol basic configuration, cipher suites support, and typical attack test. We use it to scan the top 1 million websites of Alexa, and give detailed statistics and analysis. We found that the unsafe cipher suite 3DES is generally supported and the critical expansion OCSP Stapling support rate is less than 25%. What＇s more serious is that there are still many sites suffering from Heart Bleed attacks and many other serious problems. Finally, the corresponding solutions or suggestions are given for the main problems in the scanning results.

关 键 词：WEB网站 SSL/TLS协议 安全漏洞扫描 基础配置 密码套件 

分 类 号：TP393.092[自动化与计算机技术—计算机应用技术]