Sites that handle sensitive or personally identifiable information should already be using the secure communications protocolHTTPS to deliver their webpages so data exchanged between their servers and users is encrypted usingSSL/TLS. However, website administrators are being encouraged to deploy Web server digital certificates and active HTTPS on all their sites and pages -- even if they don't transmit sensitive information -- as the authentication and encryption they provide prevents any third party from seeing, recording or tampering with the content of a user's session. For example, Google gives sites that use a 2048-bit key certificate a minor ranking boost, while the White House Office of Management and Budget has published a new standard -- "The HTTPS-Only Standard" -- recommending HTTPS on all federal websites and Web services.
There are various reasons why HTTPS isn't universally used on the Internet, but primarily it's the cost of certificate acquisition, installation, configuration and rotation. (The argument that HTTPS requires more server resources and slows down page-load times is no longer valid, as protocols like SPDY and HTTP/2 can actually reduce load times -- see a comparison here.) For enterprises, the management of a large number of digital certificates has high operational costs, but an SSL subscription service from Utah-based HydrantID is looking to change this by making SSL certificate management cheaper and easier.
A subscription to the HydrantID service gives an enterprise access to a cloud platform for easy SSL certificate management, with certain types of SSL certificates priced on a monthly basis. The aim is to allow enterprises to manage all their certificates centrally and reduce the risk of failing to renew certificates due to poorly managed internal certificate records. This type of SSL certificate management service will appeal to some enterprises as long as they have confidence in HydrantID's cloud-based system and the infrastructure behind its issuance of certificates. Confidence in certificate authorities' hierarchy of trust isn't great due to several instances of incorrect issuance of certificates by CAs, which have enabled hackers to abuse fraudulent certificates and launch a wide range of attacks, such as website spoofing, server impersonation and man-in-the-middle attacks.
An HTTPS-only Internet would offer better security and privacy for everyone, and there is certainly room in the marketplace for companies offering alternative ways of purchasing and managing digital certificates; StartSSL, for example, offers free digital certificates, as well as Class 2 and Class 3 certificates for less than $60. Whichever CA and type of certificate enterprises choose, administrators should ensure they areinstalled correctly, that webpages don't contain any content that is transmitted over unencrypted HTTP -- including content from third-party sites -- and implement the HTTP Strict Transport Security response header so if a user requests a page over HTTP, it is automatically upgraded by the browser to HTTPS before the request is sent.
searchsecurity
Không có nhận xét nào:
Đăng nhận xét