"Three Misunderstandings of SSL Certificate" Continued
Sept. 21, 2022

The author published an article, "Three Misunderstandings of SSL Certificate", in China Computer World on January 31, 2005. Although it is an article from 18 years ago, it still reads well today, even if the text promotes the GeoTrust certificate somewhat, because the author had only just started selling GeoTrust SSL certificates at the time. It may well have been the first article about SSL certificates in an authoritative Chinese newspaper. Eighteen years on, the author revisits this topic on the CEO blog, which should bring readers some new ideas.

Eighteen years ago, only a few online banking websites had deployed SSL certificates; now almost all of them have. All e-commerce websites have implemented HTTPS encryption, and some government websites have also deployed SSL certificates on their login pages. In other words, there has been progress, but the author, as one of the promoters and leaders of SSL certificates in China, still feels the pace could be faster. In the current new and uncertain international situation in particular, it is important and urgent to vigorously promote and correctly deploy the SM2 SSL certificate.

Part I Three Misunderstandings of SSL Certificates

Misunderstanding 1:
Thinking that SSL certificates are only used for websites. In fact, SSL certificates are needed in many places.

Websites need SSL certificates; there is no doubt about that. Through the efforts of the major browsers, a website that does not deploy an SSL certificate is shown as "Not secure" in the browser address bar, because the confidential information users enter on it is not encrypted by HTTPS. Data transmitted in cleartext is very easy to steal and misuse. E-government websites deserve particular attention here, because everything users enter on them is confidential information.

However, deploying an SSL certificate on a website is not enough. Mobile apps have become almost the primary way of obtaining information, and browsers have fallen to second place. At present, many mobile apps do not use HTTPS when communicating with their servers. Unlike a browser, an app shows no obvious "Not secure" prompt, which makes this security problem very serious. Moreover, the lack of effective supervision lets app developers, intentionally or unintentionally, ignore deploying SSL certificates on the servers their apps communicate with, resulting in frequent app data leaks.

In addition, a mail server needs SSL certificates not only for its web pages: the SMTP and IMAP/POP3 servers must also deploy SSL certificates to protect email account passwords and email content in transit. More urgent still, many IoT devices (including the Internet of Vehicles and the Industrial Internet) currently collect data and communicate with the cloud over cleartext HTTP, which leaves them very vulnerable to malicious attack. This is why there have been several recent large-scale DDoS attacks launched from IoT devices.

Every application that transmits data from a client to the cloud needs an SSL certificate on the server to implement HTTPS encrypted transmission, not just those whose client is a browser. This is the only reliable and necessary technology that can ensure the security of data in transit.

Misunderstanding 2:
Thinking that once the website has installed an SSL certificate, everything will be fine. In fact, deploying the SSL certificate correctly may matter more than installing it.

It is necessary to install an SSL certificate for the website, but it is more important to deploy it correctly. If the website is a house, not deploying an SSL certificate means only one door (port 80) is open to the outside world, while deploying one opens another door (port 443). If the SSL certificate is deployed incorrectly, that second door is another risk. The usual deployment problems are leaving the insecure SSL 2.0/3.0 and TLS 1.0/1.1 protocols enabled, not disabling insecure cipher suites, not supporting secure renegotiation, and so on. Most important of all: once the SSL certificate is deployed, close the unencrypted door (port 80), use only the encrypted door (port 443), and check the deployment with a third-party SSL deployment security test service; the result must score A or above.

At the same time, the SSL certificate must not be deployed only on the website's login authentication system; HTTPS encryption must be enabled site-wide, because the pages after login contain a great deal of confidential user information, which is as important to protect as the login password, and site-wide HTTPS encryption effectively prevents SSL man-in-the-middle attacks.
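As an added illustration of the deployment points above (not a configuration from the original post or from ZoTrus), the following Nginx configuration shows the weak deployment first and the corrected one beneath it; it also shows the RSA/ECC certificate pair that the post's later recommendation of dual-certificate, adaptive-algorithm deployment relies on. The host name and certificate paths are placeholders, and the SM2 certificate directives are omitted because they depend on which SM2-capable Nginx build is used.

```nginx
# Weak deployment (the pattern warned against above): port 80 still serves the
# site, and legacy protocols and cipher suites remain enabled on port 443.
server {
    listen 80;
    server_name www.example.com;               # placeholder host name
    root /var/www/site;                        # cleartext copy of the site
}
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/ssl/example/rsa.crt;   # placeholder paths
    ssl_certificate_key /etc/ssl/example/rsa.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; # SSL 3.0 and TLS 1.0/1.1 still on
    ssl_ciphers ALL;                            # legacy cipher suites accepted
}

# Corrected deployment: the unencrypted door only redirects, TLS 1.2+ only,
# modern AEAD cipher suites, OCSP stapling, HSTS, and two certificates so that
# each client negotiates the algorithm it supports (site-wide HTTPS, not only
# the login page).
server {
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri;       # close the unencrypted door
}
server {
    listen 443 ssl;
    server_name www.example.com;
    root /var/www/site;
    # Nginx selects the RSA or ECC certificate per client handshake; an SM2
    # certificate would be added in the same way on an SM2-capable build.
    ssl_certificate     /etc/ssl/example/rsa.crt;
    ssl_certificate_key /etc/ssl/example/rsa.key;
    ssl_certificate     /etc/ssl/example/ecc.crt;
    ssl_certificate_key /etc/ssl/example/ecc.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_stapling on;                            # staple OCSP so revocation is checkable
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=63072000" always;
}
```

After reloading, run the third-party SSL deployment test the post mentions against the host; the legacy-protocol and cipher findings disappear once the second pair of server blocks is in place.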

For mobile apps, HTTPS support means more than simply enabling encryption. The app must also check that the domain name of the server it communicates with matches the domain name bound to the SSL certificate, that the certificate has not been revoked, and that the certificate is one the app trusts. The default mode of the Android system does not make these checks; app developers need to add them in their own code. This is a relatively common app security problem the author has found, and it deserves close attention from app developers, especially those of online banking apps. The author will write a separate blog post guiding users on how to solve it.

Misunderstanding 3:
Thinking that installing an SSL certificate is enough. It is not: you should deploy an SSL certificate that has validated the identity of the website.

Which attribute of an SSL certificate matters more, encryption or identity authentication? This has been debated many times in the CA/Browser Forum. Browsers do not recognize the importance of website identity: they removed the green address bar for websites with EV SSL certificates, so a website with a DV SSL certificate, which only validates domain name ownership, shows the same padlock as one with an EV SSL certificate that strictly validates the website's identity. These browsers think that as long as the connection is encrypted it is secure, and they do not realize the importance of website identity validation. In fact, the trusted identity of the website is as important as encryption. A fake bank website can also deploy an SSL certificate, and the browser will display the padlock for it too, which is more hidden and more harmful than a fake bank website without one.

Therefore, ZT Browser not only insists on displaying a green address bar for EV SSL certificates, but also innovatively displays the identity information of websites that deploy an OV SSL certificate, so as to reflect the value of the website's validated identity.


Please remember the saying: cheap is not good, and good is not cheap. Free SSL certificates and cheap DV SSL certificates do not verify the identity of the website; they cannot convince visitors of who runs the website and cannot truly guarantee its security. So do not assume everything is fine once you have deployed a free or cheap DV SSL certificate that does not validate the website's identity. Deploy an OV SSL certificate that validates the identity of the website, or an EV SSL certificate that validates it strictly; ZT Browser displays EV SSL websites with a green address bar so that visitors see the website's identity at a glance, which enhances online trust and wins more online orders.

Part II Three Misunderstandings of SM2 SSL Certificates

In the current very uncertain international situation, and given that many SSL certificates were revoked and supply was cut off after the Russian-Ukrainian conflict, Chinese websites must not only deploy SSL certificates correctly but also deploy SM2 SSL certificates as soon as possible, to guard against a similar threat of certificate revocation and supply interruption. There are three misunderstandings about SM2 SSL certificates as well. They must be corrected in time to ensure the healthy development of the SM2 SSL certificate and truly protect the security of Chinese website systems.

SM2 SSL Misunderstanding 1:
Believing that there is no need to deploy an SM2 SSL certificate as long as an RSA SSL certificate is deployed.

In peacetime it is fine to deploy SSL certificates with RSA or ECC algorithms. But after the Russian-Ukrainian conflict began on February 24, the top three CAs, which hold more than 99% of the China market share, revoked more than 3000 SSL certificates within 10 days. Those certificates belonged to Russian government and bank websites, which could then no longer be accessed normally. Not only that, these CAs also stopped issuing SSL certificates for these websites on the 7th day after the conflict began. Aren't these lessons worth our vigilance? Are we still naive enough to believe this cannot happen to China someday?

Deploying only an RSA SSL certificate can no longer protect the security of Chinese websites! China must plan ahead, take precautions, and popularize and deploy the SM2 SSL certificate as soon as possible. Only in this way can we truly protect the security of Chinese websites and systems.

SM2 SSL Misunderstanding 2:
Believing that the technical conditions for deploying SM2 SSL certificates are not mature. In fact, they are relatively mature.

This is also a relatively common misunderstanding: because Google Chrome does not support the SM2 algorithm, the conditions for popularizing and deploying SM2 SSL certificates are supposedly not mature, and this is an ecosystem problem that cannot be solved in the short term. Yes, it is an ecosystem: to use an SM2 SSL certificate for HTTPS encryption, at least three products must support the SM2 algorithm: the browser, the SSL certificate and the web server. But many products from many companies already support the SM2 algorithm, and they can fully meet the compliance requirements for deploying an SM2 SSL certificate and realizing SM2 HTTPS encryption.

The first is the browser. ZT Browser, Red Lotus Browser, Qianxin Browser and 360 Browser all already support the SM2 algorithm and SM2 SSL certificates, and ZT Browser is a completely free SM2 browser.

The second is the SSL certificate. More than a dozen domestic CA operators can issue SM2 SSL certificates and have the capacity to supply enough of them to the market. The author recommends that websites deploy a dual SSL certificate (SM2/RSA) to implement adaptive-algorithm encryption, so that visitors using both SM2 browsers and non-SM2 browsers can establish HTTPS encryption normally. CerSign Technology plans to provide a 90-day free SM2 SSL certificate, which together with its 90-day free RSA SSL certificate allows dual SSL certificate deployment for free.

The third is the web server. The most common solution is to recompile Nginx to support the SM2 algorithm. Several Nginx SM2 support modules are on the market, and ZoTrus Technology plans to provide one for free. If the user runs another web server, Nginx can be placed in front of it as a proxy that supports the SM2 algorithm, realizing SM2 HTTPS encryption.

SM2 SSL Misunderstanding 3:
Thinking that the whole system must be transformed to realize SM2 HTTPS encryption. In fact, SM2 HTTPS encryption can be achieved without any transformation.

Readers can see from the second misunderstanding that to realize SM2 HTTPS encryption the web server must be transformed, the browser usually used must be replaced with one that supports SM2, and dual SSL certificates must be deployed to serve users' different browsers. This is indeed somewhat more complicated than deploying an RSA SSL certificate.

ZoTrus Technology is well aware of this pain point and has solved it with the ZoTrus Website Security Cloud Service, which is based on Alibaba Cloud CDN and WAF cloud services and automatically configures an SM2 SSL certificate and an ECC SSL certificate for the website, implementing adaptive-algorithm HTTPS encryption fully automatically. Users only need to set up 3 domain name resolution records; zero transformation is required to achieve SM2 HTTPS encryption.

Zero transformation will certainly become the common way to obtain SM2 HTTPS encryption, because what users need is SM2 HTTPS encryption, not an SM2 SSL certificate as such. And website security requires not only HTTPS encryption but also multi-faceted protection, including WAF protection, CDN distribution and website trusted identity validation.


In summary, full deployment of SSL certificates on all websites and information systems is inevitable, especially with the implementation of the Cryptography Law, the Cyber Security Law, the Data Security Law and the Personal Information Protection Law, which make all-round, extensive and correct deployment of SSL certificates a must; and Chinese websites must deploy SM2 SSL certificates to truly ensure the security of their websites and systems.

Photo: China Computer World, January 31, 2005, edition B27, article "Three Misunderstandings of SSL Certificate".
