ZoTrus HTTPS Automation Cloud Service is an innovative cloud service based on the Alibaba Cloud WAF/CDN service that delivers SM2 https encryption and cloud WAF protection with zero reconstruction. ZoTrus Cloud SSL System automatically connects to the Alibaba Cloud WAF/CDN system and configures dual-algorithm, dual SSL certificates into Alibaba WAF/CDN, implementing SM2 https encryption and cloud WAF protection fully automatically. The website system does not need to apply for SSL certificates from a CA or purchase WAF/CDN services separately, and the original web server needs zero changes. The service automatically provides cryptography compliance, globally trusted https encryption and cloud WAF protection, meeting the website security requirements of both cybersecurity compliance and cryptography compliance.
In the traditional mode, users need to spend time, effort, and money to purchase and apply for an SSL certificate from the CA. After obtaining the SSL certificate, they need to manually install and configure it on the server, or install ACME client software on the server to connect to the CA service; only then can the website use the SSL certificate to implement https encryption. In the Web Security 2.0 mode, users only need to set CNAME resolution once, and the SSL certificate is automatically configured on the cloud WAF to implement https encryption.
As shown in the left figure below, the visitor uses the http protocol to access the web server. Since the http protocol is transmitted in cleartext, all browsers will display "Not secure" in the address bar or display an unencrypted padlock, because all information transmitted from the browser to the server is highly likely to be illegally intercepted and illegally tampered with. As shown in the right figure below, after purchasing the ZoTrus Website Security Cloud Service, customers only need to set a CNAME record. The Cloud SSL service then connects to the ZoTrus Cryptographic Service, obtains a publicly trusted SSL certificate and configures it in the cloud WAF system, all automatically, to provide HTTPS encryption and WAF protection. All browsers will automatically use HTTPS encryption, and the security padlock will be displayed.
The Cloud SSL service applies for the SSL certificate and configures it on the cloud WAF for https encryption fully automatically. Users do not need to spend time, effort, and money to apply for an SSL certificate from a CA, and do not need to install any ACME client software on the server. It fully supports virtual hosting websites without an independent server: wherever a website is hosted, it can get https encryption simply by turning the original website into a source website, so https encryption is available to all websites.
As shown in the figure below, ZoTrus Cloud SSL service automatically applies for and obtains SSL certificates for customers, then calls the Alibaba Cloud WAF API to configure those certificates in the WAF system, so that HTTPS and WAF services are implemented automatically. Alibaba Cloud WAF is a web security solution for hybrid cloud scenarios. It synchronizes on-cloud threat intelligence and protection capabilities to off-cloud protection nodes in real time to achieve unified security protection policy management. It supports common web attack protection, including SQL injection, XSS, Webshell upload, directory traversal, etc. It automatically updates the protection rules for the latest web 0day vulnerabilities and supports anti-tampering of webpages, hotlink protection, and anti-brute force cracking. It supports default and custom CC protection policies to mitigate HTTP-Flood attacks, and supports elastic expansion through local exclusive cluster deployment. It is deployed with dual protection nodes by default, and it supports HTTP and HTTPS as source connections. If customers choose the https source connection, ZoTrus Cloud SSL service provides a free SSL certificate for the https source connection.
With the cloud WAF security protection for websites, there will be no more website attacks, website crashes, web page tampering and SQL injection. The leading Alibaba Cloud Web Application Firewall provides 7x24x365 days of security protection, so customers can concentrate on their own business and no longer worry about the website being attacked or confidential information leaking in transmission.
The fact that a website implements https encryption and WAF protection does not mean that the website is secure, nor does it mean that users can trust the website. According to the principle of zero trust, never trust websites that have not been validated by a third party. A DV SSL certificate deployed on a website only proves that the domain name of the website is real; it does not validate the website's identity. A fake bank website can register a domain name like the real bank's and apply for a DV SSL certificate. For example, the domain name of ICBC is icbc.com.cn, and the domain name of the fake ICBC website is 1cbc.com.cn. This fake ICBC website can get a DV SSL certificate, which makes the browser display the same security padlock as for the real ICBC website.
Therefore, we strongly recommend that customers deploy OV SSL certificates and EV SSL certificates to validate the identity of the website, because the real identity of the website is as important as transmission encryption and security protection. For customers that have purchased ZoTrus Website Security Cloud Service, each edition includes the most stringent website identity validation service, EV Certification, for free. ZT Browser will display the green address bar and organization name, so that customers enjoy the trinity of website security services: https encryption, WAF protection and trusted identity.
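The icbc.com.cn / 1cbc.com.cn case above is one a site owner can screen for on the defensive side. The following is an added example, not part of the original page or of ZoTrus's service: it flags hostnames that are visually confusable with a protected domain. The confusable-character map and the sample list are constructed for illustration and are not complete.

```python
# Added example: flag hostnames that look like a protected domain.
# CONFUSABLE is a small constructed subset of look-alike characters.
CONFUSABLE = {"0": "o", "1": "l", "i": "l", "5": "s", "3": "e", "8": "b"}

def normalize(host: str) -> str:
    """Lower-case the name and drop whitespace and a trailing root dot."""
    return host.strip().lower().rstrip(".")

def skeleton(host: str) -> str:
    """Fold visually similar characters so look-alike names collapse together."""
    folded = normalize(host).replace("rn", "m").replace("vv", "w")
    return "".join(CONFUSABLE.get(ch, ch) for ch in folded)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate: str, protected: str) -> str:
    """Return 'exact', 'confusable', 'near' or 'unrelated' for one hostname."""
    cand, prot = normalize(candidate), normalize(protected)
    if cand == prot:
        return "exact"
    if skeleton(cand) == skeleton(prot):
        return "confusable"   # differs only by look-alike characters
    if edit_distance(cand, prot) <= 1:
        return "near"         # one inserted, deleted or substituted character
    return "unrelated"

# Constructed sample input; only the first two names appear on the page.
SAMPLES = ["icbc.com.cn", "1cbc.com.cn", "ICBC.com.cn.", "icbcc.com.cn", "example.com"]

def review(protected: str = "icbc.com.cn") -> dict:
    """Classify every sample name against the protected domain."""
    return {name: classify(name, protected) for name in SAMPLES}

if __name__ == "__main__":
    for name, verdict in review().items():
        print(f"{name:16} {verdict}")
```

Names reported as `confusable` or `near` are the ones for which a DV certificate and a padlock say nothing about who operates the site.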
For customers that have purchased the Basic Edition service, a DV SSL certificate that only validates the ownership of the domain name will be automatically configured. The certificate issuing CA does not validate the website identity. The website identity validation is completed by ZoTrus according to the extended validation standard. Therefore, even though a DV SSL certificate is deployed, since the website identity validation has been completed, the ZT Browser will display the same green address bar and organization name as if an EV SSL certificate were deployed. This is an innovative solution that separates https encryption from website identity validation and unifies quick validation for obtaining the SSL certificate with quick local website identity validation. As shown in the figure below, the display effect of the ZT Browser for the website that has purchased the Basic Edition service is the same as for a website deploying an EV SSL certificate. The picture on the right shows the effect displayed by Google Chrome: click the security padlock, and the SSL certificate you see is a DV SSL certificate.
For customers that have purchased the Pro Edition, an OV SSL certificate that validates the identity of the website will be automatically configured. The website identity validation is completed by the world's top CA in strict accordance with international standards. The SSL certificate already contains the website organization name and other information. On this basis, the EV validation is completed by ZoTrus according to the extended validation standard, and ZT Browser will display the same green address bar and organization name as if an EV SSL certificate were deployed. As shown in the figure below, the display effect of the ZT Browser for the website that has purchased the Basic Edition service is the same as for a website deploying an EV SSL certificate. The picture on the right shows the effect displayed by Google Chrome: click the security padlock, and the SSL certificate you see is an OV SSL certificate.
For customers that have purchased the Extended Pro Edition, an EV SSL certificate that provides extended validation of the website's identity will be automatically configured. The website identity validation is completed by the world's top CAs in strict accordance with international standards. The SSL certificate already contains information such as website organization name and registration information. ZT Browser will directly display the green address bar and the organization name from the SSL certificate in the address bar, as shown in the left figure below. Other browsers still only display the security padlock, as shown in the middle figure below, but if you click the padlock to view the certificate, you can see the organization name of this website, as shown in the right figure below.
ZoTrus HTTPS Automation Cloud Service is not only a zero trust security service designed for website security, but also a cloud-native service. All services are provided directly through cloud services. Users do not need to install SSL certificates on their own servers, nor do they need to install ACME clients. It is a three-in-one, three-dimensional protection. The main advantages and characteristics are:
Customers do not need to apply for an SSL certificate from the CA and do not need to install an SSL certificate on the server, nor do they need to install any client software on the Web server for automatic certificate deployment. Customers don't even need to care what an SSL certificate is: just purchase the Service, set up CNAME resolution twice, and enable the https encryption service in 10 minutes. Using https encryption to protect confidential website information does not depend on whether the website runs on a dedicated server or a virtual hosting server. If the website is accessible, https encryption can be automatically enabled. This is an inclusive security service without any other prerequisites.
ZoTrus HTTPS Automation Cloud Service automatically configures ECC SSL certificates and SM2 SSL certificates, achieving cryptography compliance, cybersecurity compliance and global trust with one click, so that all websites can enjoy more secure SM2 https encryption and cloud WAF service. Zero trust in http cleartext connections; only trust https encrypted connections. This is the first principle of zero trust in website security.
Customers do not need to purchase WAF equipment systems. They just need to purchase HTTPS Automation Cloud Service and set up CNAME resolution to achieve WAF security protection. There are no other prerequisites, and because it is https WAF protection, customers can enjoy Alibaba Cloud WAF services with top protection capabilities. Zero trust in each web access: always verify every connection, release normal connections, and block malicious connections. This is the second principle of zero trust in website security.
Website security requires not only HTTPS encryption and WAF protection, but also trusted identity validation, so that website visitors can be sure that the identity of the website is trusted. Therefore, ZT Browser specially displays the website identity that has passed the identity validation, and directly displays the website owner name in the address bar, so that website visitors can be confident of the identity of the website, browse it and place orders on it with confidence. ZT Browser displays the trusted identity of a validated website especially prominently, showing that the website is https encrypted, WAF protected and has a trusted identity. Only in this way is it a complete trinity of website security and trust.
It can be seen that the above three characteristics not only meet the zero trust requirements of website security, but also deliver automatic SM2 https encryption and cloud WAF protection, upgrade website security in an innovative way, and make Web security universally accessible. According to the definition of cryptography in the "China Cryptography Law", cryptography is a technology, product and service for information encryption protection and security authentication. HTTPS encryption is the "encryption protection" for website information transmission, and trusted website identity validation is "security authentication". So HTTPS Automation Cloud Service can also be understood as a typical cryptographic compliance application as well as a zero trust security application: zero trust plus cryptography, realizing website security and protecting web application security.