Websites have been in wide use since the late 1990s. That was the era of cleartext HTTP, because the Internet was then used mainly for publishing and browsing information. Once online payment arrived, cleartext HTTP could no longer meet the security requirements. Netscape designed the SSL protocol in 1994, and SSL certificates made HTTPS encrypted transmission possible, so that traffic from the browser to the web server is encrypted automatically. With this, web security entered what we call the 1.0 era.
In the Web Security 1.0 era, a user has to apply for an SSL certificate from a CA and deploy it on the server manually to enable HTTPS. Through the joint efforts of browser vendors and CAs, a minimum requirement took shape: a website must deploy an SSL certificate, or every browser marks it "Not secure". This is the greatest achievement of the Web Security 1.0 era. In October 2015, Let's Encrypt began using the ACME protocol (Automated Certificate Management Environment) to issue DV SSL certificates to users worldwide automatically and for free. This opened the Web Security 1.5 era: ACME removed the cumbersome manual steps of applying for, validating and deploying an SSL certificate, and it greatly accelerated the adoption of HTTPS.
In the Web Security 1.0 era a second technical route also developed: the WAF (Web Application Firewall). As web applications spread and grew richer, the high-value data held by web services became a primary attack target. Security incidents such as SQL injection, web page tampering and web trojans (malicious code planted on web pages) occurred frequently; according to China CERT's (CNCERT) report, more than 100,000 websites in China were tampered with in 2020.
The Web Application Firewall emerged to solve the web application security problem that traditional firewalls cannot address. Unlike a traditional firewall, a WAF works at the application layer, which gives it an inherent advantage in protecting web applications. Based on an understanding of the web application's business logic, a WAF inspects and validates the content of every request from web clients and blocks illegal requests in real time, protecting the website effectively. This is zero trust applied to every web request: each request is checked and verified. However, the WAF branch of web security technology does not solve the problem of encrypting confidential information in transit; it only solves website protection. Although some WAF systems support HTTPS, the user still has to apply for an SSL certificate from a CA and deploy it manually on the WAF device. Therefore it still belongs to the Web Security 1.0 era.
Another big problem of the Web Security 1.0 era is that it ignores the many websites on shared (virtual) hosting. These sites, run by small and medium-sized enterprises and other small organizations, cannot deploy SSL either manually or automatically, because they live on a shared host rather than an independent server. Such websites not only transmit everything in the clear but are also completely unprotected, and their security situation is very bad.
So in the Web Security 1.0 era, neither manually deployed SSL certificates, nor automatically deployed SSL certificates, nor added WAF protection can meet today's web security requirements in the era of cloud computing and big data, and shared-hosting websites remain a forgotten corner of security. Web security urgently needs an upgrade to the 2.0 era.
Web Security 2.0 is a cloud-native service: the WAF is a cloud service and SSL certificate automation is also a cloud service. The Cloud SSL service automatically issues SSL certificates for websites, configures them into the cloud WAF automatically, and so delivers HTTPS encryption plus WAF protection without manual steps: zero trust for cleartext transmission and zero trust for every web connection. But this is not enough. A fake or fraudulent website can do all of this too, so HTTPS and a WAF alone do not mean the website is safe. The identity of the website must also be validated under zero trust: a website that has not passed trusted identity validation is not trusted even with HTTPS encryption and WAF protection. Web Security 2.0 is therefore a zero trust website security solution of cloud SSL plus cloud WAF plus cloud identity validation.
In the Web Security 1.0 mode, users spend time, effort and money to purchase and apply for an SSL certificate from a CA. After obtaining it they must install and configure it on the server manually, or install ACME client software on the server that talks to the CA, before the website can use the certificate for HTTPS. In the Web Security 2.0 mode, users only need to set up CNAME resolution once; the SSL certificate is then configured on the cloud WAF automatically and HTTPS is enabled.
As shown in the left figure below, a visitor accesses the web server over HTTP. Because HTTP is transmitted in cleartext, every browser shows "Not secure" in the address bar or an open padlock: anything sent from the browser to the server can be intercepted or tampered with on the way. As shown in the right figure below, after purchasing the ZoTrus Website Security Cloud Service, a customer only needs to set three domain name resolution records. The Cloud SSL service then connects to the ZoTrus Cryptographic Service automatically, obtains a publicly trusted ECC SSL certificate and a cryptography-compliant SM2 SSL certificate, and configures both into the cloud WAF, so HTTPS encryption and WAF protection take effect automatically. All browsers then use HTTPS and display the security padlock; ZT Browser preferentially negotiates the SM2 algorithm for SM2 HTTPS encryption and shows the SM2 encryption icon in the address bar.
The Cloud SSL service fully automates application for the SM2/ECC dual SSL certificates and their configuration on the cloud WAF for HTTPS encryption. Users do not spend time, effort or money applying to a CA, do not install any ACME client on the server, and do not modify their web server software to support the SM2 algorithm. Shared-hosting websites without an independent server are fully supported: as long as a website is reachable, wherever it is hosted, it gains HTTPS simply by becoming the origin site behind the service, so every website can be encrypted. The solution adaptively prefers the SM2 algorithm, giving SM2 HTTPS encryption to clients that support it and ECC HTTPS to the rest.
As shown in the figure below, the ZoTrus Cloud SSL service applies for and obtains the SSL certificates on the customer's behalf, then calls the Alibaba Cloud WAF API to configure them in the WAF, so HTTPS and the WAF service are enabled automatically. Alibaba Cloud WAF is a web security solution for hybrid cloud scenarios: threat intelligence and protection capabilities on the cloud are synchronized to off-cloud protection nodes in real time, for unified management of protection policy. It protects against common web attacks, including SQL injection, XSS, webshell upload and directory traversal; it updates protection rules for newly disclosed web 0-day vulnerabilities automatically; it supports web page anti-tampering, hotlink protection and brute-force protection; it offers default and custom CC protection policies to mitigate HTTP flood attacks; it scales elastically through dedicated local clusters and is deployed with dual protection nodes by default; and it supports both HTTP and HTTPS for the connection to the origin server. If the customer chooses an HTTPS origin connection, the ZoTrus Cloud SSL service provides a free SSL certificate for it. Note that with an HTTP origin connection only the visitor-to-WAF leg is encrypted and the WAF-to-origin leg is cleartext, so HTTPS to the origin is the safer choice. As with any CNAME-fronted cloud WAF, the origin server should also accept traffic only from the WAF's addresses, so that requests cannot bypass the WAF by going to the origin directly.
With the cloud WAF protecting the website, attacks such as those that crash the site, tamper with web pages or inject SQL are blocked before they reach the origin. The leading Alibaba Cloud Web Application Firewall provides 7x24x365 protection, so customers can concentrate on their own business instead of worrying about the website being attacked or confidential information leaking in transit.
That a website has HTTPS encryption and WAF protection does not mean the website is secure, nor that users can trust it. Under the zero trust principle, never trust a website whose identity has not been validated by a third party. Deploying a DV SSL certificate proves only that the certificate holder controls the domain name; it says nothing about who operates the website. A fake bank site can register a domain that resembles the real bank's and obtain a DV SSL certificate for it. For example, ICBC's domain is icbc.com.cn; a fake ICBC site at 1cbc.com.cn (the digit one in place of the letter i) can get a DV SSL certificate, and the browser shows it the same security padlock as the real ICBC website.
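The look-alike problem in the ICBC example generalizes beyond one digit-for-letter swap. The following is an added example, not code from the original page or from ZoTrus: it folds visually confusable ASCII characters to a canonical "skeleton", in the spirit of the Unicode TR39 confusables approach, and reports which trusted domain a candidate host imitates. The trusted-domain list, the confusable table and the small two-level suffix set are assumptions constructed for the example; a production tool would use the Public Suffix List and the full Unicode confusables data.

```python
"""Flag look-alike domains such as 1cbc.com.cn imitating icbc.com.cn.

Added example; not from the original page or from ZoTrus. The trusted list,
confusable table and suffix set below are constructed for illustration.
"""
from typing import List, Optional

# Characters that render alike in an address bar. Each group folds to its
# first member, so "1cbc", "lcbc" and "icbc" all share the skeleton "icbc".
_CONFUSABLE_GROUPS = [
    ("i", "1", "l", "|"),   # letter i, digit one, lower-case L, pipe
    ("o", "0"),
    ("s", "5"),
    ("b", "8"),
    ("z", "2"),
    ("g", "9"),
]
_FOLD = {ch: group[0] for group in _CONFUSABLE_GROUPS for ch in group}

# Two-letter sequences that look like one letter ("rn" -> "m" in "rnicrosoft").
_MULTI_CHAR = [("rn", "m"), ("vv", "w")]

# Assumption: a tiny stand-in for the Public Suffix List, enough for the hosts
# used here. Anything else is treated as a one-label suffix such as ".com".
_TWO_LEVEL_SUFFIXES = {"com.cn", "net.cn", "org.cn", "gov.cn", "co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Strip subdomains: www.icbc.com.cn -> icbc.com.cn, login.example.com -> example.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def skeleton(name: str) -> str:
    """Canonical form in which confusable spellings collide."""
    s = name.lower()
    for seq, replacement in _MULTI_CHAR:
        s = s.replace(seq, replacement)
    return "".join(_FOLD.get(ch, ch) for ch in s)


def lookalike_of(host: str, trusted: List[str]) -> Optional[str]:
    """Return the trusted domain that `host` imitates, or None.

    A host that actually belongs to a trusted registrable domain is not a
    look-alike. A host whose skeleton collides with a trusted domain's
    skeleton but whose spelling differs is reported as imitating it.
    """
    candidate = registrable_domain(host)
    trusted_domains = [registrable_domain(t) for t in trusted]
    if candidate in trusted_domains:
        return None
    candidate_skeleton = skeleton(candidate)
    for domain in trusted_domains:
        if skeleton(domain) == candidate_skeleton:
            return domain
    return None


# Constructed list of brands to protect; a real deployment would load this
# from a curated feed.
TRUSTED_DOMAINS = ["icbc.com.cn", "microsoft.com", "example.com"]

if __name__ == "__main__":
    for host in ["www.icbc.com.cn", "1cbc.com.cn", "rnicrosoft.com",
                 "login.examp1e.com", "zotrus.com"]:
        verdict = lookalike_of(host, TRUSTED_DOMAINS)
        print(f"{host:22} -> {'imitates ' + verdict if verdict else 'no match'}")
```

The check deliberately works on the registrable domain rather than the full host name, because a DV certificate for 1cbc.com.cn covers any subdomain its holder chooses; the padlock itself carries no information that this function does not already have from the name.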
Therefore we strongly recommend that customers deploy OV SSL certificates or EV SSL certificates, which validate the identity of the website, because the real identity of the website is as important as transmission encryption and security protection. For customers who have purchased the ZoTrus Website Security Cloud Service, every edition includes the most stringent website identity validation, EV Certification, free of charge. ZT Browser displays the green address bar and organization name, so customers enjoy the trinity of website security services: HTTPS encryption, WAF protection and trusted identity.
For customers who have purchased the Basic Edition, a DV SSL certificate, which validates only control of the domain name, is configured automatically. The issuing CA does not validate the website's identity; that validation is performed by ZoTrus according to the Extended Validation standard. So although only a DV SSL certificate is deployed, the website identity validation has been completed, and ZT Browser shows the same green address bar and organization name as if an EV SSL certificate were deployed. This is an innovative solution that separates HTTPS encryption from website identity validation, combining quick validation for the SSL certificate with quick local website identity validation. As shown in the figure below, ZT Browser displays a Basic Edition website exactly like a website with an EV SSL certificate. The picture on the right shows Google Chrome: click the security padlock and the certificate shown is a DV SSL certificate, because the identity validation is recorded by ZoTrus rather than in the certificate, so browsers other than ZT Browser display only the padlock.
For customers who have purchased the Pro Edition, an OV SSL certificate that validates the identity of the website is configured automatically. The website identity validation is performed by ZoTrus in strict accordance with international standards and China standards, and the SSL certificate itself contains the website's organization name and other information. On this basis ZoTrus completes EV validation according to the Extended Validation standard, and ZT Browser displays the same green address bar and organization name as if an EV SSL certificate were deployed. As shown in the figure below, ZT Browser displays a Pro Edition website exactly like a website with an EV SSL certificate. The picture on the right shows Google Chrome: click the security padlock and the certificate shown is an OV SSL certificate.
For customers who have purchased the Extended Pro Edition, an EV SSL certificate whose organization identity has been extended validated is configured automatically. The website identity validation is performed by ZoTrus in strict accordance with international standards and China standards, and the SSL certificate contains the website's organization name, registration information and other details. ZT Browser displays the green address bar and the organization name from the SSL certificate directly in the address bar, as shown in the left figure below. Other browsers still display only the security padlock, as shown in the middle figure, but clicking the padlock to view the certificate reveals the organization name of the website, as shown in the right figure.
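The three editions differ in what the certificate itself attests, and browsers other than ZT Browser show exactly that: a DV certificate for the Basic Edition, an OV certificate for the Pro Edition and an EV certificate for the Extended Pro Edition. The following added example (not code from the original page or from ZoTrus) classifies a certificate from the fields it actually carries, using the CA/Browser Forum reserved certificate-policy OIDs, and derives the owner identity a browser could safely display. A Basic Edition site, whose identity validation is recorded by ZoTrus rather than in the certificate, therefore classifies as DV here. The sample certificates and the fallback rule for certificates that carry no reserved policy OID are assumptions; the `from_ssl_peercert` adapter takes the dict shape produced by Python's `ssl.SSLSocket.getpeercert()`.

```python
"""Classify a TLS certificate as DV, OV or EV from the identity it actually carries.

Added example, not code from the original page or from ZoTrus. The sample
certificates are constructed; only the CA/Browser Forum policy OIDs are real.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Reserved certificate-policy OIDs from the CA/Browser Forum Baseline
# Requirements and EV Guidelines.
EV_POLICY = "2.23.140.1.1"
DV_POLICY = "2.23.140.1.2.1"
OV_POLICY = "2.23.140.1.2.2"
IV_POLICY = "2.23.140.1.2.3"   # individual validated; treated like OV below


@dataclass
class CertInfo:
    subject: Dict[str, str]                      # subject attribute name -> value
    policies: List[str] = field(default_factory=list)
    sans: List[str] = field(default_factory=list)


def from_ssl_peercert(cert: dict, policies: Optional[List[str]] = None) -> CertInfo:
    """Adapt the dict returned by ssl.SSLSocket.getpeercert().

    That dict gives the subject as a tuple of RDNs, each a tuple of (name,
    value) pairs, but omits certificatePolicies, so the policy OIDs must be
    supplied from another parser (for example `openssl x509 -text`).
    """
    subject = {name: value for rdn in cert.get("subject", ()) for name, value in rdn}
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return CertInfo(subject=subject, policies=list(policies or []), sans=sans)


def validation_level(info: CertInfo) -> str:
    """DV: domain control only. OV: organization in the subject. EV: EV policy
    plus organization and registration number. INCONSISTENT: the policy claims
    more identity than the subject carries, so treat it as untrusted."""
    org = info.subject.get("organizationName")
    registration = info.subject.get("serialNumber")
    if EV_POLICY in info.policies:
        return "EV" if (org and registration) else "INCONSISTENT"
    if OV_POLICY in info.policies or IV_POLICY in info.policies:
        return "OV" if org else "INCONSISTENT"
    if DV_POLICY in info.policies:
        return "DV"
    # Assumption for certificates without a reserved OID: an organization in
    # the subject means organization validation, otherwise domain only.
    return "OV" if org else "DV"


def identity_to_display(info: CertInfo) -> Optional[str]:
    """The verified owner a browser may show: the organization for OV/EV,
    nothing for DV, since a DV subject names only a domain anyone can register."""
    if validation_level(info) not in ("OV", "EV"):
        return None
    org = info.subject["organizationName"]
    country = info.subject.get("countryName")
    return f"{org} ({country})" if country else org


# Constructed sample certificates (not real certificates or real numbers).
DV_CERT = CertInfo(subject={"commonName": "1cbc.com.cn"},
                   policies=[DV_POLICY], sans=["1cbc.com.cn", "www.1cbc.com.cn"])
OV_CERT = CertInfo(subject={"countryName": "CN",
                            "organizationName": "Example Bank Co., Ltd.",
                            "commonName": "www.example-bank.com.cn"},
                   policies=[OV_POLICY])
EV_CERT = CertInfo(subject={"countryName": "CN",
                            "organizationName": "Example Bank Co., Ltd.",
                            "serialNumber": "REG-0000000 (constructed)",
                            "businessCategory": "Private Organization",
                            "jurisdictionCountryName": "CN",
                            "commonName": "www.example-bank.com.cn"},
                   policies=[EV_POLICY])
# A certificate asserting the EV policy without identity fields: not trustworthy.
BOGUS_EV_CERT = CertInfo(subject={"commonName": "1cbc.com.cn"}, policies=[EV_POLICY])

if __name__ == "__main__":
    for label, cert in [("DV", DV_CERT), ("OV", OV_CERT),
                        ("EV", EV_CERT), ("bogus", BOGUS_EV_CERT)]:
        print(f"{label:6} {validation_level(cert):13} identity={identity_to_display(cert)!r}")
```

The "INCONSISTENT" result is the practitioner's check: a policy OID is just a claim, and a certificate whose subject lacks the fields that the claimed policy requires should be shown as no more than DV, which is exactly what this classifier does by returning no identity to display.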
The ZoTrus Website Security Cloud Service is not only a zero trust security service designed for website security but also a cloud-native service: everything is delivered directly from the cloud. Users do not install SSL certificates on their own servers, do not install ACME clients, do not modify their web server software to support SM2, and do not purchase a WAF system; three domain name resolution records are all it takes to enable SM2 HTTPS encryption and WAF protection automatically, which greatly lowers the threshold and cost of securing a website. It is three-in-one, three-dimensional protection, and its main advantages and characteristics are:
Customers do not apply for an SSL certificate from a CA, do not install an SSL certificate on the server, and do not install any client software on the web server for automatic certificate deployment. Customers do not even need to know what an SSL certificate is: purchase the service, set three domain name resolution records, and HTTPS encryption with adaptive algorithm selection is enabled within 10 minutes, with ZT Browser preferentially using the SM2 algorithm for SM2 HTTPS encryption. Protecting a website's confidential information with HTTPS no longer depends on whether the site runs on a dedicated server or shared hosting: if the website is reachable, HTTPS encryption can be enabled automatically. This is an inclusive security service with no other prerequisites.
The ZoTrus Website Security Cloud Service naturally supports shared-hosting websites, which makes the Web Security 2.0 era one of universally accessible website security. The shared-hosting websites with the weakest protection are not left behind; every website can enjoy HTTPS encryption and WAF services. Zero trust for cleartext HTTP connections, trust only HTTPS encrypted connections, and prefer SM2 HTTPS connections: this is the first principle of zero trust in website security, and the ZoTrus Website Security Cloud Service is a fully automatic, fully covering implementation of Web Security 2.0!
Customers do not purchase WAF equipment; they purchase the Website Security Cloud Service, set up CNAME resolution, and WAF protection is in place. There are no other prerequisites, and the protection is HTTPS WAF protection backed by Alibaba Cloud WAF's top-tier capabilities. Zero trust for every web access, always verify every connection, pass normal connections and block malicious ones: this is the second principle of zero trust in website security, and the ZoTrus Website Security Cloud Service is a fully automatic, fully covering implementation of Web Security 2.0!
Website security requires HTTPS encryption, WAF protection and trusted identity validation, so that visitors can be sure the website's identity is trustworthy. ZT Browser therefore specially displays the identity of a website that has passed identity validation, showing the website owner's name directly in the address bar, so visitors can browse and place orders with confidence. This prominent display tells the visitor that the website is HTTPS encrypted, WAF protected and has a trusted identity. Only this trinity makes a complete website security and trust solution.
These three characteristics mark the end of the 1.0 era, which required manual configuration and reached only some websites. Web Security 2.0 innovatively upgrades the web to universally accessible security; that is its striking feature. Only when every website is secure is the Internet truly secure, and Web Security 2.0 lets every website be secure. It adapts to the needs of cloud computing, big data and zero trust security, and meets the requirements of global trust and cryptography compliance for all websites, so it will surely be welcomed by all website owners.
According to the definition in the "Cryptography Law of the People's Republic of China", cryptography comprises the technologies, products and services for the encryption protection and security authentication of information. HTTPS encryption is the "encryption protection" of website traffic, and trusted website identity validation is the "security authentication". Web Security 2.0 can therefore also be understood as a typical cryptography-compliant application as well as a zero trust security application: zero trust plus cryptography, upgrading website security to the 2.0 era and protecting web applications. Its wide adoption will make a major contribution to the protection of Internet and big data security.