Why do SSL/TLS certificates expire?
In the past, SSL/TLS certificates had lifetimes of up to 5 years. That is no longer the case, since major technology companies such as Google and Apple have been pushing to shorten SSL/TLS certificate lifetimes to just one year. Within a few years, the maximum certificate lifetime will most likely shrink to 6 months. In any case, shorter SSL/TLS validity periods make sense: they limit the window of exposure if a key is compromised and generally raise the security level of the web.

Consequences of not renewing SSL/TLS certificates on time
Surveys of 5,000 companies worldwide show that recovering from the business losses caused by an expired SSL/TLS certificate costs an average of $15 million. Even if your company is not one of the world's largest, an expired SSL/TLS certificate brings a series of negative consequences, some of which are outlined below.

The overall trust in your website drops immediately.
Your company's brand and reputation are put at risk.
Sales and revenue streams can take a serious hit.
Visitors become exposed to fraud and identity theft.

Cybersecurity is the practice of protecting systems, networks and programs from digital attacks. These cyberattacks usually aim to access, alter or destroy sensitive information, extort money from users, or disrupt normal business processes. TRUSTZONE offers comprehensive cybersecurity services and digital certificates to protect your business against such threats, including SSL/TLS certificates, secure email certificates and code signing certificates.

Cybersecurity is like locking the doors and windows of your house: it keeps intruders out and your belongings safe.

Types of cybersecurity threats
Understanding the various types of cybersecurity threats and attacks is essential to defending against them. These are the most common attacks you should know about:

Phishing attacks: cybercriminals trick individuals into handing over sensitive information by posing as legitimate emails or websites. Phishing accounts for more than 80% of reported security incidents.

Malware attacks: a common form of cyberattack and an umbrella term for malicious programs that are delivered to and installed on an end user's computer. Such attacks typically happen when a user downloads unsigned software from the Internet and installs it on a computer, server or network.

Malware attacks are extremely common, with more than 5.4 billion recorded in 2022 alone.

Man-in-the-middle attacks: a man-in-the-middle (MitM) attack occurs when an attacker intercepts website traffic or email between two parties who believe they are communicating directly with each other.

People, process and technology:

People: educate employees to recognize threats and follow security protocols. Research shows that 43% of small businesses have no proper cybersecurity plan in place, leaving them exposed to attack.
Process: implement robust security policies and procedures to protect data and respond to incidents effectively.
Technology: use advanced security tools and technology to prevent, detect and respond to cyber threats effectively. Organizations that adopt strong cybersecurity measures can significantly reduce the costs associated with data breaches.

As a mediocre engineer, I took Internet and HTTPS communication for granted and never dove any deeper. Today we’re improving as engineers and learning a rough overview of how internet communication works, specifically focusing on HTTP and TLS.

The Internet is “just” a network of interconnected computer networks. The term "Internet" literally means "between networks." It operates as a packet-switched mesh network with best-effort delivery, meaning there are no guarantees on whether a packet will be delivered or how long it will take. The reason the Internet appears to operate so smoothly (at least from a technical perspective) is the layers of abstraction that handle retries, ordering, deduplication, security and so many other things behind the scenes, letting us developers focus on the application layer (a.k.a. writing HTTP requests from San Francisco for $300K/year).

Each layer provides certain functionalities, which can be fulfilled by different protocols. Such modularization makes it possible to replace the protocol on one layer without affecting the protocols on the other layers.

Website operators who will be impacted by the upcoming change in Chrome for new TLS certificates issued after October 31, 2024 can explore continuity options offered by Entrust. Entrust has expressed its commitment to continuing to support customer needs, and is best positioned to describe the available options for website operators. Learn more at Entrust’s TLS Certificate Information Center.

The Chrome Security Team prioritizes the security and privacy of Chrome’s users, and we are unwilling to compromise on these values.

The Chrome Root Program Policy states that CA certificates included in the Chrome Root Store must provide value to Chrome end users that exceeds the risk of their continued inclusion. It also describes many of the factors we consider significant when CA Owners disclose and respond to incidents. When things don’t go right, we expect CA Owners to commit to meaningful and demonstrable change resulting in evidenced continuous improvement.

Over the past several years, publicly disclosed incident reports highlighted a pattern of concerning behaviors by Entrust that fall short of the above expectations, and has eroded confidence in their competence, reliability, and integrity as a publicly-trusted CA Owner.

In response to the above concerns and to preserve the integrity of the Web PKI ecosystem, Chrome will take the following actions.

Today we are announcing our intent to end Online Certificate Status Protocol (OCSP) support in favor of Certificate Revocation Lists (CRLs) as soon as possible.

OCSP and CRLs are both mechanisms by which CAs can communicate certificate revocation information, but CRLs have significant advantages over OCSP. Let’s Encrypt has been providing an OCSP responder since our launch nearly ten years ago. We added support for CRLs in 2022.

Websites and people who visit them will not be affected by this change, but some non-browser software might be.

We plan to end support for OCSP primarily because it represents a considerable risk to privacy on the Internet. When someone visits a website using a browser or other software that checks for certificate revocation via OCSP, the Certificate Authority (CA) operating the OCSP responder immediately becomes aware of which website is being visited from that visitor’s particular IP address. Even when a CA intentionally does not retain this information, as is the case with Let’s Encrypt, CAs could be legally compelled to collect it. CRLs do not have this issue.

We are also taking this step because keeping our CA infrastructure as simple as possible is critical for the continuity of compliance, reliability, and efficiency at Let’s Encrypt. For every year that we have existed, operating OCSP services has taken up considerable resources that can soon be better spent on other aspects of our operations. Now that we support CRLs, our OCSP service has become unnecessary.

In August of 2023 the CA/Browser Forum passed a ballot to make providing OCSP services optional for publicly trusted CAs like Let’s Encrypt. With one exception, Microsoft, the root programs themselves no longer require OCSP. As soon as the Microsoft Root Program also makes OCSP optional, which we are optimistic will happen within the next six to twelve months, Let’s Encrypt intends to announce a specific and rapid timeline for shutting down our OCSP services. We hope to serve our last OCSP response between three and six months after that announcement.

The best way to stay apprised of updates on these plans is to subscribe to our API Announcements category on Discourse.

We recommend that anyone relying on OCSP services today start the process of ending that reliance as soon as possible. If you use Let’s Encrypt certificates to secure non-browser communications such as a VPN, you should ensure that your software operates correctly if certificates contain no OCSP URL. Fortunately, most OCSP implementations “fail open” which means that an inability to fetch an OCSP response will not break the system.
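Added example (not code from Let’s Encrypt or from this post): a Go program that builds a throwaway CA, issues a certificate carrying a CRL distribution point but no OCSP URL, publishes a CA-signed CRL revoking it, and checks the certificate against that CRL the way a relying party would, verifying the CRL’s signature and freshness before trusting its answer. All names and URLs are constructed placeholders, and BuildPKI and RevocationStatus are hypothetical helper names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// RevocationStatus checks leaf against a DER-encoded CRL. A CRL not signed by
// issuer or outside its validity window is rejected with an error (fail closed).
func RevocationStatus(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err // forged, or issued by some other CA
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return false, errors.New("CRL outside its validity window")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// BuildPKI constructs a throwaway CA, a leaf with a CRL URL but no OCSP URL, and a CA-signed CRL revoking the leaf (all names are placeholders).
func BuildPKI(now time.Time) (ca, leaf *x509.Certificate, crlDER []byte, err error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "vpn.example.test"}, NotBefore: now.Add(-time.Hour),
		NotAfter: now.Add(24 * time.Hour), CRLDistributionPoints: []string{"http://crl.example.test/ca.crl"}} // OCSPServer deliberately empty
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}}
	crlDER, err = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	return ca, leaf, crlDER, err
}
```

Unlike an OCSP query, nothing here contacts the CA per visited site; a CRL is downloaded once and consulted locally, which is the privacy property the post describes.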

Internet Security Research Group (ISRG) is the parent organization of Let’s Encrypt, Prossimo, and Divvi Up. ISRG is a 501(c)(3) nonprofit. If you’d like to support our work, please consider getting involved, donating, or encouraging your company to become a sponsor.