A secure website needs at least three basic elements: HTTPS encryption, WAF protection, and trusted identity validation. All three are indispensable. That is why ZT Browser innovatively displays four security-related icons: not only the security padlock and the SM2 encryption icon, but also the cloud WAF protection icon and the website trusted identity validation level icon. Please refer to the innovation UI Icon Summary of ZT Browser for details.
ZT Browser is developed on the open-source Chromium, whose default security padlock UI displays "Connection is secure". We think this is inaccurate. Deploying an SSL certificate and enabling HTTPS encryption does not make a website secure; it only means that the connection from the browser to the server is encrypted. So we changed this text to "Connection is encrypted".
We also changed the "Security" display to show the Website Security Rating and rating level. The rating includes the SSL security test, because a website with an incorrectly deployed SSL certificate is still not secure. During the HTTPS handshake with the web server, ZT Browser learns all the deployment information of the SSL certificate, so the rating level is displayed after the padlock. This lets website visitors see the state of the SSL certificate deployment, and in particular lets the website administrator check it after completing a deployment and fix problems in time. Please refer to the “ZoTrus Website Security Test Rating Service Rating Guide” for details.
The first element of website security is HTTPS encryption, which encrypts information in transit from the browser to the server so that confidential information does not leak during transmission, effectively preventing illegal stealing and tampering. This is the basic requirement. Without HTTPS encryption, all browsers display "Not secure", which is correct and accurate.
The second element of website security is WAF protection, which is also indispensable. A WAF can effectively prevent various attacks, and it prevents illegal stealing and tampering after the information has reached the server from the browser. HTTPS encryption guarantees that confidential information reaches the server securely; once the information has arrived at the server, the work of preventing various attacks can only be done by the Web Application Firewall. Without WAF protection, HTTPS encryption is also meaningful; this point is very important. HTTPS encryption and WAF protection each perform their own duty and each cover their own section.
The third element of website security is website trusted identity validation. A fake bank website may also have HTTPS encryption, so the browser also shows the security padlock, and it may also have WAF protection. However, none of this proves that the fake bank website is secure! Therefore, website trusted identity validation is the third important factor of website security, and it is as important as HTTPS encryption and WAF protection! The simplest way to provide website trusted identity validation is to deploy an IV SSL, OV SSL, or EV SSL certificate, each of which has validated the website identity.
It is recommended to choose the ZoTrus SM2 HTTPS Automation Management Solution. It realizes HTTPS encryption automatically, with no need to apply for an SSL certificate from the CA and no need to install an SSL certificate on the web server. Customers can choose a suitable solution according to their own business system management needs. It has two main application scenarios: HTTPS encryption automation and SM2 HTTPS encryption transformation. The former mainly solves the automatic deployment of RSA/ECC algorithm SSL certificates: many websites and various business management systems still have no SSL certificate deployed, and these systems only need RSA/ECC algorithm SSL certificates and do not need to be transformed to support SM2 SSL certificates, but they do need automated certificate management. The latter requires not only the deployment of RSA/ECC SSL certificates but also the deployment of SM2 SSL certificates, and the automatic management of dual-algorithm certificates.