Please use this Handle URI to cite this document:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/67013
Title: | The Investigation of Current Practice for HTTPS Adoption on Taiwan Government Websites |
Author: | Yu-Ming Ku 古育銘 |
Advisor: | 蕭旭君 |
Keywords: | Taiwan Government Websites, HTTPS, TLS attacks, Certificate problem |
Year of publication: | 2017 |
Degree: | Master's |
Abstract: | HTTPS is a security protocol that protects the connection between a web server and the browser. Without HTTPS, an attacker can steal the sensitive information (such as passwords or cookies) that users send to a website. Because of the importance of HTTPS, the White House in June 2015 ordered that all U.S. government websites and the services they provide use HTTPS only; since then, the share of U.S. government websites supporting HTTPS has risen from 28% in July 2015 to 76% in June 2017. We observed that Taiwan government websites often have insufficient security, including not using HTTPS or using it incorrectly. For example, the first release of “pay.taipei”, the payment platform app launched by the Taipei City Government in June 2017, did not use HTTPS to encrypt its login page, giving attackers the opportunity to steal user accounts and passwords. We want government websites to adopt ideal HTTPS across the board; to understand the obstacles, we conducted the first comprehensive survey of the current state and security strength of HTTPS use on Taiwan government websites. According to our survey results from June 2017, only 11.2% (122/1,089) of Taiwan government websites support HTTPS, far below the 76% of U.S. government websites and the 45% of the Alexa top 1 million websites. Worse, we scanned the 122 HTTPS-supporting websites against 11 TLS attack methods and found that only 16% (19/122) can withstand 10 or more of them. In addition, among the 1,089 Taiwan government websites, as many as 229 have invalid-certificate problems. These problems reduce users' trust in the websites. Finally, we designed and distributed a questionnaire to investigate why Taiwan government websites do not use HTTPS. Based on the results, we offer four recommendations to technical units and policy makers, in the hope of improving the security of Taiwan government websites. HTTPS is a fundamental security protocol that protects HTTP connections from a network adversary. Without HTTPS, the attacker can steal or manipulate users’ sensitive information (e.g., passwords and cookies) during web browsing. Recognizing the importance of HTTPS, the White House issued a memorandum requiring that all U.S. federal websites and web services only provide service through HTTPS, and since then the HTTPS adoption rate of U.S. federal domains has increased from 28% in July 2015 to 76% in June 2017. On the other hand, we observed that Taiwan government websites often suffer from insufficient security, including lacking HTTPS or incorrect HTTPS configuration. For example, in June 2017, the Taipei City Government released a payment platform app, “pay.taipei”, whose first version unfortunately failed to protect the login page using HTTPS. To understand the obstacles toward an ideal HTTPS-everywhere deployment, we conducted the first comprehensive survey investigating the current HTTPS status on Taiwan government websites. Our investigation reveals that, as of June 2017, only 11.20% (122 out of 1,089) of Taiwan government websites support HTTPS, which is significantly lower than that of the U.S. government websites (76%) and the Alexa Top 1M websites (45% in April 2017). What’s worse, among the websites supporting HTTPS, only 16% (19 out of 122) are correctly configured so as to be fully immune to the 10 (out of 11) known attacks against HTTPS. Also, 21% (229 out of 1,089) of the websites present invalid certificates, which undermine users’ trust in the websites. To investigate the reasons why the Taiwan government failed to correctly use HTTPS, we also designed and conducted a questionnaire. Based on the results of our study, we provide four recommendations to the technical community as well as the policy makers, and hope to shed light on the challenges of upgrading government websites. |
URI: | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/67013 |
DOI: | 10.6342/NTU201703018 |
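Full-text license: | Paid license |
Appears in collections: | Department of Computer Science and Information Engineering |
Files in this item:
File | Size | Format | |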
---|---|---|---|
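ntu-106-1.pdf Not currently authorized for public access | 2.96 MB | Adobe PDF |
Items in the system are protected by copyright, with all rights reserved, unless their copyright terms are specifically indicated otherwise.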