The HTTPS-Only Standard (translation 100% complete)

Submitted by oschina on 2015/03/19 07:49 (13 paragraphs in total, translation completed 03-31)

The American people expect government websites to be secure and their interactions with those websites to be private. Hypertext Transfer Protocol Secure (HTTPS) offers the strongest privacy protection available for public web connections with today’s internet technology. The use of HTTPS reduces the risk of interception or modification of user interactions with government online services.

This proposed initiative, “The HTTPS-Only Standard,” would require the use of HTTPS on all publicly accessible Federal websites and web services.

We encourage your feedback and suggestions.

Goal

All publicly accessible Federal websites and web services [1] only provide service over a secure connection. The strongest privacy protection currently available for public web connections is Hypertext Transfer Protocol Secure (HTTPS).

Background

The unencrypted HTTP protocol does not protect data from interception or alteration, which can subject users to eavesdropping, tracking, and the modification of received data. Many commercial organizations have adopted HTTPS or implemented HTTPS-only policies to protect visitors to their websites and services. Users of Federal websites and services deserve the same protection.

Private and secure connections are becoming the Internet’s baseline, as expressed by the policies of the Internet’s standards bodies, popular web browsers, and the Internet community of practice. The Federal government must adapt to this changing landscape, and benefits by beginning the conversion now. Proactive investment at the Federal level will support faster internet-wide adoption and promote better privacy standards for the entire browsing public.

The majority of Federal websites use HTTP as the primary protocol to communicate over the public internet. Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services. Data sent over HTTP is susceptible to interception, manipulation, and impersonation. This data can include browser identity, website content, search terms, and other user-submitted information.

All browsing activity should be considered private and sensitive.

An HTTPS-Only standard will eliminate inconsistent, subjective decision-making regarding which content or browsing activity is sensitive in nature, and create a stronger privacy standard government-wide.

Federal websites that do not use HTTPS will not keep pace with privacy and security practices used by commercial organizations, or with current and upcoming Internet standards. This leaves Americans vulnerable to known threats, and reduces their confidence in their government. Although some Federal websites currently use HTTPS, there has not been a consistent policy in this area. The proposed HTTPS-only standard will provide the public with a consistent, private browsing experience and position the Federal government as a leader in Internet security.

What HTTPS Does

HTTPS verifies the identity of a website or web service for a connecting client, and encrypts nearly all information sent between the website or service and the user. Protected information includes cookies, user agent details, URL paths, form submissions, and query string parameters. HTTPS is designed to prevent this information from being read or changed while in transit.

HTTPS is a protocol that uses HTTP over a connection secured with Transport Layer Security (TLS). TLS is a network protocol that establishes an encrypted connection to an authenticated peer over an untrusted network.

Browsers and other HTTPS clients are configured to trust a set of certificate authorities [2] that can issue cryptographically signed certificates on behalf of web service owners. These certificates communicate to the client that the web service host demonstrated ownership of the domain to the certificate authority at the time of certificate issuance. This prevents unknown or untrusted websites from masquerading as a Federal website or service.

What HTTPS Doesn’t Do

HTTPS has several important limitations.

IP addresses and destination domain names are not encrypted during communication. Even encrypted traffic can reveal some information indirectly, such as time spent on site, or the size of requested resources or submitted information.

HTTPS only guarantees the integrity of the connection between two systems, not the systems themselves. It is not designed to protect a web server from being hacked or compromised, or to prevent the web service from exposing user information during its normal operation. Similarly, if a user’s system is compromised by an attacker, that system can be altered so that its future HTTPS connections are under the attacker’s control. The guarantees of HTTPS may also be weakened or eliminated by compromised or malicious certificate authorities.

Challenges and Considerations

Site Performance: While encryption adds some computational overhead, modern software and hardware can handle this overhead without substantial deleterious impact on server performance or latency. Websites whose content delivery networks or server software support the SPDY or HTTP/2 protocols, which require HTTPS in some major browsers, may find their site performance substantially improved overall as a result of migrating to HTTPS.

Server Name Indication: The Server Name Indication extension to TLS allows for more efficient use of IP addresses when serving multiple domains. However, these technologies are not supported by some legacy clients. Web service owners should evaluate the feasibility of using this technology to improve performance and efficiency.

Mixed Content: Websites served over HTTPS need to ensure that all external resources (images, scripts, fonts, iframes, etc.) are also loaded over a secure connection. Modern browsers will refuse to load many insecure resources referenced from within a secure website. When migrating existing websites, this can involve a combination of automated and manual effort to update, replace, or remove references to insecure resources. For some websites, this can be the most time consuming aspect of the migration process.
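As an added example (not part of the standard's text or any agency's tooling), a small standard-library scanner that flags the insecure subresource references described above so they can be fixed before a migration; the embedded sample page is constructed and the agency.example hostnames are placeholders:

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Tag/attribute pairs through which a page fetches subresources; plain
# navigation links (<a href>) are not mixed content and are left out.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "video": ("src", "poster"),
}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link> only fetches something for rel values such as stylesheet/icon
        rel = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rel & {"stylesheet", "icon", "preload"}:
            return
        for attr in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            # srcset holds comma-separated "url descriptor" candidates
            urls = [c.split()[0] for c in value.split(",") if c.strip()] if attr == "srcset" else [value.strip()]
            for url in urls:
                if urlsplit(url).scheme.lower() == "http":
                    self.findings.append((tag, attr, url))

def find_mixed_content(html: str) -> list:
    """Return every (tag, attribute, url) that would load over plain HTTP."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; the agency.example hostnames are placeholders.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.agency.example/site.css">
<link rel="canonical" href="http://www.agency.example/">
</head><body>
<img src="//cdn.agency.example/seal.png">
<img src="http://cdn.agency.example/hero.jpg" srcset="http://cdn.agency.example/hero@2x.jpg 2x">
<iframe src="http://maps.agency.example/embed"></iframe>
</body></html>"""
```

Protocol-relative references (`//host/...`) and `rel="canonical"` links are not flagged, since the former follow the page's own scheme and the latter are not fetched.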

APIs and Services: Web services that serve primarily non-browser clients, such as web APIs, may require a more gradual and hands-on migration strategy, as not all clients can be expected to be configured for HTTPS connections or to successfully follow redirects.

Planning for Change: Protocols and web standards improve regularly, and security vulnerabilities can emerge that require prompt attention. Federal websites and services should deploy HTTPS in a manner that allows for rapid updates to configuration and replacement of certificates.

Strict Transport Security: Websites and services available over HTTPS must enable HTTP Strict Transport Security (HSTS) to instruct compliant browsers to assume HTTPS going forward. This reduces insecure redirects, and protects users against attacks that attempt to downgrade connections to plain HTTP. Once HSTS is in place, domains can be submitted to a “preload list” used by all major browsers to ensure the HSTS policy is in effect at all times.

Domain Name System Security (DNSSEC): This proposal does not rescind or conflict with M-08-23, “Securing the Federal Government’s Domain Name System Infrastructure”. Once DNS resolution is complete, DNSSEC does not ensure the privacy or integrity of communication between a client and the destination IP. HTTPS provides this additional security.

Cost Effective Implementation

Implementing an HTTPS-only standard does not come without cost. A significant number of Federal websites have already deployed HTTPS. The goal of this proposal is to increase that adoption.

The administrative and financial burden of universal HTTPS adoption on all Federal websites includes development time, the financial cost of procuring a certificate and the administrative burden of maintenance over time. The development burden will vary substantially based on the size and technical infrastructure of a site. The proposed compliance timeline provides sufficient flexibility for project planning and resource alignment.


Comments (19)

-飞客-

Quoting the comment by "Modelica云":

What do the Chinese people say?

Quoting the comment by "Desolate":

The Chinese people only hope that government websites support IE6 and above, as well as other browsers.

Quoting the comment by "好独特":

Support non-IE browsers, load properly, let people find what they want, and don't hang a pile of useless news on the homepage; when you want to handle some business you can't even tell which menu to look in.

They do it precisely because they don't want you to find anything useful.

理工小强

Quoting the comment by "Modelica云":

What do the Chinese people say?

Quoting the comment by "Desolate":

The Chinese people only hope that government websites support IE6 and above, as well as other browsers.

That's asking too much. Be glad they don't make you use IE 1.0.

Crazy罗小杰

Long live the people.

开心613

Quoting the comment by "SupNatural":

The American people hope government websites are secure.
The American government hopes the people's websites are insecure.

The word "people" (人民) is wrong here; it should be "the public" (民众).

好独特

Quoting the comment by "Modelica云":

What do the Chinese people say?

Quoting the comment by "Desolate":

The Chinese people only hope that government websites support IE6 and above, as well as other browsers.

Support non-IE browsers, load properly, let people find what they want, and don't hang a pile of useless news on the homepage; when you want to handle some business you can't even tell which menu to look in.

fly2xiang

Quoting the comment by "JacarriChan":

As long as CNNIC is around, no amount of HTTPS matters..

Quoting the comment by "G.":

+2

Quoting the comment by "yizhilong":

First thing after installing the system: delete CNNIC from the local machine.

Quoting the comment by "David_Lee_":

Then 12306 wouldn't work anymore, would it?

12306 uses a self-signed certificate.

David_Lee_

Quoting the comment by "JacarriChan":

As long as CNNIC is around, no amount of HTTPS matters..

Quoting the comment by "G.":

+2

Quoting the comment by "yizhilong":

First thing after installing the system: delete CNNIC from the local machine.

Then 12306 wouldn't work anymore, would it?

yizhilong

Quoting the comment by "JacarriChan":

As long as CNNIC is around, no amount of HTTPS matters..

Quoting the comment by "G.":

+2

First thing after installing the system: delete CNNIC from the local machine.

灵魂架构师

Damn it, if SSL certificates came in a free, no-warranty version used only to encrypt the connection, far more people would use them; otherwise it's all for nothing!

Jiazz

The first sentence of the translation~~ I suspect it was done with machine translation~ uh