CN106656455B - Website access method and device - Google Patents


Info

Publication number
CN106656455B
Authority
CN
China
Prior art keywords
certificate
validity
revocation list
verified
website
Legal status
Active
Application number
CN201510407842.3A
Other languages
Chinese (zh)
Other versions
CN106656455A (en)
Inventor
王小龙
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application discloses a website access method and device. The method comprises the following steps: acquiring a certificate sent by a target website, the certificate corresponding to the target website; selecting at least one preset query channel and sending a certificate verification request, for verifying the validity of the certificate, to the server corresponding to that query channel, where the server stores a certificate revocation list of revoked (invalid) certificates; and receiving the validity state of the certificate fed back by the server and deciding, according to that validity state, whether to access the target website. By providing at least one query channel with a corresponding server, storing the list of revoked certificates in that server, and determining the validity of the certificate of the target website to be accessed through information exchange with the browser, the method and device determine whether the target website is accessed and improve the safety of website access.

Description

Website access method and device
Technical Field
The present application relates to the field of internet technologies, and in particular, to a certificate management method and apparatus.
Background
With the development of the internet, people increasingly use the network to complete sensitive transactions such as internet banking and online shopping. Since this sensitive data has to be transmitted over the network, many new technologies have been invented to ensure data security and user privacy; digital certificates are one of them. The identity of the user and the identity of the server on the network are verified by means of digital certificates.
However, if a certificate is revoked by the issuing authority within its validity period, or a security problem occurs (for example, the certificate's private key is leaked), and the browser cannot obtain the corresponding information in time and so continues to trust the certificate, the security of HTTPS may be compromised.
Disclosure of Invention
In view of this, the present application provides a certificate management method and apparatus for learning the validity state of each website certificate in time while the browser accesses it, so as to improve the security of website access.
In order to achieve the above object, the following solutions are proposed:
a website access method is applied to a browser and comprises the following steps:
acquiring a certificate sent by a target website, wherein the certificate corresponds to the target website;
selecting at least one preset inquiry channel, and sending a certificate verification request for verifying the validity of a certificate to a server corresponding to the inquiry channel, wherein a certificate revocation list representing a failed certificate is stored in the server corresponding to the inquiry channel;
and receiving the validity state of the certificate fed back by the server, and selecting whether to access the target website according to the validity state of the certificate.
A website access method is applied to a certificate management server and comprises the following steps:
receiving a certificate verification request which is sent by a browser and used for verifying the validity of a certificate, wherein the certificate verification request comprises the certificate to be verified;
reading a preset certificate revocation list, wherein the certificate revocation list is used for storing invalid certificates;
judging whether the certificate to be verified exists in the certificate revocation list, if so, determining that the validity state of the certificate to be verified is invalid, and if not, determining that the validity state of the certificate to be verified is valid;
and feeding back the validity state of the certificate to be verified to the browser so that the browser can select whether to continuously access the website according to the validity state of the certificate.
A website access device applied to a browser comprises:
the certificate acquisition unit is used for acquiring a certificate sent by a target website, and the certificate corresponds to the target website;
the status query unit is used for selecting at least one preset query channel and sending a certificate verification request for verifying the validity of a certificate to a server corresponding to the query channel, wherein the server corresponding to the query channel stores a certificate revocation list representing invalid certificates;
and the access processing unit is used for receiving the validity state of the certificate fed back by the server and selecting whether to access the target website according to the validity state of the certificate.
A website access device applied to a server comprises:
the authentication request receiving unit is used for receiving a certificate authentication request which is sent by a browser and used for authenticating the validity of a certificate, wherein the certificate authentication request comprises a certificate to be authenticated;
a list reading unit configured to read a preset certificate revocation list, where the certificate revocation list is used to store a certificate that has failed;
a list query unit, configured to determine whether the certificate to be verified exists in the certificate revocation list;
a certificate status determining unit, configured to determine that the validity status of the certificate to be verified is invalid when the determination result of the list querying unit is yes, and determine that the validity status of the certificate to be verified is valid when the determination result of the list querying unit is no;
and the certificate state feedback unit is used for feeding back the validity state of the certificate to be verified to the browser so as to select whether to continuously access the website according to the validity state of the certificate.
According to the technical scheme, after the certificate sent by the target website is obtained, the preset at least one query channel is selected, the certificate verification request for verifying the validity of the certificate is sent to the server corresponding to the query channel, the server corresponding to the query channel stores a certificate revocation list representing invalid certificates, the validity state of the certificate fed back by the server is received, and whether the target website is accessed or not is selected according to the validity state of the certificate. The method comprises the steps of setting at least one query channel and a server corresponding to the query channel, storing a failure certificate list in the server, determining the validity of a certificate of a target website to be accessed through information interaction with a browser, further determining whether to access the target website, and improving the safety of website access.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of a website access method disclosed in an embodiment of the present application;
Fig. 2 is a flowchart of another website access method disclosed in an embodiment of the present application;
Fig. 3 is a flowchart of another website access method disclosed in an embodiment of the present application;
Fig. 4 is a flowchart of another website access method disclosed in an embodiment of the present application;
Fig. 5 is a schematic structural diagram of a website access apparatus disclosed in an embodiment of the present application;
Fig. 6 is a schematic structural diagram of another website access apparatus disclosed in an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a third status query subunit according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of another website access apparatus disclosed in an embodiment of the present application;
Fig. 9 is a schematic structural diagram of a list querying unit disclosed in an embodiment of the present application;
Fig. 10 is a schematic structural diagram of another website access apparatus disclosed in an embodiment of the present application;
Fig. 11 is a schematic diagram of a terminal hardware structure disclosed in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The application provides a website access method based on certificate verification: before a target website is accessed, the validity of the website's certificate is verified, and when the certificate is invalid, access to the website is refused. To implement the scheme of the present application, in this embodiment at least one query channel and a server corresponding to that query channel are preset, and a list of revoked certificates is collected and stored in the server.
The website access method provided by the embodiment is based on a website access architecture comprising a browser, the local system, certificate authorities and a preset certificate management server. The browser determines the validity state of the certificate by querying the local system update file, by communicating with the certificate issuing authority, and by communicating with the certificate management server; it then combines the validity states determined by these three channels and decides whether to access the target website.
The solution of the present application is first described from the perspective of a browser. Referring to fig. 1, fig. 1 is a flowchart of a website access method disclosed in an embodiment of the present application.
As shown in fig. 1, the method includes:
step S100, acquiring a certificate sent by a target website, wherein the certificate corresponds to the target website;
Specifically, some websites are provided with certificates, for example the websites of banks and of online shopping platforms. When such a website is accessed, it sends its certificate to the user.
Step S110, selecting at least one preset inquiry channel, and sending a certificate verification request for verifying the validity of the certificate to a server corresponding to the inquiry channel;
The server corresponding to the query channel stores a certificate revocation list representing invalid certificates. In the method and device, several query channels can be preset, and each query channel is provided with a corresponding server that stores the list of revoked certificates.
And step S120, receiving the validity state of the certificate fed back by the server, and selecting whether to access the target website according to the validity state of the certificate.
Specifically, the server corresponding to the selected query channel queries the validity state of the certificate after receiving the request, and feeds back the result. In this step, whether to access the target website is determined according to the validity status of the received certificate. For example, when the certificate is determined to be a failed certificate, access to the target website may be optionally denied to ensure security.
According to the website access method provided by the embodiment of the application, after the certificate sent by the target website is obtained, at least one preset inquiry channel is selected, and a certificate verification request for verifying the validity of the certificate is sent to a server corresponding to the inquiry channel, wherein a certificate revocation list representing invalid certificates is stored in the server corresponding to the inquiry channel, the validity state of the certificate fed back by the server is received, and whether the target website is accessed or not is selected according to the validity state of the certificate. The method comprises the steps of setting at least one query channel and a server corresponding to the query channel, storing a failure certificate list in the server, determining the validity of a certificate of a target website to be accessed through information interaction with a browser, further determining whether to access the target website, and improving the safety of website access.
It should be explained that the certificate sent by the target website is acquired together with all certificates corresponding to the website: the certificate and its parent certificate are generally acquired recursively until the root certificate is reached, and the validity of each certificate in this chain needs to be verified.
Referring to fig. 2, fig. 2 is a flowchart of another website access method disclosed in the embodiment of the present application.
As shown in fig. 2, the method includes:
step S200, acquiring a certificate sent by a target website, wherein the certificate corresponds to the target website;
Specifically, some websites are provided with certificates, for example the websites of banks and of online shopping platforms. When such a website is accessed, it sends its certificate to the user.
Step S210, inquiring a local system update file to determine the validity state of the certificate;
and recording a certificate revocation list representing a failed certificate in the local system update file.
Specifically, the operating system updates the list of revoked certificates on the system through security patches, adding certificates whose validity status is invalid to the local system file. Accordingly, the validity of a certificate can be determined by querying the local system file.
Step S220, according to the OCSP protocol, sending a certificate verification request for verifying the validity of the certificate to the certificate authority;
Here OCSP is the Online Certificate Status Protocol, which specifies the syntax of the exchange. Specifically, the certificate validity verification request is sent to the certificate issuing authority according to the communication syntax specified by OCSP. The certificate authority records a certificate revocation list representing revoked certificates.
It should be noted that OCSP is generally a configurable item of the browser: it may not be turned on by default, or may have been turned off by the user, and the user has to enable it if the function is to be used. In addition, the OCSP responder may be unreachable for network or server reasons.
Step S230, sending a certificate verification request for verifying the validity of the certificate to a preset certificate management server;
A certificate revocation list indicating revoked certificates is stored in the preset certificate management server. Revoked certificates acquired through various channels may be stored in the certificate management server.
Step S240, receiving validity states of the certificate fed back by a local system, the certificate issuing authority and the certificate management server respectively;
the above steps S210 to S230 respectively send a certificate validity verification request to the local system, the certificate authority, and the certificate management server, and correspondingly receive information fed back by the local system, the certificate authority, and the certificate management server in this step.
Step S250, if it is determined that any one of the received three validity states is a failure state, denying access to the target website.
In the preceding step the certificate validity states fed back by the three channels are received; if any one of the three validity states is judged to be a failure state, access to the target website is refused.
In the embodiment, three query channels are provided, the validity state of the certificate is determined by integrating the three query modes, and the safety of website access is improved.
It should be noted that the execution sequence of the above steps S210-S230 is not limited to that shown in fig. 2, and the three steps may be executed in parallel or in other sequences, which is not limited in this application.
Optionally, for the preset certificate management server, the maintenance personnel may update the certificate revocation list periodically, and update the latest state of the certificate in the certificate management server, so as to ensure the accuracy of subsequent certificate validity state determination according to the certificate management server.
It should be noted that in the third query channel, when sending a certificate validity verification request to the preset certificate management server, the whole certificate to be verified need not be sent, in view of the communication overhead; only the fingerprint of the certificate (an inherent attribute that uniquely identifies the certificate) is sent to the certificate management server.
Correspondingly, the certificate management server can also only store the fingerprint of the invalid certificate, and when the validity of the certificate is judged, only whether the fingerprint of the certificate to be verified is stored in the certificate revocation list needs to be searched, so that convenience is brought, and communication overhead is saved.
In another embodiment of the present application, the scheme is described from the perspective of the certificate management server. Referring to fig. 3, fig. 3 is a flowchart of another website access method disclosed in an embodiment of the present application.
As shown in fig. 3, the method includes:
step S300, receiving a certificate verification request which is sent by a browser and used for verifying the validity of a certificate, wherein the certificate verification request comprises the certificate to be verified;
step S310, reading a preset certificate revocation list which is used for storing invalid certificates;
step S320, determining the validity status of the certificate to be verified by verifying whether the certificate to be verified is stored in the certificate revocation list;
specifically, whether the certificate to be verified exists in the certificate revocation list is judged, if yes, the validity state of the certificate to be verified is determined to be invalid, and if not, the validity state of the certificate to be verified is determined to be valid.
And step S330, feeding back the validity state of the certificate to be verified to the browser so that the browser can select whether to continue accessing the website according to the validity state of the certificate.
In this embodiment, a scheme is introduced from the perspective of the certificate management server, and the certificate management server determines the validity state of the certificate to be verified by querying a locally preset certificate revocation list indicating a certificate of failure, and feeds the validity state back to the browser, so that the browser can select whether to access a target website, and the security is improved.
It should be noted that the certificate management server may store only the fingerprints of revoked certificates, and the certificate verification request sent by the browser carries the fingerprint of the certificate to be verified. When judging the validity of the certificate, only whether the fingerprint of the certificate to be verified is present in the certificate revocation list needs to be looked up: if so, the certificate to be verified is determined to be a revoked certificate, otherwise it is determined to be valid. This approach is both convenient and saves communication overhead.
On the basis of the above embodiment, the present embodiment further discloses another website access method, and referring to fig. 4, fig. 4 is a flowchart of another website access method disclosed in the embodiment of the present application.
As shown in fig. 4, the method includes:
step S400, receiving a certificate verification request which is sent by a browser and used for verifying the validity of a certificate, wherein the certificate verification request comprises the certificate to be verified;
step S410, reading a preset certificate revocation list, wherein the certificate revocation list is used for storing invalid certificates;
step S420, determining the validity status of the certificate to be verified by verifying whether the certificate to be verified is stored in the certificate revocation list;
specifically, whether the certificate to be verified exists in the certificate revocation list is judged, if yes, the validity state of the certificate to be verified is determined to be invalid, and if not, the validity state of the certificate to be verified is determined to be valid.
Step S430, feeding back the validity state of the certificate to be verified to the browser so that the browser can select whether to continue accessing the website according to the validity state of the certificate;
step S440, acquiring a certificate revocation list published by operating system manufacturers and security companies according to a preset policy;
and step S450, updating the locally preset certificate revocation list with the acquired list.
It is to be understood that the execution sequence of the steps S440 and S450 is not limited to the case shown in fig. 4, and may be located anywhere in the steps S400 to S430.
The predetermined policy may concern acquisition time, for example acquiring the list once every predetermined interval, or in real time. An operating system manufacturer may publish its revoked-certificate list at irregular times, and a terminal operating system may, for human or network reasons, fail to obtain the update information in time, so the locally stored certificate revocation list may not be updated in time. The certificate management server in the present embodiment effectively solves this problem. In addition, besides operating system vendors, some security companies, such as Kingshan antivirus, may also expose insecure certificates. The certificate management server of this embodiment may therefore also monitor and acquire certificate revocation lists published by security companies, and update its certificate revocation list with them.
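The browser-side flow of fig. 2 (chain walk, three query channels, deny if any channel reports a failure state) and the server-side fingerprint lookup and list update of figs. 3 and 4, as an added Python example that is not code from the patent or from Tencent. It assumes SHA-256 over the DER encoding as the certificate fingerprint, models each query channel as a callable, and treats a channel that cannot answer (OCSP disabled or unreachable, which the description mentions but does not resolve) as "unavailable" rather than as a failure state.

```python
"""Added example (not the patent's code): three-channel revocation check on the
browser side (steps S200-S250) and the fingerprint-based certificate management
server (steps S300-S330 and S440-S450)."""
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Iterable, List, Optional, Set


class Status(Enum):
    VALID = "valid"
    INVALID = "invalid"            # the page's "failure state": cert is on a revocation list
    UNAVAILABLE = "unavailable"    # channel gave no answer (assumption: not a failure state)


@dataclass(eq=False)
class Certificate:
    """Constructed stand-in for an X.509 certificate: DER bytes plus an issuer link."""
    der: bytes
    issuer: Optional["Certificate"] = None


def fingerprint(cert: Certificate) -> str:
    """SHA-256 of the DER encoding (assumed definition of the page's 'fingerprint')."""
    return hashlib.sha256(cert.der).hexdigest()


def chain(cert: Certificate) -> List[Certificate]:
    """Collect the certificate, its parent, ... up to the root, as the page describes."""
    out: List[Certificate] = []
    while cert is not None and cert not in out:   # identity check guards against issuer cycles
        out.append(cert)
        cert = cert.issuer
    return out


class CertificateManagementServer:
    """Third channel: stores only fingerprints of revoked certificates (constructed model)."""

    def __init__(self, revoked: Iterable[str] = ()):
        self.revoked: Set[str] = set(revoked)

    def verify(self, fp: str) -> Status:
        # S320: present in the list -> invalid, otherwise valid
        return Status.INVALID if fp in self.revoked else Status.VALID

    def update_from_feed(self, feed: Iterable[str]) -> int:
        """S440/S450: merge a vendor or security-company feed; returns the number of new entries."""
        before = len(self.revoked)
        self.revoked.update(feed)
        return len(self.revoked) - before


Channel = Callable[[Certificate], Status]


def local_system_channel(local_crl: Set[str]) -> Channel:
    """S210: look the fingerprint up in the OS-maintained revocation file."""
    return lambda c: Status.INVALID if fingerprint(c) in local_crl else Status.VALID


def ocsp_channel(enabled: bool, responder: Optional[Set[str]]) -> Channel:
    """S220: OCSP may be disabled in the browser or unreachable (responder=None)."""
    def query(c: Certificate) -> Status:
        if not enabled or responder is None:
            return Status.UNAVAILABLE
        return Status.INVALID if fingerprint(c) in responder else Status.VALID
    return query


def management_server_channel(server: CertificateManagementServer) -> Channel:
    """S230: only the fingerprint crosses the wire, not the whole certificate."""
    return lambda c: server.verify(fingerprint(c))


def query_all(cert: Certificate, channels: List[Channel]) -> List[Status]:
    """S240: one status per channel for every certificate in the chain."""
    return [ch(c) for c in chain(cert) for ch in channels]


def decide_access(cert: Certificate, channels: List[Channel]) -> bool:
    """S250: deny access if any channel reports a failure state for any chain member."""
    return Status.INVALID not in query_all(cert, channels)


def build_demo_chain():
    """Constructed sample chain; the bytes are placeholders, not real DER."""
    root = Certificate(b"constructed-root-der")
    inter = Certificate(b"constructed-intermediate-der", issuer=root)
    leaf = Certificate(b"constructed-leaf-der", issuer=inter)
    return leaf, inter, root


if __name__ == "__main__":
    leaf, inter, root = build_demo_chain()
    server = CertificateManagementServer()
    channels = [local_system_channel(set()), ocsp_channel(True, None),
                management_server_channel(server)]
    print("before feed:", decide_access(leaf, channels))   # True: OCSP unreachable only
    server.update_from_feed([fingerprint(inter)])           # feed reports the intermediate revoked
    print("after feed:", decide_access(leaf, channels))    # False: one channel says invalid
```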
The following describes the website access device provided in the embodiments of the present application, and the website access device described below and the website access method described above may be referred to correspondingly.
The present application provides a website access apparatus, which is applied in a browser, as shown in fig. 5, the apparatus includes:
a certificate obtaining unit 51, configured to obtain a certificate sent by a target website, where the certificate corresponds to the target website;
a status query unit 52, configured to select at least one preset query channel, and send a certificate verification request for verifying the validity of a certificate to a server corresponding to the query channel, where a certificate revocation list indicating a certificate that has failed is stored in the server corresponding to the query channel;
and the access processing unit 53 is configured to receive the validity state of the certificate fed back by the server, and select whether to access the target website according to the validity state of the certificate.
Optionally, fig. 6 illustrates another structure of the website access apparatus of the present application, as shown in fig. 6, wherein the status query unit 52 may include:
a first status query subunit 521, configured to query a local system update file to determine the validity status of the certificate, where a certificate revocation list indicating a certificate that is invalid is recorded in the local system update file;
a second status query subunit 522, configured to send, according to the OCSP protocol (Online Certificate Status Protocol), a certificate verification request for verifying the validity of a certificate to the certificate authority, where the certificate authority records a certificate revocation list indicating revoked certificates;
a third status query subunit 523, configured to send a certificate verification request for verifying the validity of a certificate to a preset certificate management server, where a certificate revocation list indicating a certificate that has failed is stored in the certificate management server;
the access processing unit 53 may include:
a validity state receiving unit 531, configured to receive validity states of the certificate, which are fed back by the local system, the certificate authority, and the certificate management server respectively;
a validity state determination unit 532, configured to deny access to the target website when any one of the received three validity states is determined to be a failure state.
Optionally, the certificate revocation list stored in the certificate management server is stored according to a fingerprint of a certificate, and as shown in fig. 7, the third status query subunit 523 may include:
a fingerprint querying unit 5231, configured to send a certificate validity verification request carrying a fingerprint of the certificate to a preset certificate management server.
The website access device provided by the embodiment of the application selects at least one preset inquiry channel after acquiring the certificate sent by the target website, and sends the certificate verification request for verifying the certificate validity to the server corresponding to the inquiry channel, wherein the server corresponding to the inquiry channel stores a certificate revocation list representing invalid certificates, receives the validity state of the certificate fed back by the server, and selects whether to access the target website according to the validity state of the certificate. The device is provided with at least one query channel and a server corresponding to the query channel, stores the invalid certificate list in the server, determines the validity of the certificate of the target website to be accessed through information interaction with the browser, further determines whether to access the target website, and improves the safety of website access.
The present application further provides a website access apparatus, which is applied to a certificate management server, and as shown in fig. 8, the apparatus includes:
a verification request receiving unit 81, configured to receive a certificate verification request sent by a browser and used for verifying the validity of a certificate, where the certificate verification request includes a certificate to be verified;
a list reading unit 82 configured to read a preset certificate revocation list, where the certificate revocation list is used to store a certificate that has failed;
a list querying unit 83, configured to determine whether the certificate to be authenticated exists in the certificate revocation list;
a certificate status determining unit 84, configured to determine that the validity status of the certificate to be verified is invalid when the determination result of the list querying unit 83 is yes, and determine that the validity status of the certificate to be verified is valid when the determination result of the list querying unit 83 is no;
and the certificate state feedback unit 85 is configured to feed back the validity state of the certificate to be verified to the browser, so that the browser can select whether to continue to access the website according to the validity state of the certificate.
Optionally, if the certificate verification request received by the verification request receiving unit 81 includes the fingerprint of the certificate to be verified, and the entries stored in the certificate revocation list are fingerprints of revoked certificates, then, as shown in fig. 9, the list querying unit 83 may include:
the first list querying subunit 831 is configured to determine whether a fingerprint of a certificate to be authenticated exists in the certificate revocation list.
Optionally, fig. 10 illustrates another structure of the website access apparatus of the present application; as can be seen from fig. 8 and fig. 10, the apparatus may further include:
a certificate revocation monitoring unit 86, configured to obtain, according to a preset policy, the lists of revoked certificates issued by an operating system manufacturer and a security company;
and a list updating unit 87, configured to update the locally preset certificate revocation list with the obtained lists of revoked certificates.
This website access device, applied to the certificate management server, receives the browser's verification request for the certificate to be verified, queries the preset certificate revocation list, determines the validity of that certificate and feeds the result back to the browser; if the certificate is determined to be revoked, the browser can refuse to access the target website, so that safety is improved.
The embodiment of the application also provides a terminal capable of website access control, such as a tablet computer. The terminal may include the website access device described above; for the description of that device, refer to the corresponding parts above, which are not repeated here.
The hardware structure of the terminal provided in the embodiment of the present application is described below; for the parts relating to invoking the website access method, refer to the corresponding description above. Fig. 11 is a schematic diagram of the hardware structure of a terminal according to an embodiment of the present application. Referring to fig. 11, the terminal may include:
a processor 1, a communication interface 2, a memory 3, a communication bus 4, and a display screen 5;
the processor 1, the communication interface 2, the memory 3 and the display screen 5 communicate with one another through the communication bus 4;
optionally, the communication interface 2 may be an interface of a communication module, such as the interface of a GSM module;
the processor 1 is configured to execute a program;
the memory 3 is configured to store the program;
the program may include program code comprising operating instructions for the processor.
The processor 1 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present application.
The memory 3 may comprise high-speed RAM and may further comprise non-volatile memory, such as at least one disk memory.
The program may specifically be used for:
acquiring a certificate sent by a target website, wherein the certificate corresponds to the target website;
selecting at least one preset inquiry channel, and sending a certificate verification request for verifying the validity of a certificate to a server corresponding to the inquiry channel, wherein a certificate revocation list representing a failed certificate is stored in the server corresponding to the inquiry channel;
and receiving the validity state of the certificate fed back by the server, and selecting whether to access the target website according to the validity state of the certificate.
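The following is an added example, not code from the patent, showing the fingerprint-based revocation lookup performed by the certificate management server (units 82 to 87 in fig. 8 and fig. 10) together with the browser-side decision that combines the server's answer with the revocation list held in the local system update file (claims 1 and 3). The hash algorithm (SHA-256), the feed formats, the certificate byte strings and the set-based local list are all assumptions.

```python
"""Fingerprint-based revocation lookup (added example, not the patent's code)."""
import hashlib


def fingerprint(cert_der: bytes) -> str:
    """Fingerprint of a DER-encoded certificate as lower-case hex.
    The patent fixes no hash algorithm; SHA-256 is assumed here."""
    return hashlib.sha256(cert_der).hexdigest()


def normalize_fingerprint(raw: str) -> str:
    """Bring feed entries ("AB:CD:..." or "ABCD...") to the canonical form."""
    return raw.replace(":", "").strip().lower()


class CertificateManagementServer:
    """Server side: units 82 to 87 of the description (fig. 8 and fig. 10)."""

    def __init__(self) -> None:
        self.revocation_list: set[str] = set()  # fingerprints of revoked certs

    def update_from_channel(self, entries: list[str]) -> int:
        """Units 86/87: merge a vendor- or security-company-issued list into the
        local revocation list; returns how many new fingerprints were added."""
        before = len(self.revocation_list)
        self.revocation_list.update(normalize_fingerprint(e) for e in entries)
        return len(self.revocation_list) - before

    def verify(self, cert_fingerprint: str) -> str:
        """Units 83/84: 'invalid' if the fingerprint is listed, else 'valid'."""
        return "invalid" if cert_fingerprint in self.revocation_list else "valid"


def local_system_status(cert_fingerprint: str, local_list: set[str]) -> str:
    """Second channel of claim 1: the revocation list delivered by the local
    system update file (modelled as a plain set; assumed format)."""
    return "invalid" if cert_fingerprint in local_list else "valid"


def browser_access(cert_der: bytes, server: CertificateManagementServer,
                   local_list: set[str]) -> bool:
    """Browser side: query both channels and allow access only when neither
    channel reports the certificate as revoked."""
    fp = fingerprint(cert_der)
    statuses = (server.verify(fp), local_system_status(fp, local_list))
    return all(status == "valid" for status in statuses)


# Constructed sample data: stand-in byte strings, not real X.509 certificates.
CERT_SHOP = b"constructed-der:shop.example"
CERT_BANK = b"constructed-der:bank.example"
CERT_BLOG = b"constructed-der:blog.example"
CERT_OTHER = b"constructed-der:other.example"

# Constructed feeds presenting the same fingerprint in two common spellings.
_shop_fp = fingerprint(CERT_SHOP)
OS_VENDOR_FEED = [_shop_fp.upper()]
SECURITY_COMPANY_FEED = [
    ":".join(_shop_fp[i:i + 2] for i in range(0, 64, 2)),  # same cert as above
    fingerprint(CERT_OTHER),
]
# Constructed local list, standing in for what a security patch would deliver.
LOCAL_REVOCATION_LIST = {fingerprint(CERT_BANK)}


def build_server() -> CertificateManagementServer:
    """Populate a server from both channels; the duplicate entry is merged."""
    server = CertificateManagementServer()
    server.update_from_channel(OS_VENDOR_FEED)
    server.update_from_channel(SECURITY_COMPANY_FEED)
    return server


SERVER = build_server()

if __name__ == "__main__":
    for name, cert in (("shop", CERT_SHOP), ("bank", CERT_BANK), ("blog", CERT_BLOG)):
        allowed = browser_access(cert, SERVER, LOCAL_REVOCATION_LIST)
        print(name, "access allowed" if allowed else "access refused")
```

The shop certificate is refused because the server lists it, the bank certificate because only the local system list does, and the blog certificate is allowed because neither channel reports it.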
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The embodiments in the present description are described progressively: each embodiment focuses on its differences from the others, and for identical or similar parts the embodiments may be referred to one another.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A website access method, applied to a browser, comprising the following steps:
acquiring a certificate sent by a target website, wherein the certificate corresponds to the target website;
sending a certificate verification request, which carries a fingerprint of the certificate and is used for verifying the validity of the certificate, to a preset certificate management server, wherein the certificate management server stores a certificate revocation list of fingerprints of revoked certificates, acquires fingerprints of revoked certificates through various channels, and updates the certificate revocation list according to the acquired fingerprints;
querying a local system update file to determine the validity state of the certificate, wherein a certificate revocation list of revoked certificates is recorded in the local system update file, and the certificate revocation list on the local system is updated by way of security patch updates;
and receiving the validity states of the certificate fed back by the certificate management server and by the local system respectively, and deciding whether to access the target website according to both validity states.
2. The method of claim 1, further comprising:
sending, according to the Online Certificate Status Protocol (OCSP), a certificate verification request for verifying the validity of the certificate to the issuing authority of the certificate, wherein the issuing authority records a certificate revocation list of revoked certificates;
receiving the validity state of the certificate fed back by the issuing authority of the certificate;
and if the received validity state is determined to be the invalid state, refusing to access the target website.
3. A website access method, applied to a certificate management server, the method comprising:
receiving a certificate verification request sent by a browser, which carries a fingerprint of a certificate and is used for verifying the validity of the certificate;
reading a preset certificate revocation list, wherein the certificate revocation list stores revoked certificates, and the certificate management server acquires revoked certificates through various channels and updates the certificate revocation list according to the acquired revoked certificates; the certificate verification request comprises the fingerprint of the certificate to be verified, and the certificate revocation list stores the fingerprints of revoked certificates;
judging whether the fingerprint of the certificate to be verified exists in the certificate revocation list; if so, determining that the certificate to be verified exists in the certificate revocation list, and if not, determining that it does not;
feeding back the validity state of the certificate to be verified to the browser, so that the browser decides whether to continue accessing the website according to the validity state fed back by the certificate management server and the validity state of the certificate obtained by the browser from the local system, wherein the browser obtains the latter by querying a local system update file, in which a certificate revocation list of revoked certificates is recorded, the certificate revocation list on the local system being updated by way of security patch updates.
4. The method of claim 3, further comprising:
acquiring, according to a preset policy, the lists of revoked certificates issued by an operating system manufacturer and a security company;
and updating the locally preset certificate revocation list with the acquired lists.
5. A website access apparatus, applied to a browser, the apparatus comprising:
a certificate acquisition unit, configured to acquire a certificate sent by a target website, wherein the certificate corresponds to the target website;
a status query unit, configured to send a certificate verification request, which carries a fingerprint of the certificate and is used for verifying the validity of the certificate, to a preset certificate management server, wherein the certificate management server stores a certificate revocation list of fingerprints of revoked certificates, acquires fingerprints of revoked certificates through various channels and updates the certificate revocation list according to the acquired fingerprints; and to query a local system update file to determine the validity state of the certificate, wherein a certificate revocation list of revoked certificates is recorded in the local system update file, and the certificate revocation list on the local system is updated by way of security patch updates;
and an access processing unit, configured to receive the validity states of the certificate fed back by the certificate management server and by the local system respectively, and to decide whether to access the target website according to both validity states.
6. The apparatus of claim 5, wherein the status query unit comprises:
a second status query subunit, configured to send, according to the Online Certificate Status Protocol (OCSP), a certificate verification request for verifying the validity of the certificate to the issuing authority of the certificate, wherein a certificate revocation list of revoked certificates is recorded at the issuing authority;
and the access processing unit comprises:
a validity state receiving unit, configured to receive the validity state of the certificate fed back by the issuing authority of the certificate;
and a validity state judging unit, configured to refuse access to the target website when the received validity state is determined to be invalid.
7. A website access device, applied to a server, the device comprising:
a verification request receiving unit, configured to receive a certificate verification request sent by a browser, which carries a fingerprint of a certificate and is used for verifying the validity of the certificate;
a certificate revocation list reading unit, configured to read a preset certificate revocation list, wherein the certificate revocation list stores revoked certificates, and the server acquires revoked certificates through various channels and updates the certificate revocation list according to the acquired revoked certificates; the certificate verification request received by the verification request receiving unit comprises the fingerprint of the certificate to be verified, and the certificate revocation list stores the fingerprints of revoked certificates;
a list querying unit, configured to determine whether the fingerprint of the certificate to be verified exists in the certificate revocation list;
a certificate status determining unit, configured to determine that the validity state of the certificate to be verified is invalid when the result of the list querying unit is yes, and valid when the result is no;
and a certificate state feedback unit, configured to feed back the validity state of the certificate to be verified to the browser, so that the browser decides whether to continue accessing the website according to the validity state fed back by the certificate management server and the validity state of the certificate obtained by the browser from the local system, wherein the browser obtains the latter by querying a local system update file, in which a certificate revocation list of revoked certificates is recorded, the certificate revocation list on the local system being updated by way of security patch updates.
8. The apparatus of claim 7, further comprising:
a certificate revocation monitoring unit, configured to acquire, according to a preset policy, the lists of revoked certificates issued by an operating system manufacturer and a security company;
and a list updating unit, configured to update the locally preset certificate revocation list with the acquired lists.
9. A storage medium having stored thereon computer-executable instructions which, when loaded and executed by a processor, carry out the website access method according to either of claims 1 and 2 and/or the website access method according to either of claims 3 and 4.
10. A terminal device, comprising:
a processor and a memory;
the processor is configured to call and execute a program stored in the memory;
and the memory is configured to store the program, the program at least implementing the website access method according to either of claims 1 and 2.
Application CN201510407842.3A, "Website access method and device", filed 2015-07-13 (priority date 2015-07-13), status: Active.
Publications: CN106656455A, published 2017-05-10; CN106656455B (granted), published 2020-11-03.
Family ID 58815004; country: CN.