CN106656455A - Website access method and device - Google Patents

Info

Publication number: CN106656455A
Authority: CN (China)
Prior art keywords: certificate, validity, state, failure, revocation list
Legal status: Granted
Application number: CN201510407842.3A
Other languages: Chinese (zh)
Other versions: CN106656455B (en)
Inventor: 王小龙
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201510407842.3A
Publication of CN106656455A
Application granted
Publication of CN106656455B

Landscapes

  • Computer And Data Communications (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a website access method and a device. The method comprises the steps of obtaining a certificate sent from a target website, wherein the certificate corresponds to the target website; selecting at least one preset query channel, and sending a certificate verification request to a server corresponding to the query channel, wherein the certificate verification request is used for verifying the validity of the certificate, and a certificate revocation list for representing invalid certificates is stored inside the server corresponding to the query channel; receiving the validity state of the certificate from the server, and determining whether to visit the website or not according to the validity state of the certificate. According to the invention, at least one query channel and a server corresponding to the query channel are arranged. Meanwhile, a list of invalid certificates is stored in the server. The validity of the certificate of the to-be-accessed target website is determined through the information interaction with a browser. Furthermore, whether to access the target website or not is determined. Therefore, the security of the website access is improved.

Description

Website access method and device
Technical field
The present application relates to the field of Internet technology and, more specifically, to a certificate management method and device.
Background
With the development of the Internet, people increasingly use the network to handle sensitive transactions, for example online banking and online shopping. Because this sensitive data has to be transmitted over the network, many new techniques have been invented to protect data security and user privacy, and the digital certificate is one of them. A digital certificate is used to verify the identity of a user and of a server on the network.
However, if a certificate is revoked by the certificate issuing authority before it expires, or has a security problem (for example, the private key of the certificate has been compromised), and the browser cannot obtain this information in time and continues to trust the certificate, the security of HTTPS may be undermined.
Summary of the invention
In view of this, the present application provides a certificate management method and device that let the browser learn the validity state of each website certificate in time during browsing, improving the security of website access.
To achieve this, the following scheme is proposed:
A website access method, applied to a browser, the method comprising:
obtaining the certificate sent by a target website, the certificate corresponding to the target website;
selecting at least one preset query channel and sending, to the server corresponding to the query channel, a certificate verification request for verifying the validity of the certificate, wherein the server corresponding to the query channel stores a certificate revocation list representing invalid certificates;
receiving the validity state of the certificate fed back by the server, and choosing whether to access the target website according to the validity state of the certificate.
A website access method, applied to a certificate management server, the method comprising:
receiving a certificate verification request, sent by a browser, for verifying the validity of a certificate, the certificate verification request containing the certificate to be verified;
reading a preset certificate revocation list, the certificate revocation list being used to store invalid certificates;
judging whether the certificate to be verified is present in the certificate revocation list; if so, determining that the validity state of the certificate to be verified is invalid; if not, determining that the validity state of the certificate to be verified is valid;
feeding the validity state of the certificate to be verified back to the browser, so that the browser chooses whether to continue accessing the website according to the validity state of the certificate.
A website access device, applied to a browser, the device comprising:
a certificate acquisition unit, configured to obtain the certificate sent by a target website, the certificate corresponding to the target website;
a status query unit, configured to select at least one preset query channel and send, to the server corresponding to the query channel, a certificate verification request for verifying the validity of the certificate, wherein the server corresponding to the query channel stores a certificate revocation list representing invalid certificates;
an access processing unit, configured to receive the validity state of the certificate fed back by the server and to choose whether to access the target website according to the validity state of the certificate.
A website access device, applied to a server, the device comprising:
a verification request receiving unit, configured to receive a certificate verification request, sent by a browser, for verifying the validity of a certificate, the certificate verification request containing the certificate to be verified;
a list reading unit, configured to read a preset certificate revocation list, the certificate revocation list being used to store invalid certificates;
a list query unit, configured to judge whether the certificate to be verified is present in the certificate revocation list;
a certificate status determining unit, configured to determine that the validity state of the certificate to be verified is invalid when the judgment result of the list query unit is yes, and to determine that the validity state of the certificate to be verified is valid when the judgment result of the list query unit is no;
a certificate status feedback unit, configured to feed the validity state of the certificate to be verified back to the browser, so that the browser chooses whether to continue accessing the website according to the validity state of the certificate.
As can be seen from the above technical scheme, in the website access method provided by the embodiments of the present application, after the certificate sent by the target website is obtained, at least one preset query channel is selected and a certificate verification request for verifying the validity of the certificate is sent to the server corresponding to the query channel, wherein that server stores a certificate revocation list representing invalid certificates; the validity state of the certificate fed back by the server is received, and whether to access the target website is chosen according to that validity state. The method of the present application provides at least one query channel and its corresponding server, stores the list of invalid certificates in the server, determines through information exchange with the browser the validity of the certificate of the target website to be accessed, and then decides whether to access the target website, so as to improve the security of website access.
Brief description of the drawings
In order to explain the technical solutions of the embodiments of the present application or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present application, and a person of ordinary skill in the art can obtain other drawings from the drawings provided without creative effort.
Fig. 1 is a flow chart of a website access method disclosed in an embodiment of the present application;
Fig. 2 is a flow chart of another website access method disclosed in an embodiment of the present application;
Fig. 3 is a flow chart of yet another website access method disclosed in an embodiment of the present application;
Fig. 4 is a flow chart of yet another website access method disclosed in an embodiment of the present application;
Fig. 5 is a schematic structural diagram of a website access device disclosed in an embodiment of the present application;
Fig. 6 is a schematic structural diagram of another website access device disclosed in an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a third status query subunit disclosed in an embodiment of the present application;
Fig. 8 is a schematic structural diagram of yet another website access device disclosed in an embodiment of the present application;
Fig. 9 is a schematic structural diagram of a list query unit disclosed in an embodiment of the present application;
Fig. 10 is a schematic structural diagram of yet another website access device disclosed in an embodiment of the present application;
Fig. 11 is a schematic diagram of the hardware structure of a terminal disclosed in an embodiment of the present application.
Detailed description of the embodiments
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments of the present application. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments in the present application without creative effort fall within the scope of protection of the present application.
The present application provides a website access method based on certificate verification: before the target website is accessed, the validity of the website's certificate is verified first, and access to the website is denied if its certificate has been revoked. To implement the scheme of the present application, this embodiment presets at least one query channel and its corresponding server, and the list of invalid certificates is collected and stored in the server.
The website access method provided by the embodiments of the present application is based on a website access architecture that includes a browser, a local system, the certificate issuing authorities and a preset certificate management server. The browser determines the validity state of a certificate by querying the local system update file, by communicating with the certificate issuing authority, and by communicating with the certificate management server; it then considers the validity states determined in these three ways together and decides whether to access the target website.
The scheme of the present application is first introduced from the point of view of the browser. Referring to Fig. 1, Fig. 1 is a flow chart of a website access method disclosed in an embodiment of the present application.
As shown in Fig. 1, the method includes:
Step S100: obtain the certificate sent by the target website, the certificate corresponding to the target website;
Specifically, some websites are configured with certificates, for example the websites of major banks and some online shopping platforms. When such a website is accessed, it sends its corresponding certificate to the user.
Step S110: select at least one preset query channel and send, to the server corresponding to the query channel, a certificate verification request for verifying the validity of the certificate;
The server corresponding to the query channel stores a certificate revocation list representing invalid certificates. Multiple query channels can be preset in the present application, and each query channel has a corresponding server that stores the list of invalid certificates.
Step S120: receive the validity state of the certificate fed back by the server, and choose whether to access the target website according to the validity state of the certificate.
Specifically, after receiving the request, the server corresponding to the selected query channel queries the validity state of the certificate and feeds the result back. In this step, whether to access the target website is determined according to the validity state received. For example, when the certificate is determined to be invalid, access to the target website can be denied to ensure security.
In the website access method provided by the embodiments of the present application, after the certificate sent by the target website is obtained, at least one preset query channel is selected and a certificate verification request for verifying the validity of the certificate is sent to the server corresponding to the query channel, wherein that server stores a certificate revocation list representing invalid certificates; the validity state of the certificate fed back by the server is received, and whether to access the target website is chosen according to that validity state. The method of the present application provides at least one query channel and its corresponding server, stores the list of invalid certificates in the server, determines through information exchange with the browser the validity of the certificate of the target website to be accessed, and then decides whether to access the target website, which improves the security of website access.
It should be understood that the certificate obtained from the target website includes all certificates corresponding to the website: the parent certificate of each certificate is usually obtained recursively until the root certificate is reached, and all of these certificates need to have their validity verified.
Referring to Fig. 2, Fig. 2 is a flow chart of another website access method disclosed in an embodiment of the present application.
As shown in Fig. 2, the method includes:
Step S200: obtain the certificate sent by the target website, the certificate corresponding to the target website;
Specifically, some websites are configured with certificates, for example the websites of major banks and some online shopping platforms. When such a website is accessed, it sends its corresponding certificate to the user.
Step S210: query the local system update file to determine the validity state of the certificate;
The local system update file records a certificate revocation list representing invalid certificates.
Specifically, the operating system can update the certificate revocation list in the system by installing security patches, adding certificates whose validity state is invalid to a local system file. Accordingly, the present application can determine the validity of a certificate by querying the local system file.
Step S220: according to the OCSP protocol, send a certificate verification request for verifying the validity of the certificate to the issuing authority of the certificate;
Here OCSP is the Online Certificate Status Protocol, which defines the communication syntax. Specifically, the certificate validity verification request is sent to the issuing authority of the certificate using the syntax specified by the OCSP protocol. The certificate issuing authority keeps a certificate revocation list representing invalid certificates.
It should be noted that OCSP is usually a configurable option of the browser; it may be off by default or turned off by the user, in which case the user has to turn it on to use the function. In addition, OCSP may be unreachable because of network or server problems.
Step S230: send a certificate verification request for verifying the validity of the certificate to the preset certificate management server;
The preset certificate management server stores a certificate revocation list representing invalid certificates. Invalid certificates obtained through various channels can be stored in the certificate management server.
Step S240: receive the validity states of the certificate fed back respectively by the local system, the issuing authority of the certificate and the certificate management server;
In steps S210-S230 above, certificate validity verification requests were sent to the local system, the certificate issuing authority and the certificate management server respectively; in this step the information fed back by the three is received.
Step S250: if any one of the three received validity states is the invalid state, deny access to the target website.
The certificate validity states fed back by the three were received in the previous step; if any one of the three validity states is judged to be the invalid state, access to the target website is denied.
This embodiment provides three query channels and determines the validity state of the certificate by combining the three query modes, which improves the security of website access.
It should be noted that the execution order of steps S210-S230 is not limited to that shown in Fig. 2; the three steps may be performed in parallel or in another order, which the present application does not restrict.
Optionally, maintenance staff can periodically update the certificate revocation list of the preset certificate management server so that the latest state of each certificate is reflected in the certificate management server, which ensures the accuracy of subsequent validity determinations made through the certificate management server.
It should be noted that in the third query channel above, communication overhead can be taken into account when sending the certificate validity verification request to the preset certificate management server: instead of sending all the information of the certificate to be verified, only the fingerprint of the certificate (an inherent attribute that uniquely identifies the certificate) is sent to the certificate management server.
Correspondingly, the certificate management server may store only the fingerprints of invalid certificates. When judging the validity of a certificate, it only needs to look up whether the fingerprint of the certificate to be verified is stored in the certificate revocation list, which is both convenient and saves communication overhead.
In another embodiment of the present application, the scheme is introduced from the point of view of the certificate management server. Referring to Fig. 3, Fig. 3 is a flow chart of yet another website access method disclosed in an embodiment of the present application.
As shown in Fig. 3, the method includes:
Step S300: receive a certificate verification request, sent by the browser, for verifying the validity of a certificate, the certificate verification request containing the certificate to be verified;
Step S310: read the preset certificate revocation list, the certificate revocation list being used to store invalid certificates;
Step S320: determine the validity state of the certificate to be verified by checking whether the certificate to be verified is stored in the certificate revocation list;
Specifically, judge whether the certificate to be verified is present in the certificate revocation list; if so, determine that the validity state of the certificate to be verified is invalid; if not, determine that the validity state of the certificate to be verified is valid.
Step S330: feed the validity state of the certificate to be verified back to the browser, so that the browser chooses whether to continue accessing the website according to the validity state of the certificate.
This embodiment describes the scheme from the point of view of the certificate management server. The certificate management server queries its locally preset certificate revocation list representing invalid certificates, determines the validity state of the certificate to be verified, and feeds it back to the browser so that the browser can choose whether to access the target website, which improves security.
It should be noted that the certificate management server may store only the fingerprints of invalid certificates, and the certificate verification request sent by the browser then carries the fingerprint of the certificate to be verified. When judging the validity of the certificate, the server only needs to look up whether the fingerprint of the certificate to be verified is stored in the certificate revocation list: if it is, the certificate to be verified is determined to be an invalid certificate; otherwise, it is determined to be a valid certificate. This approach is both convenient and saves communication overhead.
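The browser-side decision of Fig. 2 (steps S200-S250) and the fingerprint lookup and list update on the certificate management server (steps S300-S330 and S440-S450), as an added example that is not code from the patent. It assumes SHA-256 over the DER bytes as the fingerprint, uses constructed byte strings in place of real certificates, and records an unanswered channel without blocking on it; `decide_access`, `Decision` and `CertificateManagementServer` are hypothetical names.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple


class Validity(Enum):
    VALID = "valid"
    INVALID = "invalid"


def fingerprint(cert_der: bytes) -> str:
    # Assumption: the fingerprint is SHA-256 over the DER-encoded certificate.
    return hashlib.sha256(cert_der).hexdigest()


class CertificateManagementServer:
    """Server side (S300-S330, S440-S450), storing fingerprints only."""

    def __init__(self, revoked: Iterable[str] = ()) -> None:
        self._revoked: Set[str] = {fp.lower() for fp in revoked}

    def update(self, published: Iterable[str]) -> int:
        """Merge a published invalid-certificate list; return how many were new."""
        before = len(self._revoked)
        self._revoked |= {fp.lower() for fp in published}
        return len(self._revoked) - before

    def verify(self, fp: str) -> Validity:
        """Invalid if the fingerprint is in the revocation list, valid otherwise."""
        return Validity.INVALID if fp.lower() in self._revoked else Validity.VALID


# A query channel maps a fingerprint to a validity state, or None when the
# channel cannot answer (for example OCSP switched off or unreachable).
Channel = Callable[[str], Optional[Validity]]


@dataclass
class Decision:
    allow: bool
    revoked_by: List[Tuple[str, str]] = field(default_factory=list)  # (fingerprint, channel)
    unavailable: Set[str] = field(default_factory=set)


def decide_access(chain: Iterable[bytes], channels: Dict[str, Channel]) -> Decision:
    """Browser side: every certificate in the chain is checked on every channel;
    a single 'invalid' answer from any channel denies access."""
    decision = Decision(allow=True)
    for cert in chain:
        fp = fingerprint(cert)
        for name, query in channels.items():
            try:
                state = query(fp)
            except OSError:  # network failure while reaching the channel
                state = None
            if state is None:
                # Assumption: the page does not say how to treat a channel that
                # gives no answer; it is recorded here and does not block access.
                decision.unavailable.add(name)
            elif state is Validity.INVALID:
                decision.revoked_by.append((fp, name))
                decision.allow = False
    return decision


def demo() -> Tuple[Decision, Decision]:
    # Constructed stand-ins for DER certificates (leaf, intermediate, root).
    leaf, inter, root = b"constructed-leaf", b"constructed-intermediate", b"constructed-root"
    local_list = {fingerprint(b"constructed-old-cert")}  # local system update file
    server = CertificateManagementServer()
    server.update([fingerprint(inter).upper()])  # published lists may differ in case

    def local(fp: str) -> Optional[Validity]:
        return Validity.INVALID if fp in local_list else Validity.VALID

    def ocsp(fp: str) -> Optional[Validity]:
        raise ConnectionError("responder unreachable")  # simulated outage

    channels: Dict[str, Channel] = {"local": local, "ocsp": ocsp, "server": server.verify}
    return decide_access([leaf, inter, root], channels), decide_access([leaf, root], channels)


if __name__ == "__main__":
    blocked, allowed = demo()
    print(blocked.allow, blocked.revoked_by, sorted(blocked.unavailable))
    print(allowed.allow, sorted(allowed.unavailable))
```

The `unavailable` set makes the soft-fail case visible: with the local list stale and OCSP unreachable, the certificate management server is the only channel that catches the revoked intermediate.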
On the basis of the previous embodiment, this embodiment further discloses another website access method. Referring to Fig. 4, Fig. 4 is a flow chart of yet another website access method disclosed in an embodiment of the present application.
As shown in Fig. 4, the method includes:
Step S400: receive a certificate verification request, sent by the browser, for verifying the validity of a certificate, the certificate verification request containing the certificate to be verified;
Step S410: read the preset certificate revocation list, the certificate revocation list being used to store invalid certificates;
Step S420: determine the validity state of the certificate to be verified by checking whether the certificate to be verified is stored in the certificate revocation list;
Specifically, judge whether the certificate to be verified is present in the certificate revocation list; if so, determine that the validity state of the certificate to be verified is invalid; if not, determine that the validity state of the certificate to be verified is valid.
Step S430: feed the validity state of the certificate to be verified back to the browser, so that the browser chooses whether to continue accessing the website according to the validity state of the certificate;
Step S440: according to a predetermined policy, obtain the invalid-certificate lists published by operating system manufacturers and security companies;
Step S450: update the locally preset certificate revocation list using the invalid-certificate lists.
It should be understood that the execution order of steps S440 and S450 is not limited to that shown in Fig. 4; they may be located at any position among steps S400-S430.
The predetermined policy may concern the acquisition time, for example acquiring once every predetermined interval, or acquiring in real time. An operating system manufacturer may publish invalid-certificate lists at irregular intervals, and a terminal operating system, for human or network reasons, may not get the new information in time and so cannot promptly update its locally stored certificate revocation list. The certificate management server in this embodiment effectively solves this problem. In addition to operating system manufacturers, some security companies, such as Kingsoft Antivirus, also disclose unsafe certificates. The certificate management server of this embodiment can also monitor and acquire the invalid-certificate lists published by security companies and use them to update the certificate revocation list.
The website access device provided by the embodiments of the present application is described below; the website access device described below and the website access method described above may be referred to in correspondence with each other.
The present application provides a website access device, applied in a browser. As shown in Fig. 5, the device includes:
a certificate acquisition unit 51, configured to obtain the certificate sent by the target website, the certificate corresponding to the target website;
a status query unit 52, configured to select at least one preset query channel and send, to the server corresponding to the query channel, a certificate verification request for verifying the validity of the certificate, wherein the server corresponding to the query channel stores a certificate revocation list representing invalid certificates;
an access processing unit 53, configured to receive the validity state of the certificate fed back by the server and to choose whether to access the target website according to the validity state of the certificate.
Optionally, Fig. 6 illustrates another structure of the website access device of the present application. As shown in Fig. 6, the status query unit 52 may include:
a first status query subunit 521, configured to query the local system update file to determine the validity state of the certificate, wherein the local system update file records a certificate revocation list representing invalid certificates;
a second status query subunit 522, configured to send, according to the OCSP protocol (Online Certificate Status Protocol), a certificate verification request for verifying the validity of the certificate to the issuing authority of the certificate, wherein the certificate issuing authority keeps a certificate revocation list representing invalid certificates;
a third status query subunit 523, configured to send a certificate verification request for verifying the validity of the certificate to the preset certificate management server, wherein the certificate management server stores a certificate revocation list representing invalid certificates;
The access processing unit 53 may include:
a validity state receiving unit 531, configured to receive the validity states of the certificate fed back respectively by the local system, the issuing authority of the certificate and the certificate management server;
a validity state judging unit 532, configured to deny access to the target website when any one of the three received validity states is determined to be the invalid state.
Optionally, the certificate revocation list stored in the certificate management server is stored by certificate fingerprint; in that case, as shown in Fig. 7, the third status query subunit 523 may include:
a fingerprint query unit 5231, configured to send to the preset certificate management server a certificate validity verification request carrying the fingerprint of the certificate.
In the website access device provided by the embodiments of the present application, after the certificate sent by the target website is obtained, at least one preset query channel is selected and a certificate verification request for verifying the validity of the certificate is sent to the server corresponding to the query channel, wherein that server stores a certificate revocation list representing invalid certificates; the validity state of the certificate fed back by the server is received, and whether to access the target website is chosen according to that validity state. The device of the present application provides at least one query channel and its corresponding server, stores the list of invalid certificates in the server, determines through information exchange with the browser the validity of the certificate of the target website to be accessed, and then decides whether to access the target website, which improves the security of website access.
Present invention also provides a kind of website visiting device, in being applied to certificate management server, such as Fig. 8 institutes Show, the device includes:
Checking request receiving unit 81, for receiving the card for verifying certificate validity of browser transmission Book checking request, the certification verification request includes certificate to be verified;
List reading unit 82, for reading preset certificate revocation list, the certificate revocation list is used In the certificate of storage failure;
List query unit 83, for judging in the certificate revocation list with the presence or absence of described to be verified Certificate;
Certificate status determining unit 84, for the judged result of list query unit 83 for be when, really The state of validity of the fixed certificate to be verified is failure, is in the judged result of list query unit 83 When no, the state of validity for determining the certificate to be verified is effective;
Certificate status feedback unit 85, browses for the state of validity of the certificate to be verified to be fed back to Device, so that it chooses whether to continue to access website according to the certificate validity status.
Optionally, what is included in the certification verification request that the checking request receiving unit 81 is received is to be tested The fingerprint of card certificate, the fingerprint for the certificate that fails stored in the certificate revocation list, then such as Fig. 9 institutes Show, the list query unit 83 can include:
First list inquires about subelement 831, for judging in the certificate revocation list with the presence or absence of to be tested The fingerprint of card certificate.
Optionally, Fig. 10 illustrates another structure of the website access device of the present application. With reference to Fig. 8 and Fig. 10, the device may further include:
An invalid certificate monitoring unit 86, configured to obtain, according to a predetermined policy, the invalid certificate lists issued by operating system vendors and security companies;
A list update unit 87, configured to update the local preset certificate revocation list using the invalid certificate lists.
The website access device provided by the present application is applied to a certificate management server. It receives the certificate verification request for the certificate to be verified sent by the browser, queries the preset certificate revocation list, determines the validity of the certificate to be verified, and feeds the result back to the browser. If the certificate to be verified is determined to be an invalid certificate, the browser can choose to refuse access to the target website, which improves security.
An embodiment of the present application also provides a terminal that can perform website access control, such as a tablet computer. The terminal may include the website access device described above; for a description of the website access device, refer to the corresponding part above, which is not repeated here.
The hardware structure of the terminal provided by the embodiment of the present application is described below; for the parts of the following description that involve the website access method, refer to the corresponding description above. Fig. 11 is a schematic diagram of the hardware structure of the terminal provided by the embodiment of the present application. With reference to Fig. 11, the terminal may include:
A processor 1, a communication interface 2, a memory 3, a communication bus 4, and a display screen 5;
The processor 1, the communication interface 2, the memory 3 and the display screen 5 communicate with one another through the communication bus 4;
Optionally, the communication interface 2 may be an interface of a communication module, such as an interface of a GSM module;
The processor 1 is configured to execute a program;
The memory 3 is configured to store the program;
The program may include program code, and the program code includes operating instructions for the processor.
The processor 1 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application.
The memory 3 may include high-speed RAM and may also include non-volatile memory, for example at least one disk memory.
The program may specifically be used to:
Obtain the certificate sent by the target website, the certificate corresponding to the target website;
Choose at least one preset query channel and send, to the server corresponding to the query channel, a certificate verification request for verifying certificate validity, wherein the server corresponding to the query channel stores a certificate revocation list representing invalid certificates;
Receive the validity state of the certificate fed back by the server, and choose whether to access the target website according to the validity state of the certificate.
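The fingerprint lookup and list update of units 83 to 87, together with the browser-side rule of claim 2 (refuse access if any channel reports the certificate invalid), are sketched below as an added example that is not code from the patent. The SHA-256 fingerprint over DER bytes, the merge-only update, the `UNKNOWN` state and the `fail_closed` switch are assumptions; the patent specifies none of them.

```python
import hashlib
from enum import Enum


class Status(Enum):
    VALID = "valid"
    REVOKED = "revoked"
    UNKNOWN = "unknown"  # assumption: channel unreachable or request malformed


def fingerprint(cert_der: bytes) -> str:
    """Assumed fingerprint: hex SHA-256 over the DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()


class CertificateManagementServer:
    """Server side (units 81 to 87), holding the revocation list as a fingerprint set."""

    def __init__(self, revoked_fingerprints=()):
        self._revoked = {self._norm(fp) for fp in revoked_fingerprints}

    @staticmethod
    def _norm(fp: str) -> str:
        # Published lists mix "AB:CD:..." and "abcd..." forms; compare one canonical form.
        fp = fp.replace(":", "").replace(" ", "").lower()
        if len(fp) != 64 or any(c not in "0123456789abcdef" for c in fp):
            raise ValueError("not a SHA-256 fingerprint")
        return fp

    def update(self, published_fingerprints) -> int:
        """List update unit 87: merge a published list, return the number of new entries."""
        before = len(self._revoked)
        self._revoked |= {self._norm(fp) for fp in published_fingerprints}
        return len(self._revoked) - before

    def verify(self, request_fingerprint: str) -> Status:
        """Units 83 to 85: REVOKED if the fingerprint is on the list, otherwise VALID."""
        try:
            fp = self._norm(request_fingerprint)
        except ValueError:
            return Status.UNKNOWN  # added behaviour: never answer "valid" to garbage
        return Status.REVOKED if fp in self._revoked else Status.VALID


def decide_access(statuses, fail_closed=False) -> bool:
    """Browser side: refuse if any channel reports REVOKED (claim 2).

    fail_closed is an added policy switch: when True, an UNKNOWN answer also refuses.
    """
    statuses = list(statuses)
    if any(s is Status.REVOKED for s in statuses):
        return False
    if fail_closed and any(s is Status.UNKNOWN for s in statuses):
        return False
    return True


# Constructed sample data: placeholder bytes stand in for DER certificates.
GOOD_CERT = b"constructed-der-bytes-for-a-valid-site"
BAD_CERT = b"constructed-der-bytes-for-a-revoked-site"


def demo():
    server = CertificateManagementServer()
    added = server.update([fingerprint(BAD_CERT).upper()])  # published list, upper-case hex
    results = {}
    for name, cert in (("good", GOOD_CERT), ("bad", BAD_CERT)):
        channels = [
            Status.VALID,                      # local system update file (stubbed)
            Status.UNKNOWN,                    # issuer OCSP responder unreachable (stubbed)
            server.verify(fingerprint(cert)),  # certificate management server
        ]
        results[name] = (decide_access(channels),
                         decide_access(channels, fail_closed=True))
    return added, results


if __name__ == "__main__":
    print(demo())
```

With one channel unreachable, the default policy still admits the good certificate, while `fail_closed=True` refuses it; that choice determines whether blocking a revocation channel is enough to bypass the check.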
Finally, it should also be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes the element.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the parts that are the same or similar among the embodiments, the embodiments may be referred to one another.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present application. Various modifications to these embodiments will be obvious to those skilled in the art, and the generic principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present application. Therefore, the present application is not limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (12)

1. A website access method, characterized in that it is applied to a browser, the method comprising:
Obtaining the certificate sent by the target website, the certificate corresponding to the target website;
Choosing at least one preset query channel and sending, to the server corresponding to the query channel, a certificate verification request for verifying certificate validity, wherein the server corresponding to the query channel stores a certificate revocation list representing invalid certificates;
Receiving the validity state of the certificate fed back by the server, and choosing whether to access the target website according to the validity state of the certificate.
2. The method according to claim 1, characterized in that the choosing at least one preset query channel and sending, to the server corresponding to the query channel, a certificate verification request for verifying certificate validity comprises:
Querying a local system update file to determine the validity state of the certificate, wherein the local system update file records a certificate revocation list representing invalid certificates;
Sending, according to the OCSP protocol (Online Certificate Status Protocol), a certificate verification request for verifying certificate validity to the issuing authority of the certificate, wherein the issuing authority of the certificate records a certificate revocation list representing invalid certificates;
Sending a certificate verification request for verifying certificate validity to a preset certificate management server, wherein the certificate management server stores a certificate revocation list representing invalid certificates;
The receiving the validity state of the certificate fed back by the server and choosing whether to access the target website according to the validity state of the certificate comprises:
Receiving the validity states of the certificate fed back respectively by the local system, the issuing authority of the certificate and the certificate management server;
If it is determined that any one of the three received validity states is an invalid state, refusing access to the target website.
3. The method according to claim 2, characterized in that the certificate revocation list stored in the certificate management server is stored according to the fingerprints of certificates, and the sending a certificate verification request for verifying certificate validity to the preset certificate management server comprises:
Sending a certificate validity verification request carrying the fingerprint of the certificate to the preset certificate management server.
4. A website access method, characterized in that it is applied to a certificate management server, the method comprising:
Receiving a certificate verification request sent by a browser for verifying certificate validity, the certificate verification request containing the certificate to be verified;
Reading a preset certificate revocation list, the certificate revocation list being used to store invalid certificates;
Judging whether the certificate to be verified exists in the certificate revocation list; if so, determining that the validity state of the certificate to be verified is invalid; if not, determining that the validity state of the certificate to be verified is valid;
Feeding the validity state of the certificate to be verified back to the browser, so that the browser chooses whether to continue accessing the website according to the validity state of the certificate.
5. The method according to claim 4, characterized in that the certificate verification request contains the fingerprint of the certificate to be verified, the certificate revocation list stores the fingerprints of invalid certificates, and the judging whether the certificate to be verified exists in the certificate revocation list comprises:
Judging whether the fingerprint of the certificate to be verified exists in the certificate revocation list; if so, determining that the certificate to be verified exists in the certificate revocation list; if not, determining that the certificate to be verified does not exist in the certificate revocation list.
6. The method according to claim 4, characterized in that it further comprises:
Obtaining, according to a predetermined policy, the invalid certificate lists issued by operating system vendors and security companies;
Updating the local preset certificate revocation list using the invalid certificate lists.
7. A website access device, characterized in that it is applied to a browser, the device comprising:
A certificate acquisition unit, configured to obtain the certificate sent by the target website, the certificate corresponding to the target website;
A state query unit, configured to choose at least one preset query channel and send, to the server corresponding to the query channel, a certificate verification request for verifying certificate validity, wherein the server corresponding to the query channel stores a certificate revocation list representing invalid certificates;
An access processing unit, configured to receive the validity state of the certificate fed back by the server, and to choose whether to access the target website according to the validity state of the certificate.
8. The device according to claim 7, characterized in that the state query unit comprises:
A first state query subunit, configured to query a local system update file to determine the validity state of the certificate, wherein the local system update file records a certificate revocation list representing invalid certificates;
A second state query subunit, configured to send, according to the OCSP protocol (Online Certificate Status Protocol), a certificate verification request for verifying certificate validity to the issuing authority of the certificate, wherein the issuing authority of the certificate records a certificate revocation list representing invalid certificates;
A third state query subunit, configured to send a certificate verification request for verifying certificate validity to a preset certificate management server, wherein the certificate management server stores a certificate revocation list representing invalid certificates;
The access processing unit comprises:
A validity state receiving unit, configured to receive the validity states of the certificate fed back respectively by the local system, the issuing authority of the certificate and the certificate management server;
A validity state judging unit, configured to refuse access to the target website when it is determined that any one of the three received validity states is an invalid state.
9. The device according to claim 8, characterized in that the certificate revocation list stored in the certificate management server is stored according to the fingerprints of certificates, and the third state query subunit comprises:
A fingerprint query unit, configured to send a certificate validity verification request carrying the fingerprint of the certificate to the preset certificate management server.
10. A website access device, characterized in that it is applied to a server, the device comprising:
A verification request receiving unit, configured to receive a certificate verification request sent by a browser for verifying certificate validity, the certificate verification request containing the certificate to be verified;
A list reading unit, configured to read a preset certificate revocation list, the certificate revocation list being used to store invalid certificates;
A list query unit, configured to judge whether the certificate to be verified exists in the certificate revocation list;
A certificate status determining unit, configured to determine that the validity state of the certificate to be verified is invalid when the judgment result of the list query unit is yes, and to determine that the validity state of the certificate to be verified is valid when the judgment result of the list query unit is no;
A certificate status feedback unit, configured to feed the validity state of the certificate to be verified back to the browser, so that the browser chooses whether to continue accessing the website according to the validity state of the certificate.
11. The device according to claim 10, characterized in that the certificate verification request received by the verification request receiving unit contains the fingerprint of the certificate to be verified, the certificate revocation list stores the fingerprints of invalid certificates, and the list query unit comprises:
A first list query subunit, configured to judge whether the fingerprint of the certificate to be verified exists in the certificate revocation list.
12. The device according to claim 10, characterized in that it further comprises:
An invalid certificate monitoring unit, configured to obtain, according to a predetermined policy, the invalid certificate lists issued by operating system vendors and security companies;
A list update unit, configured to update the local preset certificate revocation list using the invalid certificate lists.
CN201510407842.3A 2015-07-13 2015-07-13 Website access method and device Active CN106656455B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510407842.3A CN106656455B (en) 2015-07-13 2015-07-13 Website access method and device

Publications (2)

Publication Number Publication Date
CN106656455A true CN106656455A (en) 2017-05-10
CN106656455B CN106656455B (en) 2020-11-03

Family

ID=58815004

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510407842.3A Active CN106656455B (en) 2015-07-13 2015-07-13 Website access method and device

Country Status (1)

Country Link
CN (1) CN106656455B (en)

Also Published As

Publication number Publication date
CN106656455B (en) 2020-11-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant