Whether a website is secure depends on at least three basic elements: HTTPS encryption, WAF protection, and trusted identity validation; none of the three can be omitted. That is why the ZT Browser innovatively displays three security-related icons: not only the security padlock, but also the cloud WAF protection icon and the website trusted identity validation level icon. Please refer to the innovation UI Icon Summary of ZT Browser for details.
The browser is the entrance to the Internet, yet users do not know whether the website they are visiting is secure. At present, attacks on websites have become the norm, and a website owner does not know whether its website has been attacked unless the attack is so obvious that the website can no longer be accessed. Therefore, to raise the security protection awareness of website owners and website visitors, and to meet the compliance requirements of the Cyber Security Law, ZT Browser exclusively displays the WAF protection icon in the address bar, so that visitors can see at a glance that the website has WAF protection and is cybersecurity protection compliant. This is also a technological innovation.
For websites that use a cloud WAF service but have not passed the Cybersecurity Protection Compliance certification, it displays "Cloud WAF Security Protection".
For websites that have deployed the ZoTrus HTTPS Automation Gateway or the ZoTrus WAF Automation Gateway, it displays "Cybersecurity Protection Compliance" and "Protected by ZoTrus Gateway WAF (******)", where ****** is the unique identifier of each deployed ZoTrus Gateway.
"Cybersecurity Protection" is the abbreviation of the Graded Protection of Cybersecurity. It is based on Article 21 of the "Cyber Security Law": "The state shall implement the rules for graded protection of cybersecurity. Network operators shall, according to the requirements of the rules for graded protection of cybersecurity, fulfill the following security protection obligations, so as to ensure that the network is free from interference, damage or unauthorized access, and prevent online data from being leaked, stolen or tampered with." and Article 31: "The State implements focus protection for critical information infrastructure on the basis of the graded cybersecurity protection structure in important sectors and areas such as public telecommunications and information services, energy, transportation, irrigation works, finance, public services, e-government, etc., as well as other critical information infrastructure that, whenever it is destroyed, loses its ability to function or encounters data leaks, may gravely harm national security, the national economy, the people's livelihood and the public interest." All websites must "adopt technical measures such as preventing computer viruses and cyber-attacks, network invasion and other hazardous cyber security behaviors" and "adopt technical measures such as data classification, important data backup and encryption" to ensure the security of the website system and meet the requirements of cybersecurity protection compliance.
The first element of website security is HTTPS encryption, which ensures that information transmitted from the browser to the server is encrypted, so that confidential information is not leaked in transit, effectively preventing illegal stealing and illegal tampering. This is the baseline requirement: without HTTPS encryption, all browsers display "Not secure". HTTPS encryption meets the cybersecurity protection compliance requirements in three areas: "communication transmission", "data integrity" and "data confidentiality". It also meets the cryptography protection compliance requirements for secure communication, protecting data integrity, confidentiality and authenticity of identity with cryptographic technology, and the requirements in application security and data security for protecting data confidentiality and integrity during transmission and storage with cryptographic technology.
The second element of website security is WAF protection, which is equally indispensable. A WAF can effectively block various attacks and prevent illegal stealing and illegal tampering after the information reaches the server from the browser. HTTPS encryption guarantees that confidential information reaches the server securely; once it has arrived at the server, the work of blocking attacks can only be done by the Web Application Firewall. Without WAF protection, HTTPS encryption alone is not enough; this point is very important. HTTPS encryption and WAF protection each have their own duty, and each covers its own stage. Cloud WAF protection can meet cybersecurity protection compliance requirements such as "intrusion prevention", "malicious code prevention" and "data integrity (anti-tampering)".
The third element of website security is website trusted identity validation. A fake bank website may also have HTTPS encryption, and the browser will also show the security padlock; it may even have WAF protection. None of this proves that the fake bank website is secure! Therefore, website trusted identity validation is the third important factor of website security, as important as HTTPS encryption and WAF protection. The simplest form of website trusted identity validation is to deploy an IV SSL certificate, OV SSL certificate or EV SSL certificate, for which the website identity has been validated.
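The DV-versus-IV/OV/EV distinction above can be checked from the certificate subject itself. The following is an added example, not ZT Browser or ZoTrus code: it classifies a certificate in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, and assumes the attribute names that module emits (the jurisdiction field name in particular is an assumption); the two sample certificates are constructed, not real sites.

```python
"""Classify a TLS server certificate as DV / IV / OV / EV from its subject,
using the dict shape that ssl.SSLSocket.getpeercert() returns."""

# Subject attributes an EV certificate must carry (attribute names as the
# Python ssl module emits them; the jurisdiction field name is an assumption).
EV_REQUIRED = {"organizationName", "businessCategory", "serialNumber",
               "jurisdictionCountryName"}


def subject_fields(cert):
    """Flatten getpeercert()['subject'], a tuple of RDN tuples, into a dict."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            fields[name] = value
    return fields


def validation_level(cert):
    """Return 'EV', 'OV', 'IV' or 'DV' for one certificate dict.

    Heuristic on subject attributes only: getpeercert() does not expose the
    certificatePolicies OIDs, which are the authoritative signal. A DV
    certificate names no validated organization or person, so a padlock on
    its own says nothing about who operates the site.
    """
    f = subject_fields(cert)
    if EV_REQUIRED.issubset(f) and f["organizationName"]:
        return "EV"
    if f.get("organizationName"):
        return "OV"
    if f.get("givenName") and f.get("surname"):
        return "IV"
    return "DV"


# Constructed sample certificates in getpeercert() shape (not real sites).
FAKE_BANK_DV = {"subject": ((("commonName", "secure-bank-login.example"),),),
                "subjectAltName": (("DNS", "secure-bank-login.example"),)}
REAL_BANK_EV = {"subject": ((("countryName", "CN"),),
                            (("organizationName", "Example Bank Co., Ltd."),),
                            (("businessCategory", "Private Organization"),),
                            (("serialNumber", "PLACEHOLDER-REG-NO"),),
                            (("jurisdictionCountryName", "CN"),),
                            (("commonName", "www.example-bank.test"),))}
```

For a live site, pass the result of `getpeercert()` from a socket wrapped with `ssl.create_default_context()`; the fake-bank sample classifies as DV even though a browser would show it a padlock.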
The ZoTrus SM2 HTTPS Automation Management Solution is recommended. There is no need to apply for an SSL certificate from a CA, and no need to install an SSL certificate on the web server, to realize HTTPS encryption automatically. Customers can choose a suitable solution according to the management needs of their own business systems; there are two main application scenarios: HTTPS encryption automation and SM2 HTTPS encryption transformation. The former mainly solves the automatic deployment of RSA/ECC SSL certificates: many websites and business management systems still have no SSL certificate deployed, and such systems only need RSA/ECC SSL certificates, with no need to be transformed to support SM2 SSL certificates, but they do need automated certificate management. The latter requires deploying not only RSA/ECC SSL certificates but also SM2 SSL certificates, with automatic management of the dual-algorithm certificates.