1236 has a conspicuous notice on its homepage: "To ensure your smooth ticket purchase, please download and install the root certificate." This notice, together with many other problems of 1236, has been widely criticized by netizens, but this seemingly harmless root certificate may genuinely threaten the security of 1236 users.
Why do I need a certificate to buy a train ticket on 1236? To answer this question, a few definitions come first:
When computers exchange sensitive information with servers, they use an encryption method called SSL. In many cases the exchange of sensitive information must be carried out this way; 1236, Taobao, JD.COM and others all use SSL when exchanging sensitive information.
So how do we know whether a website uses SSL encryption? The easiest way is to look at the address bar and check whether the URL begins with "https://". 1236 does use SSL to encrypt its pages, and visiting 1236 directly causes no problems even without installing the root certificate. Take Chrome as an example: the home page loads without any problem, but the ticket purchase page cannot be reached, as shown in the figure below.
1236 sends us to a site called /otsweb. What happens if we visit this site directly with Chrome? A gorgeous scene appears:
When browsing this page with IE8, it will appear like this:
When we return to Chrome and click "Continue", we reach the ticket purchase page without further resistance. The same is true of IE8, but IE8's entire address bar turns red.
What if we click the small lock next to it to check the information about this certificate? The following figure appears.
Click "certificate information" again, and you will see that 1236's certificate was issued by a CA named SRCA.
But there is no CA called SRCA in Keychain Access.
If the "root certificate" offered on the homepage is installed, a CA called "SRCA" appears in Keychain Access (still taking Mac as an example). This certificate was originally untrusted, and after installation it is set to "This certificate has been marked as trusted by this account".
In this case the browser and the operating system trust this certificate, so they no longer warn that the CA's information is incorrect.
Who is "SRCA"? In the figure above you can see the details of SRCA. The "organization" field reads Sinorail Certification Authority, which is not hard to decode: the "S" and "R" in Sinorail and the "C" and "A" in Certification Authority spell out "SRCA".
Search for "Sinorail Certification Authority" in a search engine and you will find a website belonging to "China Railway Information Engineering Group". In other words, the site's certificate was issued by the operator's own small CA, and nobody else is going to look after you. So what happens if the private key of this small CA is stolen? This is where the Certificate Revocation List comes in, CRL for short; it is referred to as the CRL below. For more details, please refer to here and here.
What does a CRL do? For example, if the certificate you bought is stolen, as long as this is reported to the CA, the CA will add your certificate's information to its CRL, and every time the browser opens an encrypted web page it retrieves the CRL information. If it cannot, it prompts that the revocation information for the site's security certificate is not available and asks whether to continue. I think everyone already knows that 1236's certificate carries no CRL information. This means that once the certificate used by 1236 is stolen, the system manufacturer will not care, and even the last lifeline, the CRL, is unavailable.
In short, if something happens to a certificate, there are two remedies:
The system manufacturer issues a patch declaring the certificate invalid
The certificate is declared invalid through the CRL
But unfortunately, if something happens to 1236's certificate, neither of these two measures will work.
What happens if the certificate is stolen? The most likely consequence is to go bankrupt like the unlucky ones before. However, China's Ministry of Railways (although it has been dissolved) owes more than 2 billion yuan and still stands, so that outcome is unlikely. Neither of the two remedies above can be used, which means the users must suffer. If the certificate is stolen, anyone can use it to forge a false certificate. Although certificates issued by SRCA are not trusted by the system by default, a great many people in China have visited the 1236 website to buy train tickets. Assuming all of them have installed this root certificate so that the system trusts it, a green address bar boosts users' trust. As long as an illegitimate website obtains a certificate issued by SRCA, can it not easily win users' trust?
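To make the two points above concrete (a leaf is trusted only because its root was installed, and a stolen or leaked certificate is rejected only if the verifier actually consults a CRL), here is an added example that is not code from the original post and not 1236's or SRCA's own setup. It builds a throwaway private CA with openssl in a temporary directory; the CA name, host name and file names are all constructed for the demo.

```shell
#!/bin/sh
# Added demo: a small private CA (standing in for SRCA) built with openssl.
set -e
WORK=$(mktemp -d); cd "$WORK"
# Minimal openssl config: CA extensions for the root, plus a CA database for revocation.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
certificate = root.crt
private_key = root.key
default_md = sha256
default_crl_days = 30
crlnumber = crlnumber
EOF
touch index.txt; echo 1000 > crlnumber
# Self-signed root (constructed, plays the role of SRCA) and a leaf for a constructed ticketing host.
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
  -subj "/O=Demo Rail CA/CN=Demo Root" -keyout root.key -out root.crt 2>/dev/null
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=tickets.example" -keyout site.key -out site.csr 2>/dev/null
openssl x509 -req -in site.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -out site.crt 2>/dev/null
# Echo "trusted" or "untrusted" for site.crt under the given openssl verify options.
verify_leaf() {
  if openssl verify "$@" site.crt >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}
verify_with_system_store() { verify_leaf; }                      # root not installed
verify_with_installed_root() { verify_leaf -CAfile root.crt; }  # root installed by the user
# Now the leaf is revoked (say its key leaked); the CRL is how relying parties learn of it.
openssl ca -config ca.cnf -revoke site.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out root.crl 2>/dev/null
verify_with_crl() { verify_leaf -CAfile root.crt -CRLfile root.crl -crl_check; }
echo "system store only:  $(verify_with_system_store)"
echo "root installed:     $(verify_with_installed_root)"
echo "root + CRL check:   $(verify_with_crl)"
```

Note that `verify_with_installed_root` still reports trusted after the revocation: without `-crl_check` (or a CRL to fetch at all, as in 1236's case) the revoked leaf looks perfectly valid.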
If you are a Mac user and can reach the site, you can follow the steps in this video to set SRCA's certificate as untrusted. If you want to buy tickets, just do the opposite.
From the perspective of certificates, many big players in China have done a very poor job. For example, the CCB online banking I use requires installing an online banking certificate when installing the U shield. China has also done poorly with SSL certificates. For example, JD.COM uses SSL for encryption only when users log in, and still transmits in clear text even when placing orders. Sina Weibo still transmits in clear text when changing personal sensitive information, whereas Twitter already used HTTPS in its early days. If you use unencrypted public Wi-Fi and there is a hacker on the same hotspot, the hacker can easily steal your personal information.
P.S.: 1236 now uses a proper certificate issued by VeriSign in the payment process, but this does not mean the serious consequences described above cannot happen.