As network technology keeps evolving, Internet security matters more and more to enterprises and individuals. As a result, more and more service providers are choosing to deliver their users' online content over secure channels.
Man-in-the-middle attack
Many encryption schemes have been created to protect website content. The most widely used today is TLS (Transport Layer Security), which grew out of the well-known SSL (Secure Sockets Layer); together they are referred to as SSL/TLS encryption, which turns HTTP into HTTPS and gives users and websites secure data transmission.
Normally, when a website is accessed over HTTPS with a trustworthy SSL/TLS certificate, the encrypted transmission is safe. But early certificate authorities were easily compromised by hackers, which led to certificate security vulnerabilities, and some everyday usage habits also open security holes. For example, when we type a URL we usually do not enter the full https:// address but only the site name, and the browser's automatic visit then goes to the insecure http:// version. These weaknesses make man-in-the-middle attacks easier.
On the surface, a man-in-the-middle attack looks like system A and system B establishing an encrypted connection, but in reality the data stream is redirected by a third party: the encrypted connection runs from system A to system C and is then forwarded to system B. This lets the controller of system C (usually an attacker) view, record and manipulate the data traffic completely. The attacker can also present system C to system A as the web server and show the client a forged page. In banking or e-commerce, such attacks directly affect users' online transactions and cause them serious losses.
Beyond problems with the certificate itself, careless usage habits easily create security holes. For example, many public places now offer public WLANs; we are used to connecting to them without checking who provides the access. A hacker can set up their own computer as a hotspot and easily obtain all the data streams of users connected to it. If someone happens to use that network for online banking or similar services, the hacker can just as easily obtain the user's online banking password and cause financial loss.
Therefore, in 2012 the Internet Engineering Task Force (IETF) proposed a solution to this security problem: it specified HTTP Strict Transport Security (HSTS), an extension of HTTPS.
What is HSTS
HSTS (HTTP Strict Transport Security) is a security mechanism designed to protect HTTPS connections from man-in-the-middle attacks and session hijacking. It lets the webmaster send a signal to the browser via an HTTP response header on top of HTTPS, instructing it to access the site only over SSL/TLS encryption for a period of time.
On the server side this header appears as Strict-Transport-Security. It carries the mandatory directive max-age and the optional directives includeSubDomains and preload, which are easy to configure:
- max-age: the time for which the HSTS policy is in effect, in seconds. For example, 31536000 seconds is one year.
- includeSubDomains: when specified, the browser will also force HTTPS when accessing every subdomain (for example www.upyun.com or 123.example.upyun.com) of the domain name (for example upyun.com).
- preload: when specified, the domain name consents to being submitted to the Preload List initiated by Google; the application address is https://hstspreload.org/.
Once the header is configured on the server side, when an Internet user visits the website for the first time the browser takes the following instructions from the Strict-Transport-Security header:
- All unencrypted links to the site must be replaced with encrypted links (http:// becomes https://).
- If the security of the connection cannot be guaranteed (for example, the certificate is invalid), the connection must be terminated and an error message shown to the user.
How to turn on HSTS
Websites with high security requirements will generally choose HSTS.
But HSTS cannot simply be switched on at will; it needs a browser that supports it. The browsers on the market that currently support HSTS are as follows. (For browsers that do not support this response header, it has no effect on the user's access, so there is nothing to worry about.)
To enable HSTS specifically, log in to the YouPaiyun console and go to Service > Function Configuration > HTTPS > HSTS, then click Manage to configure and enable it.
YouPaiyun has supported HSTS configuration since 2017. The configuration steps are simple and the operation is convenient. One reminder, though: improper parameter settings may make the website inaccessible. If you run into problems, you can contact our customer service directly~
HTTPS website preload list
Of course, HSTS alone is not foolproof: the HSTS response header is returned by the server, and the user must first make a request to receive it. Forced HTTPS access only begins once the header has been obtained, which means the visit made before the header is received is still exposed to attack.
To reduce this risk as far as possible, all browsers currently on the market have adopted the HSTS Preload List provided by Google. Once a site is on this list, all requests made through the browser are forced to HTTPS, which largely prevents hijacking of the "first" visit and maximizes the security of HTTPS access.
If you want to add your own website to the HSTS Preload List, you must make sure it meets the following basic requirements:
- All website pages must use a valid SSL certificate
- The HTTP URL must redirect to the HTTPS URL of the same host
- All subdomains (including the www subdomain) must support HTTPS and be available
- The HSTS header must be served on the domain name with the following parameters:
- The website must continue to meet the above requirements at all times, otherwise it will be removed automatically
Now that information security matters more and more, the best choice is to update the website's security measures promptly, keep the website and its users safe, and avoid losses through momentary negligence.
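As an added illustration (not code from the original article or from YouPaiyun) of the header directives and browser behaviour described under "What is HSTS" and of the preload requirements listed above, this Python snippet parses a Strict-Transport-Security value, models the browser's HSTS store (max-age expiry, includeSubDomains, http:// to https:// rewriting) and checks whether a header satisfies the preload list's directive requirements. The host names are constructed; the preload thresholds (max-age of at least one year, includeSubDomains and preload present) are assumed from hstspreload.org's published rules.

```python
import re
# Added example (not YouPaiyun's code): the browser-side HSTS rules described above.
_MAX_AGE = re.compile(r'^max-age="?(\d+)"?$', re.I)
def parse_hsts(header):
    """Parse a Strict-Transport-Security value; None when the mandatory max-age is absent."""
    max_age, include_sub, preload = None, False, False
    for token in (t.strip() for t in header.split(";")):
        m = _MAX_AGE.match(token)
        if m:
            max_age = int(m.group(1))
        elif token.lower() == "includesubdomains":
            include_sub = True
        elif token.lower() == "preload":
            preload = True
    if max_age is None:
        return None
    return {"max_age": max_age, "includeSubDomains": include_sub, "preload": preload}
class HstsCache:
    """Minimal model of a browser's HSTS store: host -> (expiry time, includeSubDomains)."""
    def __init__(self):
        self.known = {}

    def learn(self, host, header, now):  # caller passes only headers received over HTTPS
        policy = parse_hsts(header)
        if policy and policy["max_age"] == 0:
            self.known.pop(host, None)  # max-age=0 tells the browser to forget the host
        elif policy:
            self.known[host] = (now + policy["max_age"], policy["includeSubDomains"])

    def is_known(self, host, now):
        # Exact host, or an unexpired parent with includeSubDomains; matching is per DNS
        # label, so "evilupyun.com" never inherits the policy of "upyun.com".
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.known.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now):
        # http:// -> https:// for known hosts (explicit port 80 -> 443 is not modelled).
        m = re.match(r"^http://([^/:]+)(.*)$", url)
        if m and self.is_known(m.group(1).lower(), now):
            return "https://" + m.group(1) + m.group(2)
        return url
def preload_ready(header):
    # Assumed from hstspreload.org's published rules: max-age >= 1 year, includeSubDomains, preload.
    p = parse_hsts(header)
    return bool(p) and p["max_age"] >= 31536000 and p["includeSubDomains"] and p["preload"]
```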