As network technology keeps evolving, Internet security matters more and more to enterprises and individuals. As a result, more and more service providers are working to give users secure access to online content.

Man-in-the-middle attack

To protect website content, many encryption methods have been created. The most widely used today is TLS (Transport Layer Security), which evolved from the well-known SSL (Secure Sockets Layer); together they are referred to as SSL/TLS encryption, which turns HTTP into HTTPS and gives users and websites a secure data channel.

Normally, transmission is secure when a website is accessed over HTTPS with a reliable SSL/TLS certificate. However, the certificate authority may be attacked early in the process, which leaves the certificate itself vulnerable. Some common usage habits also create openings. For example, when typing a website address we usually do not enter the full URL with the https:// scheme, but only the host name; the browser then automatically connects over the insecure http://. These weaknesses make man-in-the-middle attacks possible.

In a man-in-the-middle attack, what appears to be an encrypted connection between system A and system B is in fact redirected by a third party: the encrypted connection runs from system A to system C and is then relayed on to system B. The controller of system C, usually an attacker, can view, log and manipulate the entire data flow. The attacker also presents system C to system A as the web server, returning a forged page to the client. In banking or e-commerce, such attacks directly affect users' online transactions and cause them heavy losses.

Apart from problems with the certificates themselves, careless usage habits can easily open security holes. For example, many public places now offer public WLAN, and we are used to connecting to it without checking who provides the network. An attacker can turn a computer into a hotspot and then easily see all the traffic of anyone who connects to it; if such a user happens to do online banking over that link, the attacker can capture the online banking password, with financial loss as the result.

Therefore, in 2012 the Internet Engineering Task Force (IETF) proposed a solution to this security problem: HTTP Strict Transport Security (HSTS), an extension for HTTPS specified in RFC 6797.

What is HSTS

HTTP Strict Transport Security (HSTS) is a security mechanism designed to protect HTTPS connections from man-in-the-middle attacks and session hijacking. It lets a webmaster signal to the browser, through an HTTP header sent over HTTPS, that the site must be fetched only in SSL/TLS-encrypted form for a given period of time.

On the server this HTTP response header appears as strict-transport-security. It carries a mandatory max-age value and two optional parameters, includeSubDomains and preload, which are simple to configure:

  • max-age: the period, in seconds, for which the HSTS policy is in force. For example, 31,536,000 seconds is one year.

  • includeSubDomains: if specified, every subdomain (such as www.upyun.com or 123.example.upyun.com) of the domain name (e.g., upyun.com) must also be accessed by the browser over HTTPS.

  • preload: if specified, the domain name agrees to be added to the preload list initiated by Google, at [hstspreload.org/].

Once the header is configured on the server, the browser takes the following instructions from the strict-transport-security header the first time a user visits the website:

  • All unencrypted links to the site must be rewritten as encrypted links (http:// to https://).

  • If the connection cannot be secured (for example, the certificate is invalid), it must be terminated and an error message shown to the user.

How do I enable HSTS

For sites with high security requirements, HSTS is usually enabled.

HSTS cannot be enabled indiscriminately, though: it requires a browser that supports it. The browsers on the market that currently support HSTS are listed below (browsers without HSTS support simply ignore this response header, with no effect on user access, so there is no need to worry about them).

To enable HSTS, log in to the Yopa Cloud Console, enter Services > Function Configuration > HTTPS > HSTS, and click “Manage” to enable the configuration.

We have supported HSTS configuration since 2017, with simple configuration steps and easy operation. One special reminder, though: a wrongly set parameter can make the website inaccessible, so if you run into problems, feel free to contact our customer service directly ~

The preload list of HTTPS sites

Of course, HSTS alone is not foolproof: the response header is returned by the server, so the user has to reach the site once before the browser has it, and HTTPS is enforced only after the header has been received. This means the very first visit is still exposed to attack.

To minimize this risk, all mainstream browsers now ship with the HSTS Preload List provided by Google. Once a site is on this list, every browser request to it is forced over HTTPS, largely eliminating "first visit" hijacking and maximizing the security of HTTPS access.
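The header directives described above and the first-visit gap that the preload list closes can be seen in a small model of a browser's HSTS behaviour. This is an added example, not code from the original post or from the UPYUN service; the host names and header values are constructed for illustration, and the store is a simplified stand-in for a real browser cache.

```python
import time
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1) into
    (max_age, include_subdomains, preload); None means invalid, ignore it."""
    max_age, include_sub, preload = None, False, False
    for directive in filter(str.strip, value.split(";")):
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():  # mandatory, and must be a non-negative integer
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":    # any other directive name is ignored
            preload = True
    return None if max_age is None else (max_age, include_sub, preload)

class HstsStore:
    """Minimal model of a browser's HSTS cache seeded with a preload list."""
    def __init__(self, preload=(), now=time.time):
        self.now = now             # entries: host -> (expiry, includeSubDomains)
        self.entries = {h.lower(): (float("inf"), True) for h in preload}
    def record(self, host, header):
        """Apply a header received on an error-free HTTPS response."""
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        max_age, include_sub, _ = parsed
        if max_age == 0:           # max-age=0 tells the browser to forget the host
            self.entries.pop(host.lower(), None)
        else:
            self.entries[host.lower()] = (self.now() + max_age, include_sub)
        return True
    def is_known(self, host):
        labels = host.lower().split(".")
        for i in range(len(labels)):   # exact host, then each parent domain
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] >= self.now() and (i == 0 or entry[1]):
                return True
        return False
    def upgrade(self, url):
        """Rewrite http:// to https:// for known hosts; port 80 becomes 443."""
        p = urlsplit(url)
        if p.scheme != "http" or not self.is_known(p.hostname):
            return url
        port = ":443" if p.port == 80 else (f":{p.port}" if p.port else "")
        return p._replace(scheme="https", netloc=p.hostname + port).geturl()
```

With an empty store the first plain-HTTP request is not upgraded, which is the window the preload list removes: a store constructed with the host in its preload list upgrades immediately.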

If you want to add your site to the HSTS preload list, make sure you meet the following basic requirements:

  • All web pages must use a valid SSL certificate

  • The HTTP URL must be directed to the HTTPS URL of the same host

  • All subdomains (including the WWW subdomain) must support HTTPS and be available

  • The HSTS header must be served for the domain name with the following parameters:

  • Websites must continue to meet the above requirements or they will be removed automatically

At a time when information security matters more and more, the best choice is to update the website's security measures promptly, keep the site and its users safe, and avoid losses caused by momentary negligence.
