
The HTTPS web page cannot be accessed due to a Chrome HSTS exception

2025-04-10 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

Today, my friend suddenly told me that the web page could not be opened on his computer, and then sent me the following screenshot:

I learned that when he visited Google with shadowsocks, the web page could not be opened, although it had all been OK before. I simply asked him to run the following network connectivity tests: ping the domain name and telnet to the website's ports 80 and 443. These showed that the network was OK. Then I took a closer look at his error message:

NET::ERR_CERT_COMMON_NAME_INVALID. You can see "because this site uses HSTS" on the details page, so I asked him to try clearing the HSTS security policy in Chrome, and things returned to normal after clearing it. The specific steps are as follows:

In the Chrome address bar, enter chrome://net-internals/#hsts:

Find the "Delete domain security policies" section, enter the domain name of the website in question, and click Delete:

Find "Query HSTS/PKP domain" and enter the domain name you just deleted. If the query returns "Not Found", the domain's policy has been deleted successfully:

Then revisit the previous page, and the page can be opened normally.

Although the problem has been solved, in the spirit of knowing not only what works but also why, let's sum up:

The error report pointed to a problem with HSTS, so we cleared the HSTS settings and let the browser fetch them again. So what is HSTS?

HSTS is HTTP Strict Transport Security: a way for sites to elect to always use HTTPS (see https://www.chromium.org/hsts). It is a new web security protocol being promoted by the Internet Engineering Task Force (IETF). The role of HSTS is to force clients (such as browsers) to use HTTPS when creating a connection with the server.

Sites using the HSTS protocol will ensure that browsers always connect to the HTTPS encrypted version of the site, eliminating the need for users to manually enter encrypted addresses in the URL address bar.

The protocol will help the site to adopt global encryption, and users will see a secure version of the site.

The role of HSTS is to force clients, such as browsers, to use HTTPS to create a connection to the server. The server enables HSTS by including the Strict-Transport-Security field in the HTTP response headers it returns when the client makes a request over HTTPS. An HSTS field received over an unencrypted connection is ignored.

For example, the response header of https://xxx contains Strict-Transport-Security: max-age=31536000; includeSubDomains. This means two things:

In the following year (that is, 31536000 seconds), whenever a browser sends an HTTP request to xxx or one of its subdomains, it must use HTTPS to initiate the connection. For example, if a user clicks a hyperlink or enters http://xxx/ in the address bar, the browser should automatically convert the http to https and then send the request directly to https://xxx/.

In the following year, if the TLS certificate sent by the xxx server is invalid, the user cannot ignore the browser warning and continue to the site.
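
The header handling described above, as an added example that is not from the original article or from Chrome's code: a simplified JavaScript model of a browser's HSTS store that parses the header, ignores it when it arrives over plain HTTP, and upgrades http:// URLs for a host and, with includeSubDomains, its subdomains. The host example.test, the function and class names, and the treatment of max-age=0 as deleting the entry (RFC 6797 behaviour) are assumptions not taken from the article.

```javascript
// Added example: simplified browser HSTS store (not Chrome's code); names are hypothetical.

// Parse a Strict-Transport-Security value; null when max-age is missing/invalid.
function parseSts(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const part of value.split(";")) {
    const [rawName, rawVal] = part.trim().split("=");
    const name = rawName.toLowerCase(); // directive names are case-insensitive
    if (name === "max-age" && rawVal !== undefined) {
      const v = rawVal.trim().replace(/^"|"$/g, "");
      if (/^\d+$/.test(v)) maxAge = Number(v);
    } else if (name === "includesubdomains") {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  constructor() { this.entries = new Map(); } // hostname -> { expires, sub }

  // Record a policy from a response. Headers seen over plain HTTP are ignored.
  note(url, headerValue, nowSec) {
    const u = new URL(url);
    const policy = u.protocol === "https:" ? parseSts(headerValue) : null;
    if (!policy) return false;
    if (policy.maxAge === 0) this.entries.delete(u.hostname); // RFC 6797: forget host
    else this.entries.set(u.hostname,
      { expires: nowSec + policy.maxAge, sub: policy.includeSubDomains });
    return true;
  }

  // True if the host itself, or a parent with includeSubDomains, is unexpired.
  isHsts(host, nowSec) {
    const labels = host.toLowerCase().split(".");
    return labels.some((_, i) => {
      const e = this.entries.get(labels.slice(i).join("."));
      return Boolean(e) && e.expires > nowSec && (i === 0 || e.sub);
    });
  }

  // Rewrite http:// to https:// for known HSTS hosts before a request is sent.
  upgrade(url, nowSec) {
    const u = new URL(url);
    if (u.protocol === "http:" && this.isHsts(u.hostname, nowSec)) u.protocol = "https:";
    return u.href;
  }
}
```

Deleting a domain on chrome://net-internals/#hsts corresponds to removing its entry from such a store; the next HTTPS response that carries the header creates the entry again.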

Opening the browser's inspect mode, we can see that the Response Headers are as follows:

It is very likely that the HSTS state for the website being visited had failed for some reason on my friend's computer, so after clearing it and re-validating, everything returned to normal.
