Sunday, August 26, 2018

Chrome browser always redirects http to https

When I access some websites, the URL is always redirected from http to https even if I manually enter http://mysite.com. I wondered how that happens, so I dug a bit further and found out that Chrome always does a 307 Internal Redirect (visible in the DevTools Network tab; the plain-HTTP request never leaves the browser).

How to stop an automatic redirect from "http://" to "https://" in Chrome?
To answer this question, we need to understand why Chrome behaves in this way.

https://tools.ietf.org/html/rfc6797 specifies HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that a web application enables by sending a special response header (Strict-Transport-Security). Once a supporting browser has received this header over HTTPS, it will not send any plain-HTTP request to that domain for the lifetime of the policy (the max-age value); instead it rewrites the URL to https:// locally, which is exactly the 307 Internal Redirect seen above. Note that the header only counts when it arrives over HTTPS: browsers ignore it in responses received over plain HTTP.

For example:

Strict-Transport-Security: max-age=31536000; includeSubDomains

The main benefits HSTS brings in terms of security:
  1. The browser rewrites every http:// request for the target domain (and, with includeSubDomains, for its subdomains) to https:// before it leaves the machine, so no plain-HTTP request can be intercepted or downgraded on the network
  2. The browser does not let the user click through an invalid certificate warning for an HSTS host, so a man-in-the-middle presenting a bad certificate cannot be accepted by mistake
Here are solutions to stop HSTS:
1) Server side: expire the policy from the web server, for instance, on Nginx, set max-age to zero
add_header Strict-Transport-Security "max-age=0;";
This header has to be served over HTTPS (browsers ignore it over plain HTTP), and it only takes effect in a browser once that browser visits the site again; until then the cached policy keeps redirecting. If a parent domain set the policy with includeSubDomains, the clearing header must come from that parent domain, not from the subdomain.

2) Client side: delete the domain security policy in the browser, for instance, go to chrome://net-internals/#hsts, enter the target domain under "Delete domain security policies" and delete it. However, you cannot delete browser preloaded entries (domains shipped inside Chrome's HSTS preload list); those always redirect.
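To make the behaviour described above concrete, here is a small model of a browser's HSTS host list written for this post as an added example (it is not code from the original post or from Chrome). It shows why the header is ignored over plain HTTP, how the 307 Internal Redirect rewrite is decided for a host and its subdomains, why the max-age=0 server-side fix clears the cached entry, and why a preloaded host (google.com is assumed as the preloaded entry here) keeps redirecting no matter what. The host name mysite.com is taken from the post; everything else is constructed.

```python
"""Minimal model of a browser's HSTS policy store (RFC 6797).

This is an added example, not code from the original post or from Chrome.
It simulates why Chrome rewrites http:// to https:// after it has seen a
Strict-Transport-Security header, and why the max-age=0 fix above only
works when served over HTTPS and never touches preloaded hosts.
"""
import time
from dataclasses import dataclass


@dataclass
class HstsEntry:
    expires: float            # absolute time at which the policy lapses
    include_subdomains: bool  # whether the includeSubDomains directive was set


def parse_sts(header):
    """Parse an STS header value into (max_age, include_subdomains).

    Returns None when max-age is missing or malformed: RFC 6797 says the
    browser must then ignore the header. Directive names are
    case-insensitive and a trailing ';' (as in the nginx line above) is fine.
    """
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """The per-browser list of known HSTS hosts, as seen in chrome://net-internals/#hsts."""

    def __init__(self, preload=(), now=time.time):
        self.now = now
        self.entries = {}   # dynamic entries learned from response headers
        # Preloaded hosts ship with the browser and cannot be deleted by the user
        self.preload = {h: HstsEntry(float("inf"), True) for h in preload}

    def observe_response(self, host, scheme, header):
        """Apply an STS header from a response for host; returns True if acted on."""
        if scheme != "https":
            return False        # RFC 6797 8.1: ignore STS received over plain HTTP
        parsed = parse_sts(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self.entries.pop(host, None)    # max-age=0 deletes the cached policy
        else:
            self.entries[host] = HstsEntry(self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            for table in (self.preload, self.entries):
                entry = table.get(candidate)
                if entry is None:
                    continue
                if entry.expires <= self.now():
                    table.pop(candidate)    # expired: forget it
                elif i == 0 or entry.include_subdomains:
                    return True
        return False

    def rewrite(self, url):
        """Return the URL the browser actually fetches (the 307 Internal Redirect)."""
        scheme, _, rest = url.partition("://")
        hostport, slash, path = rest.partition("/")
        host, _, port = hostport.partition(":")
        if scheme != "http" or not self.is_known(host):
            return url
        if port == "80":
            port = "443"        # RFC 6797 8.3: explicit :80 becomes :443, other ports are kept
        return "https://" + host + (":" + port if port else "") + slash + path


if __name__ == "__main__":
    store = HstsStore(preload=["google.com"])   # assumed preload-list entry for the demo
    store.observe_response("mysite.com", "https", "max-age=31536000; includeSubDomains")
    print(store.rewrite("http://mysite.com/"))          # https://mysite.com/
    store.observe_response("mysite.com", "https", "max-age=0;")
    print(store.rewrite("http://mysite.com/"))          # http://mysite.com/
    print(store.rewrite("http://mail.google.com/"))     # still https: preloaded
```

The `now` parameter exists so the expiry logic can be driven with a fake clock; in a real browser the entry simply ages out after max-age seconds, which is why a site that wants to turn HSTS off quickly has to serve max-age=0 rather than just dropping the header.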

References:
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
https://superuser.com/questions/565409/how-to-stop-an-automatic-redirect-from-http-to-https-in-chrome
https://stackoverflow.com/questions/27945501/307-redirect-when-loading-analytics-js-in-chrome

vi comment and uncomment multiple lines

Comment multiple lines
  1. Press ESC to get back to normal mode
  2. Go to the starting line, press ctrl+v to enable visual block mode
  3. Use the down arrow or the j key (k moves up) to select multiple lines
  4. Press shift+I (capital I) to insert at the start of the block
  5. Press # to add the comment character to the first line, then press ESC; vim then inserts # on every selected line (it may take a moment to show up)
Another option is:
  1. Press ESC
  2. Go to the starting line, press ctrl+v to enable visual block mode
  3. Use the down arrow or the j key to select multiple lines
  4. Press : to start an Ex command ('<,'> is automatically added as the range)
  5. Type s/^/#/ and press Enter; the full command :'<,'>s/^/#/ adds # to the start of every selected line
Uncomment multiple lines
  1. Put the cursor on the # column of the first commented line and press ctrl+v to enable visual block mode
  2. Move down to select the # of every line to uncomment
  3. Press x to delete the selected column (alternatively, select the lines and run :'<,'>s/^#//)

Thursday, August 23, 2018

UCaaS security framework

Cloud UCaaS (Unified Communications as a Service) needs a security framework that covers Meetings, Phone and Chat so that the service is both secure and reliable in the cloud.

1) Secure data center
UCaaS provider (vendor) needs facilities with strong physical protections, redundant power, and tested disaster recovery procedures.

2) Robust network security
The UCaaS vendor must add protections designed to prevent attacks on the infrastructure, so as to prevent service disruption, data breaches, fraud and service hijacking. It also needs to solve the firewall/NAT traversal problems of VoIP, for example by supporting static IP configuration and periodic SIP keep-alive signaling that holds the NAT binding open so inbound calls can still reach the phone.

3) Secure voice
All voice traffic within the cloud phone system should be encrypted to prevent eavesdropping on calls: SIP over TLS to protect the signaling (and the SRTP keys that are negotiated inside it), and SRTP to protect the media itself.
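A practitioner assessing this point wants to verify it on the wire rather than take it from a data sheet. The following check, written for this post as an added example (not the vendor's or the post's own code), audits a single SIP INVITE: the top Via header must say the hop used TLS, because with SDES (RFC 4568) the SRTP master key is carried inline in the SDP, and every active media stream must use a secure RTP profile (RTP/SAVP or RTP/SAVPF, RFC 3711) together with keying material (an a=crypto line, or an a=fingerprint line for DTLS-SRTP). The INVITE, its addresses and the inline key are constructed for the example.

```python
"""Audit a SIP INVITE for "SIP over TLS and SRTP" (added example, not the post's code).

Two things have to hold for a call to be protected against eavesdropping:
the signaling must ride on TLS (top Via transport is TLS), because with
SDES (RFC 4568) the SRTP master key travels inside the SDP, and every
active media stream must use a secure RTP profile (RTP/SAVP or RTP/SAVPF,
RFC 3711) with keying material (a=crypto, or a=fingerprint for DTLS-SRTP).
The INVITE below is constructed for the example; names and addresses are made up.
"""

SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS pc.example.com:5061;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 198.51.100.10\r\n"
    "s=-\r\n"
    "c=IN IP4 198.51.100.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/SAVP 0 8\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnUnCg==\r\n"
    "m=video 51372 RTP/AVP 31\r\n"   # plain RTP: this stream is the finding
)


def split_sip(message):
    """Split a raw SIP message into (header lines, body)."""
    head, _, body = message.partition("\r\n\r\n")
    return head.split("\r\n")[1:], body     # drop the request line


def signaling_is_tls(message):
    """True if the topmost Via header says this hop arrived over TLS."""
    headers, _ = split_sip(message)
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v"):     # 'v' is the compact form
            return value.strip().upper().startswith("SIP/2.0/TLS")
    return False


def media_sections(sdp):
    """Split SDP into session-level lines and one list of lines per m= section."""
    session, media, current = [], [], None
    for line in sdp.replace("\r\n", "\n").split("\n"):
        if not line:
            continue
        if line.startswith("m="):
            current = [line]
            media.append(current)
        elif current is None:
            session.append(line)
        else:
            current.append(line)
    return session, media


def audit_sdp(sdp):
    """One finding per media stream that would carry plaintext media; [] if all secure."""
    session, media = media_sections(sdp)
    session_fp = any(l.startswith("a=fingerprint:") for l in session)
    findings = []
    for section in media:
        fields = section[0].split()             # m=<media> <port> <proto> <fmt ...>
        kind, port, proto = fields[0][2:], fields[1], fields[2]
        if port == "0":
            continue                            # rejected stream, nothing flows
        keyed = session_fp or any(
            l.startswith(("a=crypto:", "a=fingerprint:")) for l in section)
        if proto not in SECURE_PROFILES:
            findings.append(f"{kind}: plaintext profile {proto}")
        elif not keyed:
            findings.append(f"{kind}: {proto} but no a=crypto or a=fingerprint")
    return findings


def audit_invite(message):
    """Combine the signaling and media checks for one INVITE."""
    _, body = split_sip(message)
    findings = []
    if not signaling_is_tls(message):
        findings.append("signaling: top Via is not SIP/2.0/TLS, SDP keys go in the clear")
    return findings + audit_sdp(body)


if __name__ == "__main__":
    for finding in audit_invite(SAMPLE_INVITE):
        print(finding)
```

Run against a capture of the provider's INVITEs (for example from a SIP trace on the PBX or a TLS-terminating SBC), the audio stream passes but the video stream is reported as plaintext RTP/AVP; swap the Via transport to UDP and the signaling finding appears too, since an inline SDES key sent over UDP is readable by anyone on the path.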

4) Data encryption
All data should be encrypted in transit and at rest, with auditable record-keeping and reporting. This covers everything from physical protections at the data centers to encrypted storage to comprehensive digital tracking with clear audit trails.

5) Fraud prevention
The service provider should have protections built into the service layer and should conduct continuous monitoring for dangerous anomalies or other indicators of toll fraud and service abuse.

6) User access controls
To ensure only authorized users access cloud communications accounts and services, the vendor should implement, at a minimum, strong password policies and ideally two-factor authentication (2FA) as well as single sign-on (SSO).

7) Account management and administration
Administrators should be able to instantly revoke a remote user's access to the cloud service, and thereby to customer contacts, CRM information and other corporate data; because almost no data resides on the device itself, revoking the account is enough to cut that user off.