今天用git下载东西很慢,把URL的https改http,很快就下好了。
有些新闻类网站真是吃饱了撑的:我手工把https改http,它还非https不可。[修改:可能不是网站而是浏览器的原因,请看后面] https不给自己的服务器增加负担吗?又不是网银。要是有个专用的网银浏览器就好了。https... 各种安全手段,银行也不必费事支持IE6了。
还有,我有个过滤出六级/考研单词的程序。目前能做到一个.html文件,里面一个文本框和一个按钮。在你正在看的页面里Ctrl-A全选,Ctrl-C复制,切到前述页面,Ctrl-V粘贴,点按钮,出结果。如果我把它做成个HTTP Proxy,不管你用啥浏览器,该proxy会悄悄地过滤排重计数保存,你每隔3~5天看看这些日子看过的网页里有哪些高频六级/考研单词,趁热打铁,想必是好的。Edge Extension做好了: Meta Mess, a super simple yet powerful Microsoft Edge Extension - 博客园
某百科网站自动放视频。虽然Edge可以设成不自动播放,但据说依然会下载。于是我想做个https proxy,遇到.mp4之类就返回404 Not Found. 请耐心看到最后,有终极解决方案。
Creating an HTTPS proxy server in Python - Stack Overflow How mitmproxy works
下载了mitmproxy试了下,Edge报错,和HSTS (HTTP Strict Transport Security)有关。https proxy从原理上是不太可行的。
The problem is actually not related to SSL at all but caused by a misunderstanding of how a HTTP proxy for HTTPS works. Such a proxy is not doing SSL at all. It is instead just used to create a tunnel to the final server and the client then creates the HTTPS connection trough this tunnel, keeping the end-to-end encryption this way.
The client connects to the proxy and makes a request that looks like this: CONNECT example.com:443 HTTP/1.1. The MITM in its name stands for Man-In-The-Middle - a reference to the process we use to intercept and interfere with these theoretically opaque data streams.
proxy和https是矛和盾的关系。MITM万能说明https不够安全,那它会再出ss甚至ssr版的。super secure really :-)
好比我们告诉Edge: 我是www.a.com, 证书号1234. Edge有个内置的表,放了知名网站/关系户的域名和证书,一查不对,认为我们是假冒的,不让访问。加密学又使得我们没法知道Edge知道的www.a.com的证书号。[What Is a Man-in-the-Middle Attack and How Can It Be Prevented | UpGuard] This only works if the attacker is able to make your browser believe the certificate is signed by a trusted Certificate Authority (CA). Otherwise your browser will display a warning or refuse to open the page.
负载均衡要么透明传输,不碰SSL/TLS里的内容,要么把证书摆在最外面,反正Edge没意见,认为人是真的。
Google Chrome set TLS 1.3 as the default version for a short time in 2017. It then removed it as the default, due to incompatible middleboxes such as Blue Coat web proxies. 他们是一伙的。我倒是可以试试虚拟机装Windows XP+IE 7.0 :-)
方案1: 在Edge的地址栏输入edge://flags/#edge-automatic-https,可以关闭Automatic HTTPS which enables support for Automatic HTTPS, which switches connections to websites from HTTP to HTTPS. 白高兴了,这方法好像在Edge 92上能用,Edge 97不行,这版本号涨得,啧啧。我决定换Firefox. 在Edge+Bing里搜Firefox,显示:
老太太背靠墙喝粥问现在几点——卑鄙(背壁)无耻(无齿)下流到了极点
换了Firefox也没啥鸟用,也许不完全是浏览器的原因,而是不少网站设成了转https: 3xx Redirect. 据说Google会调低非https网站的权重,don't be evil我呸,谁判断evil不evil?
方案2: python/curl/wget只下载.html文件。高级点python写个贼简单的http server, 做个网页"文本百科",文本框输入词,python后端下载。AJAX不能跨域。Linux下有字符界面的浏览器lynx.
方案3: 我上个月多花了2块多话费,由它去。Sorry我又标题党了。:-)
HTTP Strict Transport Security is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers should automatically interact with it using only HTTPS connections, which provide Transport Layer Security, unlike the insecure HTTP used alone. HSTS is an IETF standards track protocol and is specified in RFC 6797.
据说"硬件"负载均衡器F5用了ASIC(Application Specific Integrated Circuit)来处理SSL,同时最多8000路。"硬件"是因为高端型号有Xeon CPU和128GB内存,不知道报价5万的是不是这种。https真的浪费资源啊。
浙公网安备 33010602011771号