Understanding Traffic Hijacking and How HTTPS Prevents It
Traffic hijacking is a form of man‑in‑the‑middle attack that injects unwanted ads or modifies web content. HTTPS mitigates it by using SSL/TLS for server authentication, encryption, and integrity. This article explains the attack methods, HTTPS fundamentals, and practical deployment steps, including Alibaba Cloud support.
Recently, six major Chinese internet companies, including Xiaomi, issued a joint statement urging operators to combat traffic hijacking. Traffic hijacking is a type of man‑in‑the‑middle attack where malicious parties insert unwanted advertisements or pop‑ups into web pages, often by tampering with the data stream.
The hijacking generally occurs via two main techniques:
Domain hijacking: The attacker manipulates DNS resolution so that the victim’s HTTP request is redirected to an IP controlled by the attacker, allowing content theft or alteration, and even phishing page fabrication.
Direct traffic modification: The attacker injects fixed content such as ads or pop‑ups directly into the data stream, corrupting the page even though the client‑server TCP connection is intact.
The root cause is that the plain HTTP protocol provides no mechanism for authenticating the communication counterpart or verifying data integrity. Without these guarantees, hijacking is feasible.
HTTPS (HTTP over SSL/TLS) addresses these weaknesses. SSL/TLS adds a handshake phase before any HTTP data is exchanged. During the handshake, the client verifies the server’s identity using a digital certificate issued by a trusted Certificate Authority (CA), and both parties negotiate a session key for encrypting subsequent traffic.
Because the server’s certificate is validated, DNS hijacking that redirects the client to an impostor server will be detected and the connection terminated. Moreover, encryption and integrity checks prevent eavesdropping and content tampering.
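The detection described above only happens if the client actually verifies the certificate chain and the hostname. The following added example (not part of the original article) uses Python's standard ssl module to contrast a verifying client context with the common verification-disabled anti-pattern and to audit either one; the function names and the placeholder host are assumptions made for illustration.

```python
import socket
import ssl


def hardened_client_context():
    """Verifying client: CA chain and hostname checks are both enforced."""
    # create_default_context() loads the system CA store and sets
    # verify_mode=CERT_REQUIRED and check_hostname=True.
    return ssl.create_default_context()


def weak_client_context():
    """Anti-pattern: traffic is encrypted but the server is never authenticated."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings that would let an impostor server through."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified against trusted CAs")
    if not ctx.check_hostname:
        findings.append("certificate is not checked against the requested hostname")
    return findings


def probe(host, ctx, port=443, timeout=5.0):
    """Handshake with host and report whether the server was authenticated."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "handshake ok (%s)" % tls.version()
    except ssl.SSLCertVerificationError as exc:
        # What a redirected client sees when the impostor lacks a valid
        # certificate for the requested name.
        return "rejected: %s" % exc.verify_message
    except OSError as exc:
        return "connection failed: %s" % exc


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("weak", weak_client_context())):
        print(name, audit_context(ctx) or "no findings")
    # "example.com" is a placeholder host; this call needs network access.
    print(probe("example.com", hardened_client_context()))
```

A client built like weak_client_context() completes the handshake with any server, so a DNS redirect goes unnoticed even though the traffic is encrypted.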
To deploy HTTPS, a site must obtain a certificate for its domain from a recognized CA. Traditional CAs involve a manual verification process and fees, which can be cumbersome for individuals or small sites. Let’s Encrypt offers a free, automated solution that issues, renews, and revokes certificates without manual intervention.
After acquiring the certificate and private key, there are two common deployment approaches:
Install the certificate directly on the web server (e.g., Apache, Nginx) following the server’s documentation.
Deploy the certificate at the edge or reverse‑proxy layer, such as Alibaba Cloud CDN, SLB, or anti‑DDoS services, which handle TLS termination and offload encryption work.
Alibaba Cloud has extensive experience with large‑scale HTTPS adoption, having enabled end‑to‑end encryption for its e‑commerce platforms (Taobao, Tmall) during the 2015 Double‑11 shopping festival. Its CDN and SLB products provide HTTPS acceleration and offloading, making it easier for other developers to secure their sites.
By adopting HTTPS, the risk of traffic hijacking is dramatically reduced, ensuring that users receive authentic, untampered content.
Architect
Professional architect sharing high‑quality architecture insights. Topics include high‑availability, high‑performance, high‑stability architectures, big data, machine learning, Java, system and distributed architecture, AI, and practical large‑scale architecture case studies. Open to ideas‑driven architects who enjoy sharing and learning.