I’ve been tackling the problem of users connecting to online services from untrusted networks. At work we typically call this the “Starbucks” scenario, where a user connects to a random Wi-Fi network and accesses corporate data through online services. In the majority of cases the browser is used to connect to the services, and I don’t expect that to change much over the next few years.

One of the new proposals I’ve stumbled upon is the Strict Transport Security proposal, which is being sponsored by PayPal and is currently supported by the Google Chrome browser. The spec is still under review and the latest version is available at http://lists.w3.org/Archives/Public/www-archive/2009Dec/att-0048/draft-hodges-strict-transport-sec-06.plain.html .

The proposal is quite simple and aims at forcing the browser to connect only over SSL, by redirecting HTTP traffic to HTTPS at the browser level so that no connection is made over HTTP. This is implemented by adding a server component that provides the browser with a connection policy and a browser component that enforces the policy provided by the server.

I’ve seen a lot of applications force connections over HTTPS by simply detecting a connection over HTTP and returning a 302 redirect that sends the client to the HTTPS site, but this specification improves on that logic by telling the browser to automatically rewrite the HTTP location on the client side so that no “unsafe” connections are made.

I believe that the Strict Transport Security proposal is a step in the right direction, but I’m not sure about its acceptance. I also have some concerns about requiring the initial connection over HTTP and allowing the browser to connect back over HTTP once the policy expires. I believe that group policy might be a better approach for certain high-profile sites, but only time will tell.

After reading the specification, I realized that implementing the server-side processing is quite simple under ASP.NET, and I decided to implement a quick STS HTTP module for ASP.NET and make it available.

Installation

The STS module can be installed by adding it to the system.web.httpModules section of your web.config:

<system.web>
  <httpModules>
    <add name="STSModule" type="STSModule.STSServerModule"/>
  </httpModules>
</system.web>


Configuration

Enabling configuration section

The STS server module can be configured in the web.config through the stsModule configuration section. To do so, the configuration section needs to be registered in the configuration.configSections section of your web.config:

<configuration>
  <configSections>
    <sectionGroup name="stsModuleSection">
      <section name="stsModule" type="STSModule.StrictTransportSecuritySection"/>
    </sectionGroup>
  </configSections>
</configuration>

Configuring the module

Configuration name | Description | Default value
------------------ | ----------- | -------------
maxAgeInSeconds | Defines the max-age directive of the Strict-Transport-Security header. | 86400
includeSubDomains | Defines whether the includeSubDomains directive of the Strict-Transport-Security header is present. If the value is true, includeSubDomains is added to the header. | false
redirectUrl | Defines the URL used in the redirection. If the setting is empty or not defined, the redirect URL is the same as the requested one, with the scheme set to HTTPS. | Empty string
use302 | Specifies whether the status code should be 302 instead of the 301 specified in the spec. | false


<stsModuleSection>
  <stsModule maxAgeInSeconds="86400"
             includeSubDomains="false"
             use302="false"/>
</stsModuleSection>
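As an added illustration of the server-side processing described above (the redirect from HTTP to HTTPS and the policy header on HTTPS responses), here is a minimal ASP.NET IHttpModule written for this post. It is not the STSModule code itself; the class name StsExampleModule and the hard-coded settings are stand-ins for the stsModule configuration section.

```csharp
using System;
using System.Web;

// Illustrative module written for this post; it is NOT the STSModule code described
// above. Settings are hard-coded stand-ins for the stsModule configuration section.
public class StsExampleModule : IHttpModule
{
    // Assumed values, mirroring the configuration table's defaults.
    private const int MaxAgeInSeconds = 86400;
    private const bool IncludeSubDomains = false;
    private const string RedirectUrl = "";   // empty: reuse the requested URL over https
    private const bool Use302 = false;       // the draft specifies 301

    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }
    public void Dispose() { }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (!ctx.Request.IsSecureConnection)
        {
            // Plain HTTP: redirect to HTTPS. The STS header is deliberately not sent
            // here; the draft tells browsers to ignore it on non-secure connections.
            ctx.Response.StatusCode = Use302 ? 302 : 301;
            ctx.Response.RedirectLocation = BuildRedirectTarget(ctx.Request.Url);
            ctx.Response.End();
            return;
        }
        // HTTPS: publish the policy so the browser rewrites later http:// URLs itself.
        ctx.Response.AppendHeader("Strict-Transport-Security", BuildHeaderValue());
    }

    // Empty redirectUrl: keep host, path and query, switch the scheme to https and
    // drop the explicit port so the scheme's default (443) is used.
    public static string BuildRedirectTarget(Uri requested)
    {
        if (RedirectUrl.Length > 0) return RedirectUrl;
        UriBuilder b = new UriBuilder(requested);
        b.Scheme = "https";
        b.Port = -1;
        return b.Uri.AbsoluteUri;
    }

    // Header value as defined by the draft: max-age=<seconds>[; includeSubDomains]
    public static string BuildHeaderValue()
    {
        string value = "max-age=" + MaxAgeInSeconds;
        if (IncludeSubDomains) value += "; includeSubDomains";
        return value;
    }
}
```

Register it the same way as the STSModule entry in the Installation section, with the type attribute changed to this class.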