Got into a discussion recently about securing websites via HTTPS and the implications of allowing any part of your site to be loaded via HTTP. The most egregious designs usually loads the site using HTTP and simply completes a form POST for sensitive data via HTTPS. Good enough? Not by a long shot!

Two points I want to bring up about this:

  1. Any part of your site that gets to you via HTTP can easily be manipulated by man in the middle attack. Leaving the integrity of anything in the page in doubt including the endpoint of your “secure” POST.
  2. Non-technical end users are realizing (if only at a high level) that the green lock in the address bar means a more secure conversation.

It is disappointing then to see major sites happily present entire pages (or just resources) over HTTP when there are clear advantages to pushing the entire site via HTTPS. The HTTP Strict Transport Security (HSTS) standard is a relatively new mechanism that is designed to facilitate this practice in conjunction with compliant browser, the abstract for HSTS reads as follows:

This specification defines a mechanism enabling web sites to declare themselves accessible only via secure connections and/or for users to be able to direct their user agent(s) to interact with given sites only over secure connections. This overall policy is referred to as HTTP Strict Transport Security (HSTS). The policy is declared by web sites via the Strict-Transport-Security HTTP response header field

Here are some scenarios it helps combat:

User bookmarks or manually types http://example.com and is subject to a man-in-the-middle attacker

  • HSTS automatically redirects HTTP requests to HTTPS for the target domain

Web application that is intended to be purely HTTPS inadvertently contains HTTP links or serves content over HTTP

  • HSTS automatically redirects HTTP requests to HTTPS for the target domain

A man-in-the-middle attacker attempts to intercept traffic from a victim user using an invalid certificate and hopes the user will accept the bad certificate

  • HSTS does not allow a user to override the invalid certificate message

There are a variety of ways to tackle integration of this solution into IIS, here are the ones I have looked at recently.

Configure IIS directly

IIS does have the ability add custom header fields to the HttpResponse:

  1. Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager (instructions assume IIS 7).
  2. In Features View, double-click HTTP Response Headers.
  3. On the HTTP Response Headers page, in the Actions pane, click Add.
  4. In the Add Custom HTTP Response Header dialog box, type a name, and a value or set of values separated with commas (,) in the Name (Strict-Transport-Security) and Value (max-age=31536000) boxes as follows:
You could also add these headers via the web.config, something like this:
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Strict-Transport-Security" value="max-age=31536000"/>
</customHeaders>
</httpProtocol>
</system.webServer>

However, a strict adherence of the protocol means that you should not present this custom header over non-secure transport and unfortunately IIS does not support that type of conditional check. This means even if you force a 30x redirect to HTTPS for all HTTP traffic, that first 30x response over HTTP will contain the custom header.

IIS URL Rewrite

IIS 7 and above enables IIS administrators to create powerful customized rules, this one adds the custom header for only HTTPS traffic.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<outboundRules>
<rule name="Add Custom Header for HTTPS" enabled="true">
<match serverVariable="RESPONSE_Strict_Transport_Security"
pattern=".*" />
<conditions>
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
</conditions>
<action type="Rewrite" value="max-age=31536000" />
</rule>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>

ASP.NET HttpModule

Alternatively you could solve this by writing a HttpModule that runs within ASP.NET application context.

public class HSTSModule : IHttpModule 
{
public void Dispose()
{
}

public void Init(HttpApplication context)
{
context.PostRequestHandlerExecute += context_PostRequestHandlerExecute;
}

void context_PostRequestHandlerExecute(object sender, EventArgs e)
{
HttpContext context = ((HttpApplication)sender).Context;

if (context.Request.IsSecureConnection)
{
context.Response.AppendHeader("Strict-Transport-Security", "max-age=31536000");
}
}
}

If you elect to use a HttpModule you should be aware of which files are processed by ASP.NET, some static files (css, js, htm) are purposefully not sent through the ASP.NET pipeline, this can be configured within your Web.config but you should be aware of the implications of doing so.

Open Source IIS Module

The simplest alternative is to download and deploy the open source HTTP Strict Transport Security IIS Module, If you are comfortable with C++ and writing IIS modules you can find code details over at GitHub.


Related Posts
November 23, 2014 4:43    Comments [0]
Tagged in ASP.NET | IIS

Share on Twitter, Facebook and Google+


Connect is the cloud-first, mobile-first, developer-first, virtual event taking place today (and tomorrow) and the Microsoft team has been making some pretty amazing announcements, that genuinely transform the future opportunities  for .NET developers.

Microsoft is open sourcing the .NET Framework Libraries (MIT license), projects like Mono who have relied on contributors to their project who have not looked at disassembled .NET code, but can now freely introduce the .NET framework directly into the Mono project. The code is available here, just amazing!!!

Additionally Microsoft has begun redesigning .NET as the .NET Core which produces simpler versions of class libraries, the project is hosted on GitHub here. The .NET framework team also spent a lot of time trying to speed up the JIT compiler last year and released RyuJIT, this JIT compiler will *also* available under the same .NET Core release.

This bears repeating the MIT License is a permissive as it gets, and this also comes with a patent promise! This is Microsoft really living the open source software ideal!

Other notable updates

What announcement are you most eager to check out?


Related Posts

November 12, 2014 16:58    Comments [0]
Tagged in .NET | ASP.NET | Visual Studio

Share on Twitter, Facebook and Google+


Reading bad codeOver the years I have probably written hundreds of thousands of lines of code, which in turn means that I have *read* millions of lines of code. I have noted to others that (unlike “normal” reading and writing)  it is much easier to write code than it is to actually read it (like trying to read really bad hand writing). This leads most people involved in “Brownfield” development to eventually conclude that you need to start over in a new “Greenfield” location.

Sometimes going nuclear on code is a mistake, but finding people who have the skill and patience to look at existing code (good or bad) is really difficult. Frankly finding someone who has an ability to gain mastery of others code should be seen as a much more valuable skill than simply writing new code, but in truth we rarely value that skill.

With all that said if reading bad code is a skill, improving on bad code is a virtue! Identifying code smells and eliminating technical debt is a part of the development cycle that is rarely accounted for or even measured. Most developers I work with know how to strategically manage new technical debt. However, eliminating debt in existing code comes with added responsibility to test coverage and resource/time allocation that require executive approval.

So here are the most common issues (in order) I find in code reviews :

Twin (duplicate) code

This is an obvious one, and you should rarely see this pattern within a single class or C# page. I find this pattern tends to rear its head across multiple classes and namespaces, where someone needs to take a step back and use tools that find these patterns. I tend to warn people “if you use copy and past on an entire method you are probably doing it wrong”.

Walking dead code

This one is pretty obvious but we should always be on the look out for redundant and unused code. I have seen entire pages that harbor code just for future reference even though there is first class source code repository in use. Trust your source code system, delete unused code!

James and the giant Class

I really believe in the idea of single responsibility principle, make your classes very specific and succinct. So if you have thirty methods in a single class you may want to check if it is suffering from some unnecessary bloat. Also I tend to get a little nervous when I see your class creating more than a couple instances of other classes.

Breaking the Prime Directive

Primitive type abuse is always a concern in code, using primitive types is simple and straight forward, however, there are many cases where we need to guard against a range, or it may require some kind of validation (credit card, social security numbers, age, etc.) and a simple primitive type will not cover it.

Inception

This is the kind of code laden with if/else statements, and interwoven with multiple switch statements. I have seen a single if statements make frequent use of multiple not conditions, and it takes even the most logical thinker a dozen minutes to consider the possible paths through the code. Using a metric like Cyclomatic complexity can help identify code like this, but I find it can produce a lot of false positives especially for switch statements.

Independence day

It is time to set your classes free, along with reducing the overall size of your class you should be working to ensure that each class does not have unnecessary dependence on another class. When classes rely on specific features of other classes it tends to ensure that a simple change in one class arbitrarily affecting another class.

The Method with no name

I find very few people who naturally write good comments, they are usually just rewording the method name (e.g. GetFileList() will have a comment like “This gets the file list” o_O). If your method is sufficiently complex that the name does not capture it, remember to comment on the “why” rather than the “how”.

I have found that making technical debt visual helps people make more decisive decisions about how to combat it (using tools to measure complexity or define styles). You have to do your best to highlight the churn that is produced by having to read bad code, it also helps to stop referring to things as “the right way vs. the fast way” and call it what it is,“the right vs. the wrong way”.


Required reading

November 5, 2014 23:26    Comments [0]
Tagged in Development Process | Programming | Software

Share on Twitter, Facebook and Google+


I often blog about things that I find very interesting as it relates to software development (.NET more specifically) but that only covers a really small portion of my technical reading. While I tend to tweet these other links I continue to be frustrated by the search capabilities of Twitter, and so I intend to initiate a series of posts that represent my broader technical research and software interests. It has the added personal benefit of enabling me greater control (and search) over my curated work.

Hope you find something interesting!


Developer Links

Compressing the Web

As it relates to compression of HTTP request/response my knowledge pretty much begins and ends with GZIP, however, I came across this brilliant article on web compression techniques and I thought I would pass it on, techniques like this are critical for systems where bandwidth is limited (e.g. mobile).

Why Open Source Is Becoming A Big Developer-Recruiting Tool

“Most companies are just coming around to the idea that open source can help lower costs and boost innovation within their organizations. But Web companies like Netflix, Twitter and Facebook understand that open source can be more: a powerful weapon for recruiting and retaining top engineering talent.”

Open Web Platform Milestone Achieved with HTML5 Recommendation

“The World Wide Web Consortium (W3C) published a Recommendation of HTML5, the fifth major revision of the format used to build Web pages and applications, and the cornerstone of the Open Web Platform. For application developers and industry, HTML5 represents a set of features that people will be able to rely on for years to come. HTML5 is now supported on a wide variety of devices, lowering the cost of creating rich applications to reach users everywhere.”

Microsoft’s Quantum Mechanics

Using fundamental physics research may open a new era of unimaginably powerful computers.

RoomAlive

RoomAlive is a proof-of-concept prototype that transforms any room into an immersive, augmented entertainment experience. The experience is enabled by scalable, adaptive projector-camera units.

HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS.

WebDriver API in Developer Channel

WebDriver enables developers to create automated tests that simulate users interacting with webpages and report back results. This is different from JavaScript unit tests because WebDriver has access to functionality and information that JavaScript running in the browser doesn't, and it can more accurately simulate user events or OS-level events.

FluentValidation

A small validation library for .NET that uses a fluent interface and lambda expressions for building validation rules for your business objects.

November 3, 2014 19:10    Comments [0]
Tagged in Developer Links

Share on Twitter, Facebook and Google+


Sprout


Projectors have been directly connected to PC for a long time, but in more recent years the idea of using projectors as the basis of some user input has been gaining a lot of steam. In this tradition HP is releasing a new PC called Sprout which eschews the traditional keyboard and mouse for a projector and a 20-point touch-enabled mat.

Sprout takes advantage of a High-Resolution Camera with up to 14.6 megapixel resolution and the Intel® RealSense™ 3D Camera for instant capture of 2D and 3D objects, along with a Adonit Jot Pro stylus to write and draw with precision and comfort.

I love experimenting with HMI and UX, however, the novelty of the experience never trumps the reliability and usability for long (I am looking at you Kinect). Here is the thing, if my keyboard worked 97% of the time it would be disastrous and in fact I would assume that I simply needed a new keyboard. Inputs either have to deliberately appeal to the most simple gestures and commands or be first class inputs (like the keyboard and mouse), this is clearly being positioned as a first class input device. At $1900 (decent price IMHO) I hope they have really nailed it!


Related Posts

October 29, 2014 19:30    Comments [0]
Tagged in User Experience

Share on Twitter, Facebook and Google+