Scott Hanselman

How to enable HTTP Strict Transport Security (HSTS) in IIS7+

June 6, '15 Comments [15] Posted in IIS
Sponsored By

I got a report of a strange redirect loop on a website I (inherited, but help) manage. The reports were only from Chrome and Firefox users and just started suddenly last week, but the code on this site hadn't changed in at least 3 years, maybe longer.

Chrome shows an error "this webpage has a redirect loop"

What's going on here? Well, it's a redirect loop, LOL. But what KIND of redirects?

We know about these redirects, right?

  • 302 - Object Moved - Look over here at THIS URL!
  • 301 - Moved Permanently - NEVER COME HERE AGAIN. Go over to THIS URL!

A redirect loop builds up in the Chrome Developer Tools

But there's another kind of redirect.

  • 307 - Internal Redirect or "Redirect with method" - Someone told me earlier to go over HERE so I'm going to go there without talking to the server. Imma redirect myself and keep using the same VERB. That means you can redirect a POST without the extra insecure back and forth.

A 307 Internal Redirect

Note the reason for the 307! HSTS. What's that?

HSTS: Strict Transport Security

HSTS is a way to keep you from inadvertently switching AWAY from SSL once you've visited a site via HTTPS. For example, you'd hate to go to your bank via HTTPS, confirm that you're secure and go about your business only to notice that at some point you're on an insecure HTTP URL. How did THAT happen, you'd ask yourself.

But didn't we write a bunch of code back in the day to force HTTPS?

Sure, but this still required that we ask the server where to go at least once, over HTTP...and on every subsequent visit the user still lands on the insecure page first and then gets redirected.

HSTS is a way of saying "seriously, stay on HTTPS for this amount of time (like weeks). If anyone says otherwise, do an Internal Redirect and be secure anyway."

Some websites and blogs say that to implement this in IIS7+ you should just add the custom header required for HSTS like this in your web.config. This is NOT correct:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Strict-Transport-Security" value="max-age=31536000"/>
    </customHeaders>
  </httpProtocol>
</system.webServer>

This isn't technically to spec. The problem here is that you're sending the header ALWAYS even when you're not under HTTPS.

The HSTS (RFC6797) spec says

An HTTP host declares itself an HSTS Host by issuing to UAs (User Agents) an HSTS Policy, which is represented by and conveyed via the Strict-Transport-Security HTTP response header field over secure transport (e.g., TLS).

You shouldn't send Strict-Transport-Security over HTTP, just HTTPS. Send it when they can trust you.

Instead, redirect folks to a secure version of your canonical URL, then send Strict-Transport-Security. Here is a great answer on StackOverflow from Doug Wilson.

Note the first rule directs to a secure location from an insecure one. The second one adds the HTTP header for Strict-Transport-Security. The only thing I might change would be to formally canonicalize the www. prefix versus a naked domain.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
      <outboundRules>
        <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
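One way to catch the unconditional-header mistake described above (and to confirm that a rewrite-based config gates the header on HTTPS and redirects plain HTTP first) is to audit web.config before deploying it. The following is an added example, not code from this post or from Doug Wilson's answer: it parses the two web.config fragments shown above (embedded here as constructed samples) and reports findings. The function name audit_hsts and the wording of its findings are this example's own.

```python
"""Audit an IIS web.config for how it emits Strict-Transport-Security (added example)."""
import xml.etree.ElementTree as ET

HSTS = "Strict-Transport-Security"
# IIS URL Rewrite exposes a response header as RESPONSE_<name with - replaced by _>
HSTS_RESPONSE_VAR = "RESPONSE_Strict_Transport_Security"

# Constructed sample: the customHeaders form the post calls NOT correct. IIS adds
# this header to every response, including those served over plain HTTP.
UNCONDITIONAL_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security" value="max-age=31536000"/>
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""

# Constructed sample: the URL Rewrite form. Redirect HTTP to HTTPS first, then
# set the header only when the {HTTPS} server variable is "on".
REWRITE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
      <outboundRules>
        <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
"""


def _https_condition(rule, expected):
    """True if the rule carries <conditions><add input="{HTTPS}" pattern=expected/>."""
    return any(
        c.get("input") == "{HTTPS}" and c.get("pattern", "").lower() == expected
        for c in rule.findall("conditions/add")
    )


def audit_hsts(config_xml):
    """Return a list of findings (strings). An empty list means: no unconditional header,
    every outbound rule that sets the header is gated on HTTPS, and plain HTTP is redirected."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    findings = []

    # 1. A static customHeaders entry is emitted on every response, HTTP included.
    for headers in root.iter("customHeaders"):
        for add in headers.findall("add"):
            if add.get("name", "").lower() == HSTS.lower():
                findings.append("customHeaders sets %s unconditionally (also over plain HTTP)" % HSTS)

    # 2. An outbound rule that writes the header must be conditioned on {HTTPS} = on.
    for outbound in root.iter("outboundRules"):
        for rule in outbound.findall("rule"):
            match = rule.find("match")
            variable = match.get("serverVariable", "") if match is not None else ""
            if variable.lower() != HSTS_RESPONSE_VAR.lower():
                continue
            if not _https_condition(rule, "on"):
                findings.append("outbound rule %r sets %s without a {HTTPS}=on condition"
                                % (rule.get("name"), HSTS))

    # 3. Plain-HTTP visitors should be redirected to HTTPS before they ever see the header.
    redirect_rules = [
        rule for rules in root.iter("rules") for rule in rules.findall("rule")
        if rule.find("action") is not None
        and rule.find("action").get("type", "").lower() == "redirect"
    ]
    if not any(_https_condition(rule, "off") for rule in redirect_rules):
        findings.append("no inbound rule redirects {HTTPS}=off requests to HTTPS")

    return findings


if __name__ == "__main__":
    for label, cfg in (("customHeaders", UNCONDITIONAL_CONFIG), ("rewrite", REWRITE_CONFIG)):
        print(label, "->", audit_hsts(cfg) or "OK")
```

Run it against your own web.config by reading the file and passing its text to audit_hsts; the customHeaders sample yields two findings (the unconditional header and the missing HTTP-to-HTTPS redirect), the rewrite sample yields none.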

Note also that HTTP Strict Transport Security is coming to IE and Microsoft Edge as well, so it's an important piece of technology to understand.

What was happening with my old (inherited) website? Well, someone years ago wanted to make sure a specific endpoint/page on the site was served under HTTPS, so they wrote some code to do just that. No problem, right? Turns out they also added an else that effectively forced everyone to HTTP, rather than just using the current/inherited protocol.

This was a problem when Strict-Transport-Security was turned on at the root level for the entire domain. Now folks would show up on the site and get this interaction:

  • GET http://foo/web
  • 301 to http://foo/web/ (canonical ending slash)
  • 307 to https://foo/web/ (redirect with method, in other words, internally redirect to secure and keep using the same verb (GET or POST))
  • 301 to http://foo/web (internal else that was dumb and legacy)
  • rinse, repeat
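To make the two HSTS rules above concrete (a policy is only accepted when it arrives over HTTPS, and the upgrade is a client-side 307 that never asks the server) and to reproduce the loop the legacy "else" produced, here is an added Python model of a user agent. It is not code from this post and it contacts no real site: the host "foo" is the post's placeholder, the host "bar" and both site tables are constructed, and UserAgent, navigate, parse_max_age and reproduce_loop are this example's own names.

```python
"""Model of a browser's HSTS cache plus a redirect-loop detector (added example)."""
from urllib.parse import urlsplit, urlunsplit

HSTS = "Strict-Transport-Security"
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed model of the legacy site: url -> (status, response headers).
LEGACY_SITE = {
    "https://foo/":     (200, {HSTS: "max-age=31536000"}),        # domain-wide policy, HTTPS only
    "http://foo/web":   (301, {"Location": "http://foo/web/"}),    # canonical trailing slash
    "https://foo/web":  (301, {"Location": "https://foo/web/"}),
    "http://foo/web/":  (200, {}),                                # what the legacy app wanted: plain HTTP
    "https://foo/web/": (301, {"Location": "http://foo/web"}),     # the legacy "else" forcing HTTP
}

# Constructed site that sends the header over plain HTTP (the web.config the post
# calls NOT correct). RFC 6797 section 8.1 says a UA must ignore it.
MISCONFIGURED_SITE = {
    "http://bar/": (200, {HSTS: "max-age=31536000"}),
}


def parse_max_age(value):
    """Return the max-age directive of an STS header value, or None if absent or invalid."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(arg.strip().strip('"'))
            except ValueError:
                return None
    return None


class UserAgent:
    """Tiny client with an HSTS cache; a real browser also tracks expiry and includeSubDomains."""

    def __init__(self, site, max_hops=20):
        self.site = site
        self.hsts_hosts = {}   # host -> max-age
        self.max_hops = max_hops

    def _upgrade(self, url):
        """Rewrite http:// to https:// for a known HSTS host (Chrome shows this as 307 Internal Redirect)."""
        p = urlsplit(url)
        if p.scheme == "http" and p.hostname in self.hsts_hosts:
            return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
        return None

    def _remember_policy(self, url, headers):
        """Store a policy only if it arrived over HTTPS; max-age=0 tells the UA to forget the host."""
        p = urlsplit(url)
        value = headers.get(HSTS)
        if value is None or p.scheme != "https":
            return
        max_age = parse_max_age(value)
        if max_age is None:
            return
        if max_age == 0:
            self.hsts_hosts.pop(p.hostname, None)
        else:
            self.hsts_hosts[p.hostname] = max_age

    def navigate(self, url):
        """Follow redirects from url; returns the hop chain and whether a loop was detected."""
        chain, requested = [], set()
        for _ in range(self.max_hops):
            upgraded = self._upgrade(url)
            if upgraded:
                chain.append((307, upgraded))   # no request leaves the client for this hop
                url = upgraded
            if url in requested:
                return {"loop": True, "status": None, "chain": chain}
            requested.add(url)
            status, headers = self.site.get(url, (404, {}))
            self._remember_policy(url, headers)
            chain.append((status, url))
            if status in REDIRECT_STATUSES and "Location" in headers:
                url = headers["Location"]
                continue
            return {"loop": False, "status": status, "chain": chain}
        return {"loop": True, "status": None, "chain": chain}


def reproduce_loop():
    """Same URL before and after the UA has cached the domain-wide policy."""
    ua = UserAgent(LEGACY_SITE)
    before = ua.navigate("http://foo/web")   # insecure, but it works: 301 then 200
    ua.navigate("https://foo/")              # root visit over HTTPS caches HSTS for "foo"
    after = ua.navigate("http://foo/web")    # 307 -> 301 -> 301 -> 307 ... loop
    return before, after


if __name__ == "__main__":
    before, after = reproduce_loop()
    print("before HSTS:", before)
    print("after HSTS: ", after)
```

Swap in your own site table (or a real redirect walker) and the loop detector is the "KNOW YOUR REDIRECTS" check: any chain that revisits a URL already requested is a loop, and the 307 hops show where the client upgraded on its own.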

What's the lesson here? A configuration change that turned this feature on at the domain level of course affected all sub-directories and apps, including our legacy one. Our legacy app wasn't ready.

Be sure to implement HTTP Strict Transport Security (HSTS) on all your sites, but be sure to test and KNOW YOUR REDIRECTS.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

What's the deal with Windows 10 for the Non-Technical Friend

June 4, '15 Comments [40] Posted in Win10

The calls are starting to come in, as I, like you, Dear Reader, am the head of IT Support for my friends and family. You'd think my cell phone was an IT helpline, and my email is filled with Word documents with pasted in screenshots along with subject lines like "Is this safe?!?!?"

Anyway, Windows 10 is coming soon, and this little icon (the Windows icon) is starting to show up in folks' taskbars. For the techies, it's called GWX (Get Windows 10) and it's there to prep your machine and possibly download Windows 10 if you want to reserve a spot. It's added by KB3035583.

If you click it, you'll get this screen where you can add your email and when July comes around your system will start downloading Windows 10 automatically.

You may also see this in Windows Update if you run Windows Update manually as I do.

Windows 10 is coming soon

You get to decide when you want to install it, it's not automatic.

Free Upgrade to Windows 10

The important part you and your non-technical friend should know and explore is the "Check your PC" section. Click the "hamburger" menu in the upper left corner, then click "Check your PC." Here's mine. Looks like I need to update or uninstall one program that isn't yet compatible, but my devices (video, usb stuff, etc) are cool.

Windows 10 will work on this PC

There's a great FAQ (Frequently Asked Questions) on Windows 10 here that you should check out.

Here's my personal translation/take on the most important parts:

  • Windows 10 upgrades start July 29th and you can choose to upgrade for free until July 29, 2016 so no rush. If you want to wait and see, you can.
  • The upgrade is free for that period (July 29th 2015 until 2016, a year later). Upgrading after July 29th, 2016 will cost something.
  • You can upgrade machines running 7 and 8.1.
  • Your machine should have these specs, which are pretty low and reasonable. Most anyone with a running PC can upgrade.
  • Yes, Solitaire and Minesweeper and Hearts will be removed BUT you can download the new versions of Solitaire and Minesweeper free in the Windows Store. They are pretty nice versions.
  • You'll move to either Windows 10 Home or Windows 10 Pro, according to this table:
    What Windows 10 version will I get?
  • Your apps will keep running. I'm running all sorts of apps, many quite old, on Windows 10 and I have had no issue. The Compatibility Wizard still exists, though, so you can "lie" to really old apps and tell them they are running on Windows 95, or whatever. Just right-click the App that isn't working and click "Troubleshoot Compatibility," or right-click, Properties, then Compatibility. I haven't had to do this myself, yet, so consider this a rare thing.

So far it's been pretty interesting and I think that if your non-technical friend liked Windows 7 and tolerated Windows 8 they will like Windows 10. I've been doing "Windows 10 Build to Build" upgrade videos over at my YouTube and I would love it if you'd subscribe to my YouTube as well.

It's amazing that Windows 7 users and Windows 8 users will all be able to upgrade and come forward to a single version of Windows. As a developer (both web and apps) it'll be nice to have people on an "evergreen" Windows where I can do things like Feature Detection and not think as much about versioning.


Router redirecting to unwanted Adobe Flash update malware site - Moon Virus?

May 29, '15 Comments [35] Posted in Tools

Bear with me, for now this will be a tiny post, a placeholder, but I am looking for feedback, ideas, comments and I will keep this post updated.

The scenario: My local sandwich shop where I often hang out and work remotely has a wireless router that started to redirect me to a fake "update your flash" and download a "Install flashplayer_10924_i13445851_il345.exe" malware file. There are no viruses, rootkits, or malware on my PC. This affects their PoS (Point of Sale) system, tablets, iPhones. Also, it's not a DNS hijack, as the URL from the HTTP doesn't change. It's a MitM attack (Man in the Middle) where x number of HTTP GETs work fine and then every few hundred the router returns its own HTML. The requestor doesn't know the difference.

The router he has is a V1000W Wireless N VDSL Modem Router. I'm suspecting the "Moon" virus but I'm not sure, as this isn't a Linksys. The firmware is ancient from 2009 and that's the latest one I can find.

Before you reply:

  • I'm technical, but the public is often not. Comments like "run openwrt" are certainly valid for a techie, but I'd like to know something more populist:
    • Can this router (and others like it) be fixed? Or is this bricked? Can I flash it with the original firmware to restore?
    • Remote management isn't enabled. What port did the attack happen on?
    • How can I confirm it has it (all signs point to it) with some curl command?
  • What routers have this? What is the source?
  • What can a regular Jane/Joe do about this if they have Frontier/FiOS/CenturyLink, etc?

Thoughts?


Totally stressed out? Sync to Paper

May 29, '15 Comments [57] Posted in Productivity

One of the things I often talk about when I give presentations on Personal Productivity is that more people should Sync To Paper. I first had this idea in 2006 while working on a completely overwhelming project at my last job. I was already deeply into using OneNote, which was rather new at the time, so I was putting everything onto my laptop. I was convinced that my unorganized brain could "get organized" if I just wrote everything down in some cloud-based text file.

The problem, at least for me, is that there isn't a great way to see the big picture when you've just got pixels to look at. Life is much higher resolution than I think folks realize. I'm frankly surprised that so many of you can feel organized and productive on those 11" laptops. What a tiny window into your life!

Anyway, when I was working on this huge project the database was extremely complex. Hundreds of tables and relationships to manage. It was far too much for anyone to keep in their heads or view on a screen. So they turned to the plotter. Remember those? The database team would print out massive posters and hang them on the wall. They'd stand together in front of them and stare and think.

You see syncing to paper a lot with user interface/user experience teams (UI/UX). We'll wallpaper entire hallways with mockups of what the system should look like, putting them in high traffic areas so everyone can absorb them and collaborate.

When my life is overwhelming and I am at PEAK STRESS, I do three things.

  • I get a haircut, because at least I got that handled.
  • I clean my office, so I'm not reminded of the chaos of my life by the chaos of clutter around me.
  • And I sync to paper. I get a Moleskine notebook (Here's how to pronounce Moleskine, BTW) and I find a clear page and I write down what's stressing me out. I sync all my devices to paper. Calendars, Todos, thoughts, life, to paper.

The physicality of it is very satisfying in a visceral way. I've tried to do the same on a Surface or iPad with a stylus, but it doesn't work for me. The removal of technology and the scratch of a good quality pen on paper (I use a space pen) is very cathartic. Often I'm working on solving a technical problem so stepping away from tech is as important as the paper. It's a forced context switch. Even more, as a kinesthetic learner I feel that moving my hands differently helps cement the issues, even if I never refer to the written notes again.

True Story: If you watch the Microsoft BUILD Keynote (a big deal, in tech circles) you'll see me come out for my 15 minute demo holding my Moleskine notebook. No one else does this. In fact, they tease me a little about my notebook. In fact, I'm usually given a 30 page typed script to memorize. It includes screenshots, talking points, gotchas, demo instructions, passwords, all the stuff I need for my demo. Folks work on these scripts for weeks and then deliver them to me. It's VERY stressful for everyone. We sit together for days and go over these huge documents and I freak out and panic and then get out my Moleskine and synthesize 30 pages into one. Here's what I took on stage with me for the BUILD 2015 keynote. Insane isn't it? But without it I would have freaked out. Now the stage crew knows me as "the guy with the notebook." And yes, I know my handwriting sucks and that this is an unintelligible pile. It still worked, and worked well. ;)

I have horrible handwriting

When I'm completely a mess OR I'm trying to get my head around a large problem, I'll cover the floor with paper, or find a wall or large whiteboard and try to work it out.

We focus on touchscreen and pinch gestures a lot these days, but for me "zoom out" means literally and figuratively taking a step back from a piece of paper and trying to absorb the big picture.

Paper is the cheapest retina display you'll ever use. Give it a try, at least until I can afford a Surface Hub for my office. ;)

Microsoft Surface Hub

Do you sync to paper? How does it work for you?

UPDATE: I was pointed to a post from Robert Greiner who promotes the same idea! Great minds think alike. I encourage you to also read his thoughts on the concept, as they are different from mine. He likes the temporary aspect of paper, and the pain of writing as ways to keep one focused.

Related Links

* Messy Moleskine photo by Alexandre Dulaunoy and used under Creative Commons


Publishing an ASP.NET 5 app to Docker on Linux with Visual Studio

May 27, '15 Comments [19] Posted in ASP.NET | Docker | Open Source

Docker Apps are mostly portable

It's early days, but this is a nice preview of the possibilities of things to come. I often use LEGO bricks in the way of an analogy when talking about software systems. I like the idea of choice, flexibility, and plug-ability. Choosing your language, operating system, deployment method and style, etc are all important.

There is a preview of an extension for Visual Studio 2015 (the release candidate at the time of this writing) that adds Docker support. If you have VS2015 RC you can get the Docker Extension here. You can certainly manage things from the command line, but I think as you go through this post you'll appreciate the convenience of this extension.

NOTE: It's also worth pointing out that there is a Windows client command line for Docker as well. You can "choco install docker" and read about it here.

The Brief What's Docker Explanation

If you aren't familiar with Docker, here are the super basics.

  • Virtual Machines: You likely know what a virtual machine is. It's the whole operating system, the whole computer, virtualized. If you have a 10 megabyte app you want to run, you may end up putting it in a 10 gigabyte virtual machine and carrying it around. That gives great security and isolation as your app is all alone on its own private VM, but it's a little overkill. Now you want to deploy 100 apps, and you've got space, CPU, and other things to think about. VMs also start slow and have to be actively maintained.
  • Docker/Linux Containers (and Windows containers "Docker for Windows Server"): Docker containers are sandboxes running on the same OS kernel. They are easy to deploy and start fast.  As a side effect of running on the same kernel, containers let you share most of that 10 gigabytes (as an example number) of support software between lots of apps, giving you less isolation but also using a LOT fewer resources. Containers start fast and the underlying shared resources are what's maintained and kept up to date.

Docker also is a way to package up an app and push it out in a reliable and reproducible way. So you can say that Docker is a technology, but also a philosophy and a process.

Docker will work on Windows and Linux

Docker and Visual Studio

Once you have the Docker for Visual Studio 2015 extension (preview) installed, go ahead and make an ASP.NET 5 app. Right click the project and hit Publish.

Publishing to Docker from Visual Studio

Note the Docker Containers section that's been added? You still have PAAS (Platform as a Service) and can also publish to VMs within Azure as well. Select Docker and you'll be here:

Selecting a Docker VM

We'll make a new VM to host our Docker stuff. This VM will be the host for our containers. Today it'll be an Ubuntu LTS VM. Note that the dialog includes all the setup for Docker, ports, certs, etc. I could use existing VMs, of course.

Making a Docker VM

If you don't have a VM, then the initial create takes a while (5-10 min or more) so hang back. If you already have one, or the one you created is ready, then march on.

Visual Studio put in all our Docker details

Make special note of the Dockerfile option. You'll usually want to select your own manually created Dockerfile, assuming you're doing more than just a Hello World like I am.

The ASP.NET Dockerfile is up on GitHub: https://github.com/aspnet/aspnet-docker and in the Docker registry: https://registry.hub.docker.com/u/microsoft/aspnet/

In the build window you'll see lots of docker-related output. Here's a snipped version for flavor.

VERBOSE: Replacing tokens in Dockerfile: C:\Users\Scott\AppData\Local\Temp\PublishTemp\approot\src\WebApplication6\Properties\PublishProfiles\Dockerfile
VERBOSE: Package output path: C:\Users\Scott\AppData\Local\Temp\PublishTemp
VERBOSE: DockerHost: tcp://hanseldocker.cloudapp.net:2376
VERBOSE: DockerImageName: webapplication6
VERBOSE: DockerPublishHostPort: 80
VERBOSE: DockerPublishContainerPort: 80
VERBOSE: DockerAuthOptions: --tls
VERBOSE: DockerAppType: Web
VERBOSE: DockerBuildOnly: False
VERBOSE: DockerRemoveConflictingContainers: True
VERBOSE: LaunchSiteAfterPublish: True
VERBOSE: SiteUrlToLaunchAfterPublish:
VERBOSE: Querying for conflicting containers which has the same port mapped to the host...
Executing command [docker --tls -H tcp://hanseldocker.cloudapp.net:2376 ps -a | select-string -pattern ":80->" | foreach { Write-Output $_.ToString().split()[0] }]
VERBOSE: Building Docker image: webapplication6
Executing command [docker --tls -H tcp://hanseldocker.cloudapp.net:2376 build -t webapplication6 -f "C:\Users\Scott\AppData\Local\Temp\PublishTemp\approot\src\WebApplication6\Properties\PublishProfiles\Dockerfile" "C:\Users\Scott\AppData\Local\Temp\PublishTemp"]
VERBOSE: time="2015-05-27T10:59:06-07:00" level=warning msg="SECURITY WARNING: You are building a Docker image from Windows against a Linux Docker host. All files and directories added to build context will have '-rwxr-xr-x' permissions. It is recommended to double check and reset permissions for sensitive files and directories."
VERBOSE: Sending build context to Docker daemon 28.01 MB
VERBOSE: Step 0 : FROM microsoft/aspnet:vs-1.0.0-beta4
VERBOSE: vs-1.0.0-beta4: Pulling from microsoft/aspnet
VERBOSE: e5c30fef7918: Pulling fs layer
VERBOSE: e5c30fef7918: Pull complete
VERBOSE: e5c30fef7918: Already exists
VERBOSE: Digest: sha256:27fbe2377b5d4e66c4aaf3c984ef03d22afbfee3d4e78e10ff38cac7ff162d2e
VERBOSE: Status: Downloaded newer image for microsoft/aspnet:vs-1.0.0-beta4
VERBOSE: ---> e5c30fef7918
VERBOSE: Step 1 : ADD . /app
VERBOSE: ---> cf1f788321b3
VERBOSE: Removing intermediate container dd345cdcc5d9
VERBOSE: Step 2 : WORKDIR /app/approot/src/WebApplication6
VERBOSE: ---> Running in f22027140233
VERBOSE: ---> 7eabc0da4645
VERBOSE: Removing intermediate container f22027140233
VERBOSE: Step 3 : ENTRYPOINT dnx . Kestrel --server.urls http://localhost:80
VERBOSE: ---> Running in 4810324d32a5
VERBOSE: ---> e0a7ad38eb34
VERBOSE: Removing intermediate container 4810324d32a5
VERBOSE: Successfully built e0a7ad38eb34
The Docker image "webapplication6" was created successfully.
VERBOSE: Starting Docker container: webapplication6
Executing command [docker --tls -H tcp://hanseldocker.cloudapp.net:2376 run -t -d -p 80:80 webapplication6]
Docker container started with ID: 6d4820044df200e87f08cb5becbec879d1b58fcab73145ca3aa99a424c162054
To see standard output from your application, open a command line window and execute the following command:
docker --tls -H tcp://hanseldocker.cloudapp.net:2376 logs --follow 6d4820044df200e87f08cb5becbec879d1b58fcab73145ca3aa99a424c162054
VERBOSE: received -1-byte response of content type text/html; charset=utf-8
Executing command [Start-Process -FilePath "http://hanseldocker.cloudapp.net/"]
Publish completed successfully.

The interesting parts are the calls to dnx (the .NET Execution host), the warning that I started on Windows and I'm going to Linux, as well as the fact that we're using the "microsoft/aspnet" docker image.

ASP.NET in a Linux Docker Container

In my example, I had VS and the extension make my certificates. If I want to connect to this instance from the Windows Docker command line, I need to either pass those certs in, or set an env var. Here I'm running "ps" to see the remote docker containers in this Azure Linux VM. The Docker client looks in %USERPROFILE%\.docker for certs, so you just need to set DOCKER_HOST or pass it in like this.

C:\>docker --tls -H=tcp://hanseldocker.cloudapp.net:2376 ps

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6d4820044df2 webapplication6:latest "dnx . Kestrel --ser 58 minutes ago Up 58 minutes 0.0.0.0:80->80/tcp silly_poincare

It worked great. Also be sure to explore the PublishProfiles folder that gets created in your Visual Studio project under "Properties." A PowerShell script and a Shell script get created in that folder that you can use to publish your app from the command line. For example:

.\hanseldocker-Docker-publish.ps1 -packOutput $env:USERPROFILE\AppData\Local\Temp\PublishTemp -pubxmlFile .\hanseldocker-Docker.pubxml

or from Linux:

cd ProjectFolder (like WebApplication/src/WebApplication)
source dnvm.sh
dnu restore --no-cache
mkdir ~/Temp
dnu publish . --out ~/Temp/ --wwwroot-out "wwwroot" --quiet
cd Properties/PublishProfiles
chmod +x ./Docker-publish.sh
./Docker-publish.sh ./Docker.pubxml ~/Temp/

I'm looking forward to a cross-platform, cross-tools, choice-filled future. Finally, there's a great 7 part video series here called "Docker for .NET Developers" that you should check out on Channel 9.


Sponsor: Big thanks to Atalasoft for sponsoring the blog and feed this week! If your company works with documents, definitely check out Atalasoft's developer tools for web & mobile viewing, capture, and transformation. They've got free trials and a remarkable support team, too.


Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.