Forum Discussion

Beinhard_8950
Nimbostratus
Sep 02, 2010

Strict Transport Security

Hi,

I have a question: has anyone implemented Strict Transport Security (STS/HSTS)?

I have seen many guides to implement this on servers and so on, but if you use an ADC then it would be implemented there, I guess.

So if someone has done this or has an idea, please give your thoughts about this.

Regards,

Adam

 

  • Most of the controls for STS seem to occur on the client end. Implementing looks to be a fairly simple iRule, inserting a header with appropriate options for your policy and limiting access to non-ssl resources on the client-side. The problem is going to be handling non-compliant browsers. I know Chrome supports it already and FF4 will have it, but what about IE and the others? That's a large chunk of site visitors, so you would need a mechanism (simple HTTP::respond with "Please use browser X, Y, Z" would work) to inform the users. It's always tricky to enforce adoption without losing users.
  • Hi, thanks for the answer.

    Regarding that you will lose users that don't have an STS-compatible browser: I think that isn't true.

    If you don't have a UA that supports STS then you don't have this security feature.

    So has anyone tried to use an iRule for this, or any other thoughts on STS and F5?

  • Not saying you will lose users, just noting it's a consideration. I haven't heard anything on STS specific to F5. I'm going to write a tech tip on it that will be released later this month. Any other questions you have or implementation ideas? I'll try to work them in.
  • This is really interesting, thanks for posting. The good news is that you can accomplish most all of this by simply forcing every request through an SSL enabled virtual server. You can force any non-https request to that VS address back over to the SSL enabled VS. Also, stream profiles can rewrite non-https references for you on the fly.

    I'm not saying that this is a superfluous concept at all, but it seems that with an ADC you can actually enforce much of this behavior so you're ahead of the game before you've even started. As far as inserting the header, I agree that this looks totally possible.

    -Matt
  • Hamish
    Cirrocumulus
    Mmm... The one advantage you still don't get is the possible leaking of information on the HTTP connection still... There's no way to work around that except to just drop connection attempts to port 80 (which then goes full circle).

    BUT at the end of the day, it's all still IMNSHO mostly an attempt to make apps with bugs or design faults in them 'work properly'... If the app DID work properly, there would be no need for the port 80 traffic, and no need for STS either (how many times have you seen anything like STS for IPSec, for an extreme example?).

    The part about making cert errors fatal and not allowing you to click around them however is a good one... That would help for some 'stolen' sites, DNS corruptions, etc.

    Maybe it's time to step back and look at security properly on the Internet... Rather than trying to patch protocols that weren't intended to be used in this way... (As good as they are, there's almost always a way to break them when inserting security. Sadly that's probably not going to happen, because developers will always look for a way to have the security broken to make it easier for the user or to make their app actually work around a bug they left in it... Which generally means less secure.)

    Sorry... It's Monday and I'm feeling cynical...

    H
  • Posted By L4L7 on 09/12/2010 08:42 PM

    This is really interesting, thanks for posting. The good news is that you can accomplish most all of this by simply forcing every request through an SSL enabled virtual server. You can force any non-https request to that VS address back over to the SSL enabled VS. Also, stream profiles can rewrite non-https references for you on the fly.

    I'm not saying that this is a superfluous concept at all, but it seems that with an ADC you can actually enforce much of this behavior so you're ahead of the game before you've even started. As far as inserting the header, I agree that this looks totally possible.

    -Matt

    This assumes all traffic goes through an F5 BIG-IP. Yes, we can do that, but not all appliances can. Maybe this std is to protect users who deploy "the other guy?" Just a little early Monday humor, folks, no need for flames...
  • Forgot to post back that I actually did write the article: http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1084416/Implementing-HTTP-Strict-Transport-Security-in-iRules.aspx
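The two pieces the thread describes, redirecting every plain-HTTP request to the SSL virtual server and inserting the header on HTTPS responses, fit in a single iRule. The following is an added example written for this page; it is not the code from the linked tech tip or from any of the posters. It assumes the iRule is attached to both the port-80 and the port-443 virtual servers, that only the HTTPS virtual carries a client SSL profile (which is what `PROFILE::exists clientssl` tests), that the site is fine with a one-year `max-age`, and that every subdomain is also served over HTTPS (otherwise drop `includeSubDomains`).

```tcl
# Added example, not the tech tip's code. One iRule for both virtuals:
# the plain-HTTP virtual (no client SSL profile) only redirects, the HTTPS
# virtual only inserts the header. max-age of 31536000 (one year) and
# includeSubDomains are assumptions for this example.
when HTTP_REQUEST {
    if { ![PROFILE::exists clientssl] } {
        # Plain HTTP: never forward the request to the pool. Send the browser
        # to the same host and URI over HTTPS. getfield strips a ":port"
        # suffix from the Host header so the redirect lands on 443.
        HTTP::respond 301 Location "https://[getfield [HTTP::host] ":" 1][HTTP::uri]" Connection "close"
        return
    }
}

when HTTP_RESPONSE {
    # RFC 6797 only honours the header on a TLS connection, so it is added
    # on the HTTPS virtual only, and only if the pool member did not already
    # send one (avoids a duplicate header with conflicting directives).
    if { [PROFILE::exists clientssl] && ![HTTP::header exists "Strict-Transport-Security"] } {
        HTTP::header insert "Strict-Transport-Security" "max-age=31536000; includeSubDomains"
    }
}
```

Two operational notes: the redirect on port 80 still happens over clear text, which is Hamish's point above about leakage on the first request, and HSTS only closes that window for browsers that have already seen the header once over HTTPS. Start with a short `max-age` (minutes, not a year) while validating that every host and subdomain the header covers really serves HTTPS, because a browser that has cached a long `max-age` will refuse to fall back to HTTP if something breaks.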