30 August 2016

Fun with HTTP Strict Transport Security!

At the moment I write this, something odd is happening with the US Senate site (if you view it in Chrome at least). If you go to http://www.senate.gov/, you will see the home page.



But, if you go to https://www.senate.gov/, you will see an error message telling you that HTTPS isn't working, and a link to go back to HTTP instead.



Clicking the link - which does actually point to HTTP instead of HTTPS - will, however, cause the browser to re-request https://www.senate.gov/, which of course you can't get to because of the error. So, your next diagnostic step might be to close your browser and reopen it, then explicitly enter http://www.senate.gov/. This will cause your browser to AGAIN request https://www.senate.gov/ instead of http://www.senate.gov/. What gives?

The cause of this behavior is something called HTTP Strict Transport Security, or HSTS. I ran into a problem with HSTS a few months back, but the problem was on an internal site that I couldn't share in a blog post.

Basically, HSTS tells browsers to ONLY use HTTPS for a given host for some period of time after the first HTTPS response that asks for it. That HTTPS response includes a response header called, appropriately enough, Strict-Transport-Security. The header carries a max-age value in seconds, and for that long the browser will only send HTTPS requests to the host: any http:// URL for it, whether typed into the address bar, followed from a link, or referenced by a stylesheet or script, is rewritten to https:// before the request ever leaves the browser. Browsers also refuse to let you click past a certificate error on an HSTS host, so there is no "proceed anyway" escape hatch while the policy is in force. The odd thing here, arguably, is that a server can send the header on a plain HTTP response as well; browsers are required to ignore it there (otherwise anyone on the network path could set it for you), so it has no effect until the same header arrives over a valid HTTPS connection, at which point all subsequent requests must be HTTPS until the time has elapsed. Each HTTPS response that carries the header restarts the clock, and a response with max-age=0 clears the policy. The time period may be quite long - in the screenshot below, it's one hundred and eighty days (15,552,000 seconds)!

Another feature used to enforce HTTPS usage is called Upgrade Insecure Requests, and it's often used together with HSTS. There are two halves to it. The first is a Content Security Policy directive, upgrade-insecure-requests, that a server can send in its response headers; a browser that honors it rewrites any http:// subresource URLs on the page (scripts, stylesheets, images) to https:// before fetching them. The second is a request header that the browser sends on its own, without being asked, to tell the server it would happily be redirected:

Upgrade-Insecure-Requests: 1

A server that sees this header can answer an HTTP request with a redirect to the HTTPS version of the same URL, if one exists, rather than serving the page over plain HTTP. As of this writing, Chrome and Firefox send the header on every page request, but Microsoft Edge does not. Here's a screenshot showing the server's Content-Security-Policy directive and Strict-Transport-Security response headers, and the Upgrade-Insecure-Requests request header.


Each of these is a good and valuable feature for improving HTTPS security, but together they can cause some odd problems. The problem I ran into, specifically, was a combination of issues. Note the attributes of Strict-Transport-Security in the previous screenshot. Not only is there a max-age, but also an "includeSubDomains" directive, which extends the policy from the host that sent it to every host beneath that domain.

Let's say you have http://someapp.domain.com/, and the pages on that site include a CSS file hosted on the "main" site, http://domain.com/. This is a pretty common practice. Now, let's say that HTTPS is enabled on domain.com, and that its HTTPS responses carry Strict-Transport-Security with includeSubDomains. Chrome or Firefox will read the http:// stylesheet URL from the default document on someapp.domain.com and send an HTTP request for it to domain.com, along with the Upgrade-Insecure-Requests header. domain.com redirects the browser to the HTTPS version of that URL, and the HTTPS response carries the Strict-Transport-Security header, which the browser now stores for domain.com and, because of includeSubDomains, for every host beneath it.

On your next page request to http://someapp.domain.com/, Chrome or Firefox will automatically request https://someapp.domain.com/ instead! This will fail if someapp.domain.com doesn't have a valid TLS certificate, and because the host is now covered by HSTS the browser won't offer a way to click past the error. You can address this by (a) installing a valid, signed TLS certificate on the server, or (b) removing references to HTTPS-capable hosts within the same domain from your pages. Note that (b) only stops browsers from learning the policy; it won't clear one that a browser has already cached, so you'll still be waiting out max-age (or, in Chrome, deleting the domain's entry by hand at chrome://net-internals/#hsts, which is also the quickest way to confirm that HSTS is the cause). If you control domain.com, a third option is to drop includeSubDomains from its header, but do that only if every subdomain is genuinely meant to be reachable over plain HTTP, since includeSubDomains is what keeps cookies scoped to the parent domain from being sent to an insecure subdomain.
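To make the sequence above concrete, here is a small model of a browser's HSTS cache in JavaScript (Node). It is an added example, not code from the original post or from any browser; the host names, the stylesheet URL and the max-age value are constructed for illustration. It parses the Strict-Transport-Security header, ignores the header on plain HTTP responses, matches includeSubDomains against parent domains, expires entries after max-age, and then replays the someapp.domain.com scenario step by step.

```javascript
// Added example: a toy model of a browser's HSTS cache (RFC 6797 behaviour),
// not code from the original post or from any real browser. Hosts, URLs and
// header values below are constructed for illustration.

// Parse a Strict-Transport-Security header value into a policy object.
// Returns null if the value is unusable (missing, duplicate or non-numeric max-age).
function parseHsts(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of value.split(';')) {
    const directive = raw.trim();
    if (!directive) continue;
    const [name, val] = directive.split('=').map(s => s.trim().replace(/^"|"$/g, ''));
    const lower = name.toLowerCase();
    if (lower === 'max-age') {
      if (maxAge !== null || !/^\d+$/.test(val || '')) return null;
      maxAge = Number(val);
    } else if (lower === 'includesubdomains') {
      includeSubDomains = true;
    }
    // Unrecognised directives (e.g. preload) are ignored, as the RFC requires.
  }
  if (maxAge === null) return null;
  return { maxAge, includeSubDomains };
}

class HstsCache {
  constructor() { this.policies = new Map(); } // hostname -> { expires, includeSubDomains }

  // Called for every response the "browser" receives. The header is only
  // honoured when the response arrived over HTTPS; anyone on the network path
  // could inject it into a plain HTTP response, so that copy is discarded.
  observeResponse(url, headers, now) {
    const u = new URL(url);
    if (u.protocol !== 'https:') return false;
    const hdr = headers['strict-transport-security'];
    if (!hdr) return false;
    const policy = parseHsts(hdr);
    if (!policy) return false;
    if (policy.maxAge === 0) { this.policies.delete(u.hostname); return true; } // max-age=0 clears
    this.policies.set(u.hostname, {
      expires: now + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // Does an unexpired policy cover this host? An exact match always counts;
  // a parent domain's policy counts only if it was sent with includeSubDomains.
  isKnownHsts(hostname, now) {
    const labels = hostname.split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const p = this.policies.get(candidate);
      if (!p) continue;
      if (p.expires <= now) { this.policies.delete(candidate); continue; }
      if (i === 0 || p.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite an http:// URL to https:// when HSTS applies; anything else passes through.
  upgrade(url, now) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnownHsts(u.hostname, now)) u.protocol = 'https:';
    return u.toString();
  }
}

// Replay the scenario from the post with constructed hosts and headers.
function scenario() {
  const cache = new HstsCache();
  const t0 = Date.parse('2016-08-30T00:00:00Z');
  const sts = { 'strict-transport-security': 'max-age=15552000; includeSubDomains' }; // 180 days
  const trace = [];

  // 1. First visit: nothing cached, so the app page loads over plain HTTP.
  trace.push(cache.upgrade('http://someapp.domain.com/', t0));

  // 2. The page references http://domain.com/site.css. domain.com answers the
  //    plain HTTP request with a redirect; a header on that response is ignored.
  cache.observeResponse('http://domain.com/site.css', sts, t0);
  trace.push(cache.isKnownHsts('domain.com', t0));

  // 3. The browser follows the redirect; the HTTPS response carries the header.
  cache.observeResponse('https://domain.com/site.css', sts, t0);

  // 4. The next navigation to the app is silently upgraded via includeSubDomains.
  trace.push(cache.upgrade('http://someapp.domain.com/', t0 + 1000));

  // 5. Just past 180 days later the policy has expired and plain HTTP works again.
  trace.push(cache.upgrade('http://someapp.domain.com/', t0 + 15552000 * 1000 + 1000));
  return trace;
}

if (typeof require !== 'undefined' && require.main === module) console.log(scenario());
```

Run it with `node` to see the trace: the app loads over HTTP, the header on the plain-HTTP redirect is ignored, and only after the HTTPS response has been seen does the next request to someapp.domain.com come out as https://. Real browsers add a preload list and a few more edge cases, but the decision logic that bites in the scenario above is exactly the parent-domain walk in isKnownHsts.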

If you use HTTPS everywhere, which is strongly recommended, you won't have this problem. Until then, be careful!

[Note: cross-posted on the Fig Leaf Software blog]

31 July 2015

Screen scraper changes between GSA 7.0 and 7.2+

Background

A few years back, the Google team at Fig Leaf Software built a custom application in .NET to manage Google Search Appliance functionality using a rules engine of sorts, rather than requiring manual interaction with the GSA. I didn't build it; we have a very skilled .NET development team that did almost all of the heavy lifting, and all I had to do was build a very simple prototype.

30 July 2015

Upgrading Surface Pro 3 from Windows 8.1 to Windows 10 - First impressions

I've been using a Microsoft Surface Pro 3 as my primary work computer for about eight months, after upgrading from a Surface Pro 2 which I could never quite get used to for doing all of my work. The Surface Pro 2 was very portable, but a bit unwieldy and clunky for using at a desk. I held off on getting the Surface Pro 3 because I didn't think it would be so much better than the 2. In retrospect, I wish I'd gotten it the day it came out.

For work, I primarily use it as a regular laptop, although it works very well as a tablet for reading books, quickly checking email and similar tasks. It has a detachable keyboard, and attaching it makes it work in "desktop" mode, more or less. But one problem with Windows 8 is that tablet (or "Metro") mode and desktop mode are so different, and some tasks make you switch from one to the other and back again. Connecting to a wireless network, viewing images, and updating Windows all involve switching back and forth between desktop and tablet mode, if you start in desktop mode in the first place. It definitely is a bit confusing for me, even after using it as long as I have.

Windows 8 also doesn't have a Start menu. When you click on the Start icon, the one that normally opens the Start menu in Windows 7, it takes you back to tablet mode. To find the program you want to start, you then have to swipe up to get to the Apps screen, then swipe left to get to the second page of Apps icons ... yecch. I've mostly gotten used to these UI quirks, and I also installed a Windows 7-style Start menu application, but I was definitely interested in seeing how Windows 10 resolved these issues. On the other hand, I didn't want to find out by installing a prerelease version of Windows 10 on my primary work computer.

So, today, Microsoft rolled out Windows 10 for free to users of Windows 7 and up. About a month ago or so, Microsoft provided a patch to Windows 7 and 8 users allowing us to sign up to download the new OS and install it on release if we chose, or to install it later. I'd planned to install it later - much later - but tonight, I decided to just do it. Something today, I'm not sure what, reminded me of the first time I installed Windows 2000, and how much fun I had playing around with IIS 5 and the other new features.

Before installing a new OS, I like to take a system image just in case something goes wrong. Windows 8.1 has a way you can do this, in theory, but it's pretty well hidden away. I'd never used it, and I still haven't - I couldn't get it to work. I did get it to return several different eight-digit error codes, but apparently there are lots of reasons why it might not work, and not many explanations about how to fix those reasons. Not exactly an auspicious start, and after a couple of hours trying to get it to work I just gave up and decided to do the install anyway.

On the bright side, the install itself was the smoothest OS upgrade I've ever seen. It just worked. It took about half an hour for the actual install - the download had completed automatically well in advance. The install went through three phases, and rebooted the computer a couple of times, but that was it.

After the reboot, I was prompted to log in with the same account I'd used with Windows 8.1 - an online Microsoft account - and was able to log in with the PIN I'd previously set instead of the account password. Next, I was asked about some default programs and data collection by Microsoft. After all that, I reached the desktop, which looked somewhat similar to the previous desktop, but not identical - the taskbar has a search box, and the system tray icons are high-contrast compared to their predecessors.


The Start menu is actually ... a Start menu! It's kind of an interesting mix of desktop and Metro tile functionality, and you can pin your own tiles to it, which is good enough for me. It didn't automatically add the items I'd previously pinned to the Start menu, but since I'd been using a third-party Start menu in Windows 8.1 I shouldn't be surprised.



Next to the Start icon, there's a search box. When you click into the search box the first time, you'll be prompted to set up Cortana, which so far looks like Microsoft's version of Siri and Google Now.


Next to that, there's a "Task View" button that shows you one or more desktops, each with whatever windows are open on them.


The last thing I've looked at so far is the new browser, Microsoft Edge. Windows 10 still comes with Internet Explorer for legacy use, but the default browser is Edge. I haven't used it enough yet to draw any conclusions other than "one more thing for web developers to test against".


I'll have to play around with all of these things for a while before I can say anything about them one way or the other.

My favorite part of the upgrade was simply that everything worked! All of my previously installed software, including numerous VPN clients, all seem to work just as they're supposed to. Performance seems good so far. I had good performance with Windows 8.1, and this seems to be about the same.

So far, I'm glad I did the upgrade. For people running Windows 8.1, I think Windows 10 is a sensible upgrade that addresses some of the internal UI contradictions that many people complained about. I don't plan to upgrade my Windows 7 desktop just yet, but I think Windows 10 is a better fit for desktops than 8.1 was.

01 August 2014

Comparison of Google Search Appliance 7.2 and 7.0 Admin Consoles

The latest major version of Google Search Appliance software, GSA 7.2, was released on 12 February 2014, and introduced a ton of new features. One of those features was a significantly redesigned admin console, with restructured navigation menus. Prior to 7.2, the admin console hadn't changed in many years, so when I started working with 7.2 I had a bit of trouble remembering where to find specific menu items in the new admin console. I've heard GSA customers and students having the same problems finding things. In fact, one person I talked to actually backed out of a system upgrade because he couldn't find items in the new console! (The ability to back out of a system upgrade is itself a new 7.2 feature, by the way.)

So that's the motivation behind this blog post. Within the 7.2 release notes, there's actually a specific list that maps old menu item locations to new ones, but I thought that a little visual representation might help. This post will help you navigate from GSA 7.0 to GSA 7.2.

13 May 2014

Google Search Appliance 6.14 deprecation, and how to upgrade your GSA

Yesterday, Google informed its customers that Google Search Appliance 6.14 has been deprecated. The earliest supported GSA software version is now GSA 7.0. If you're using the Google Search Appliance, and haven't upgraded to at least 7.0 or higher, you should do this as soon as possible!

10 April 2014

My heart bleeds for you (security-wise, anyway)

What is Heartbleed, and why should I care?

If you've paid any attention to tech news over the last few days, you may have heard of a serious vulnerability called Heartbleed. In a nutshell, it's a bug in OpenSSL. What's OpenSSL? It's the cryptography library that many web servers (and plenty of other software) use to provide HTTPS via Transport Layer Security (TLS, the successor to what we used to call SSL). In other words, when you open a browser and buy something on Amazon, or log into Google Apps, you're connecting to a web server that uses TLS, and quite possibly OpenSSL. Heartbleed is a flaw in OpenSSL's handling of the TLS heartbeat extension: a malformed heartbeat request lets the other end read up to 64 KB of the server's memory per request, which can include private keys, session cookies and passwords, without leaving a trace in the logs.

12 March 2014

Managing Chrome: Adding Existing Apps to the Chrome Web Store Domain Collection

Recently, my coworker and good friend Steve Drucker put together a blog post about Chrome Web Store apps useful for developers. I liked it, mostly because I've been using a couple of those apps a lot myself lately - especially Postman, which is a great little tool for building and sending HTTP requests. It's great for REST testing!