« DAVTest: Quickly Test & Exploit WebDAV Servers | Main | Mozilla releases browser checker to see if you're running vulnerable plugins »

Release of Strict Transport Security http module for ASP.NET.

Sacha Faust has published an IIS http module for the Strict Transport Security protocol. From his blog

"I’ve been tackling the problem of users connecting to online services from untrusted network. At work we typically call this the “Startbucks” scenario where a user is connecting to a random wifi and accessing corporate data through online services. For the majority of the cases, the browser is used to connect to the services and I don’t expect it to change much for the next few years.

One of the new proposal I’ve stumble upon is the Strict Transport Security proposal which is being sponsored by Paypal  and currently supported by the Google Chrome browser. The spec is still under review and the latest version is available at http://lists.w3.org/Archives/Public/www-archive/2009Dec/att-0048/draft-hodges-strict-transport-sec-06.plain.html .

The proposal is quite simple and aims at forcing the browser to only connect over SSL by redirecting HTTP traffic to HTTPS at the browser level so that no connection is made over HTTP. This is implemented by adding a server component that provides the browser with a connection policy and by a browser component which enforce the policy provided by the server."


"After reading the specification, I realize that implementing the server processing is quite simple under ASP.NET and decided to implement a quick STS HTTP Module for ASP.NET and make it available."

Link: http://blogs.msdn.com/sfaust/archive/2010/05/12/strict-transport-security-asp-net-module.aspx


Feed You can follow this conversation by subscribing to the comment feed for this post.

All Comments are Moderated and will be delayed!

I see the merit, but why is this any better than simply forcing the user to connect to the corporate network through a VPN and maybe even a special locked down vpn only browser (that must also be up to date, etc to connect in the first place)?

The goal is for public websites to inform the client to only ever connect to them over HTTPS. For example Bank of America could set a policy to ensure you never try connecting over HTTP. People on public networks (hotel, coffee shop, etc) in particular are easy targets for SSLStrip type attacks which STS prevents.

Post a comment

Remember personal info?