Charles Engelke's Blog

November 28, 2011

HTTP Strict-Transport-Security

Filed under: Uncategorized — Charles Engelke @ 3:28 pm

I figured it would be easy to add HTTP Strict-Transport-Security to a web application, so I gave it a try. It was easy to add it. But not that easy to get it to work.

The purpose of Strict-Transport-Security is for a web site to tell browsers to only connect to the site via a secure connection, even if the user just enters a normal http:// URL. The site I was working on already redirected all http requests to a secure connection, so what’s the point of this here? In this case, just to avoid a potential (but for this site, unlikely) man-in-the-middle attack when the user first connects. That non-secure initial request, and the redirect that answers it, could be intercepted and the user sent to some other site that looks right but is an imposter. With Strict-Transport-Security, the browser never even makes the initial non-secure request, so there is nothing for an attacker to intercept.

Adding this to a web site is trivial: just return a special header with the secure web pages. For example, I returned:

Strict-Transport-Security: max-age=7776000

Once the browser sees this header from any secure page on your website, it is supposed to remember (for the next 7,776,000 seconds, or 90 days) to never try to connect to the site other than by a secure connection. It’s also supposed to prevent the user from overriding any SSL certificate warnings, so if somebody does spoof your website with a bad certificate it won’t even give the user a chance to override the warnings and connect to the site.

Only it didn’t do that. It didn’t do anything at all that I could tell. I had a self-signed certificate, and the browser let me override the warning. I had a certificate with a name not matching the URL, and the browser let me override the warning. I tried to connect via http instead of https, and the browser went ahead and did it. (By the way, by “browser” I mean Chrome, but Firefox and Opera behaved the same way.)

It turns out that the browser will only obey this header if it is sent from a secure web page (as clearly stated in the documentation) that has no certificate warnings or errors (something I didn’t realize). Once I set up my test site to appear to be at the production URL, the Strict-Transport-Security header started working as expected.

I wasn’t expecting it to work this way, but it turns out to be really useful behavior. Now I can deploy test and development sites with wrong certificates (self-signed, or for the production instead of test URL) and not have Strict-Transport-Security lock me out. It only activates the lock in the first place if you’ve already shown you can open it, by first connecting to the secure site with no certificate problems. Now I just have to be careful to check that it does work when put into production.
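As an added illustration (this is example code, not anything from the post), here is a small Python model of the browser-side behaviour described above: the header is recorded only when it arrives over an https connection whose certificate validated cleanly, a stored policy upgrades later http:// requests and removes the certificate-warning bypass, and the policy lapses after max-age seconds. The `HstsCache` class, the host names and the injectable clock are constructed for the example; handling of `includeSubDomains` and of `max-age=0` goes a little beyond the post and follows the HSTS specification (RFC 6797).

```python
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    expires_at: float          # absolute time (seconds) at which the policy lapses
    include_subdomains: bool


def parse_hsts_header(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None for a malformed value (missing or non-numeric max-age); a
    browser ignores such a header entirely.
    """
    max_age, include_subdomains = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None or max_age < 0:
        return None
    return max_age, include_subdomains


class HstsCache:
    """Toy in-memory model of a browser's HSTS host list (example code)."""

    def __init__(self, now=time.time):
        self._now = now         # injectable clock so expiry can be exercised
        self._policies = {}     # host -> HstsPolicy

    def observe_response(self, host, scheme, cert_ok, headers):
        """Record the policy carried by a response; True if it was accepted.

        The header counts only over https with a clean certificate. Over plain
        http, or behind a warning the user clicked through, it is dropped,
        which is exactly why the self-signed test site never armed the lock.
        """
        if scheme != "https" or not cert_ok:
            return False
        lowered = {k.lower(): v for k, v in headers.items()}
        parsed = parse_hsts_header(lowered.get("strict-transport-security", ""))
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:
            self._policies.pop(host, None)   # max-age=0 tells the browser to forget the host
        else:
            self._policies[host] = HstsPolicy(self._now() + max_age, include_subdomains)
        return True

    def is_known(self, host):
        """True if host, or a parent marked includeSubDomains, has an unexpired policy."""
        now = self._now()
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None or policy.expires_at <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite_url(self, url):
        """Upgrade http:// to https:// for known hosts; other URLs pass through."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def allow_certificate_override(self, host):
        """Known hosts fail hard: no click-through on certificate errors."""
        return not self.is_known(host)


def demo():
    """Replay the post's experiment with a constructed clock and responses."""
    clock = [0.0]
    cache = HstsCache(now=lambda: clock[0])
    header = {"Strict-Transport-Security": "max-age=7776000"}   # the 90-day header from the post
    results = []
    # 1. Self-signed certificate on the test site: header arrives but is ignored.
    results.append(cache.observe_response("www.example.com", "https", False, header))
    # 2. Same header delivered over plain http: also ignored.
    results.append(cache.observe_response("www.example.com", "http", True, header))
    # 3. Clean https connection (the production set-up): policy is stored and enforced.
    results.append(cache.observe_response("www.example.com", "https", True, header))
    results.append(cache.rewrite_url("http://www.example.com/login"))
    results.append(cache.allow_certificate_override("www.example.com"))
    # 4. Advance the clock past 7,776,000 seconds: the policy lapses.
    clock[0] = 7776000 + 1
    results.append(cache.is_known("www.example.com"))
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` walks through the three connection attempts from the post in order: the first two responses are rejected, the third is stored, and from then on an http:// URL is rewritten to https:// and the certificate-warning override is refused until the 90 days run out.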


November 17, 2011

Kindle Fire out of box experience #kindle

Filed under: Uncategorized — Charles Engelke @ 8:37 am

My new Kindle Fire was waiting for me when I got home last night. So far, I’m very impressed.

It was packaged in a custom cardboard shipping box, opened by peeling off a well-marked strip. Once opened, there were only three things in the box: the Kindle Fire itself, a micro-USB power supply, and a small card welcoming the user and telling how to turn it on. The Kindle Fire was in a plastic wrapper that was a bit hard to slide off, though I could have just torn it off if I’d been in a hurry.

I guess I hit the power button while I was removing the plastic wrapper, because once I got the Fire out it was already turned on. I had to drag a ribbon (from right to left for a change) to get the first welcome screen to show.

What a contrast to when I turned on an iPad for the first time! The iPad just showed me an icon ordering me to connect it to a PC (which also required downloading and installing iTunes). With the Kindle Fire, I was just taken through a short dialog. I was first prompted to connect to a Wi-Fi network. The unit showed me available ones, I picked mine, and entered the password when prompted. Then I went to a registration screen, which in my case didn’t require any effort at all because Amazon had already set it up. It then started downloading a software update and suggested I plug it in to get a full charge. I don’t know why a brand new unit should need a software update, but this was only a minor annoyance.

It was already about 90% charged, but I plugged it in anyway and waited the couple of minutes the download required, and then got back to the unit. And that was it, the Kindle Fire was ready to use, and registered with Amazon. All my books and music were available immediately (when I clicked the Cloud button instead of the Device button), as well as several apps.

I opened my current book and it took only a few seconds to download it to the device and open it to the current page I was reading. Amazon Prime video played back perfectly, as did my music I already had in Amazon’s cloud. I installed Netflix and entered my credentials, and it played back great as well.

Oh, I also installed the Barnes and Noble Nook application. That wasn’t in Amazon’s app store (go figure) but was easy to get using GetJar. It works great, too. Though I’m unlikely to actually buy any non-free books with it, because why would I? Thanks to the apparent collusion between Apple and the major book publishers, most book prices are fixed and cost the same regardless of seller. I like Amazon’s ecosystem, so there’s no reason to deal with anybody else.

How do I like the Kindle Fire as a tablet? It’s too early to tell much, but the smaller form factor is definitely better for me than the iPad or Galaxy Tab 10.1. It’s easy to hold it in one hand while using it, and the display is plenty large enough to use well. I think this form factor is going to become much more common than the larger ones.
