How are you all dealing with HSTS?

  • 1.  How are you all dealing with HSTS?

    Posted Jun 01, 2015 01:43 PM

    http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

    http://www.chromium.org/hsts

    Now that browsers are enforcing this for HSTS-enabled websites, and this directly affects captive portal redirection, I am curious to find out how you are dealing with it.



  • 2.  RE: How are you all dealing with HSTS?

    Posted Jun 05, 2015 08:57 AM
    No one uses captive portals?? :)


  • 3.  RE: How are you all dealing with HSTS?

    Posted Jun 21, 2015 06:33 AM

    As mentioned in another thread, I don't see how HSTS comes into play here. Redirecting HTTPS has always been problematic, I believe; HSTS just makes it harder.

    [EDIT] Oh, I do see a scenario now: you go to your favorite website which used to be HTTP-based but is now HTTPS with HSTS, is that it?



  • 4.  RE: How are you all dealing with HSTS?

    Posted Sep 10, 2015 09:08 AM

    We first encountered this while testing, prior to rolling out our captive portal... Once a guest had connected to the SSID and opened up a browser, if the browser happened to be requesting an HTTPS site which was using HSTS, the captive portal would not appear. We were actually seeing cert errors where the client was trying to validate the site against our domain server cert. Try an HTTP site, and boom... captive portal appeared.

    Force of habit, we always try google.com when launching a browser, and couldn't understand why we were not getting the portal; the same also for yahoo.com. We thought the problem was with the controller not hijacking HTTPS sites properly, then we learned of the HSTS issue.

    I've tried to add these known sites to the captive portal whitelist, but this hasn't helped, although I'm not seeing any traffic attempting to leave our firewall. I am thinking this may be down to the way the pre-auth role is working, so I need to do further testing. I don't even know if this will fix it... but worth a go, as until this issue is resolved by Aruba, I'm not sure we can roll this out...



  • 5.  RE: How are you all dealing with HSTS?

    Posted Sep 10, 2015 09:18 AM
    This is not an Aruba issue; unfortunately, this is the way it is. We are also struggling with this, and you cannot hijack the HTTPS request and deliver a captive portal. You can, but that would be illegal, I believe.

    What needs to happen here is that you need to let the devices behave the way they should: with Apple, the CNA will appear; with Android, there will be a popup that appears in the drawer at the top; for Windows laptops, you will see a bubble appear in the lower right-hand corner. With Chrome, if you navigate to an HTTPS-enabled website and it detects a captive portal, a new tab is opened which redirects the user to something like gstatic.com, which uses port 80 to trigger the captive portal.

    These mechanisms are available to users, so they must be taught and educated to use them and not dismiss them.

    If you add sites to a whitelist you are simply masking the problem.

    Each browser behaves differently and either uses the HSTS list or does not, but the HTTPS redirect is the same for all: you will get a certificate error.
    For example, IE 11 on Windows 7 does not implement the HSTS list, therefore if you navigate to www.facebook.com, you will get a certificate error and you will be allowed to proceed. With Chrome, you will not.
    Windows 10 changes that for IE.

    I hope this helps in your understanding.
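
The behaviour described in the post above, as an added example that is not part of the original thread: a small Python model of a browser's HSTS handling on a guest network whose controller hijacks every unauthenticated flow. The hostnames (portal.guest.example, neverssl.example, bank.example, learned.example, connectivitycheck.example), the PRELOAD set and the one-year Strict-Transport-Security header are constructed for the simulation; the real preload list is the one at chromium.org/hsts, and the probe stands in for the plain-HTTP generate_204 check that Chrome and the OS connectivity helpers make. The model ignores includeSubDomains and reduces certificate validation to a hostname match, which is enough to show the three cases the post describes: plain HTTP is redirected to the portal, HTTPS to a non-HSTS host gives a certificate error the user can click through, and HTTPS (or HTTP that HSTS upgrades) to an HSTS host fails with no way to proceed.

```python
# Added example (not from the thread): toy model of a browser's HSTS behaviour
# on a guest network whose captive portal hijacks every unauthenticated flow.
# All hostnames and the PRELOAD set below are constructed for the simulation.
import re
import time
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Constructed stand-in for the browser-shipped preload list (see chromium.org/hsts).
PRELOAD = {"www.google.com", "www.facebook.com"}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""
    cert_host: Optional[str] = None  # host the presented certificate is valid for


def origin_server(scheme: str, host: str, path: str) -> Response:
    """The real site, reachable only once the guest has authenticated."""
    headers = {}
    cert = host if scheme == "https" else None
    if scheme == "https":
        # Constructed: every HTTPS origin in this model sends a one-year HSTS header.
        headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
    if path == "/generate_204":
        return Response(204, headers, cert_host=cert)
    return Response(200, headers, body="hello", cert_host=cert)


class GuestNetwork:
    """Unauthenticated guest SSID: HTTP is answered with a redirect to the portal;
    HTTPS is terminated with the portal's own certificate, which never matches."""

    def __init__(self, portal_host: str = "portal.guest.example"):
        self.portal_host = portal_host
        self.authenticated = False

    def fetch(self, scheme: str, host: str, path: str) -> Response:
        if self.authenticated:
            return origin_server(scheme, host, path)
        location = {"Location": f"https://{self.portal_host}/login"}
        cert = self.portal_host if scheme == "https" else None
        return Response(302, location, cert_host=cert)


class Browser:
    def __init__(self, network: GuestNetwork, preload=frozenset(PRELOAD)):
        self.network = network
        # host -> HSTS expiry in epoch seconds; preloaded entries never expire.
        self.hsts = {h: float("inf") for h in preload}

    @staticmethod
    def parse_max_age(value: str) -> Optional[int]:
        m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
        return int(m.group(1)) if m else None

    def is_hsts(self, host: str) -> bool:
        return self.hsts.get(host, 0) > time.time()

    def navigate(self, url: str) -> str:
        parts = urlsplit(url)
        scheme, host, path = parts.scheme, parts.hostname, parts.path or "/"
        if scheme == "http" and self.is_hsts(host):
            scheme = "https"  # HSTS: the plain request is never sent, so no 302 to the portal
        resp = self.network.fetch(scheme, host, path)
        if scheme == "https" and resp.cert_host != host:
            # Certificate error. With HSTS the browser offers no "proceed anyway" button.
            return "HSTS_HARD_FAIL" if self.is_hsts(host) else "CERT_WARNING_CLICKTHROUGH"
        sts = resp.headers.get("Strict-Transport-Security")
        if scheme == "https" and sts and (age := self.parse_max_age(sts)) is not None:
            self.hsts[host] = time.time() + age  # only honoured over valid TLS; max-age=0 drops the entry
        if resp.status in (301, 302):
            return f"REDIRECT {resp.headers['Location']}"
        return f"OK {resp.status}"

    def captive_portal_detected(self) -> bool:
        """Plain-HTTP probe like the OS helpers and Chrome use: anything other than
        an empty 204 means something is sitting in the path."""
        resp = self.network.fetch("http", "connectivitycheck.example", "/generate_204")
        return not (resp.status == 204 and resp.body == "")


if __name__ == "__main__":
    net = GuestNetwork()
    chrome = Browser(net)
    print(chrome.navigate("http://neverssl.example/"))      # redirect: portal page appears
    print(chrome.navigate("https://bank.example/"))          # cert error, user may proceed
    print(chrome.navigate("http://www.google.com/"))         # upgraded by HSTS, hard failure
    print(chrome.captive_portal_detected())                  # True: the probe is hijacked
    print(Browser(net, preload=set()).navigate("https://www.facebook.com/"))  # no preload list
```

A browser with no preload list (the IE 11 on Windows 7 case in the post) is modelled by passing preload=set(), and it gets the bypassable certificate warning even for www.facebook.com. The dynamic path covers the scenario from the earlier reply: once a host has been visited over valid TLS on an authenticated session and has sent the header, a later plain-HTTP visit on a fresh unauthenticated session is upgraded and hard-fails in the same way as a preloaded host, so whitelisting the portal side changes nothing about it.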


  • 6.  RE: How are you all dealing with HSTS?

    Posted Sep 11, 2015 04:56 AM

    Thanks for the clarification...

    I had been told by Aruba TAC that they would be working on a way to make HSTS sites work with CP, but perhaps the person I was dealing with didn't fully understand the complexities of the issue, and as you say, it can't be managed by Aruba, so other mechanisms must be implemented. I had been advised to whitelist them as a workaround. TAC had been looking into this issue for us for several weeks and I had had many remote sessions, and it was only when I referred back to a post on these forums about HSTS that they then confirmed this problem. Could have saved several weeks of to-ing and fro-ing if this had been mentioned first!

    "What needs to happen here is that you need to let the devices behave the way they should, therefore with Apple, the CNA will appear, with Android there will be a popup that appears in the drawer at the top, for Windows laptops, you will see a bubble appear in the lower right hand corner. With Chrome, if you navigate to an https enabled website and it detects a captive portal, a new tab is opened which redirects the user to something like gstatic.com which uses port 80 to trigger the captive portal."

    Yes, any of these would be great, but none of this happens for us, so I need to look into why. Makes sense now why Windows devices were working!

    Time for more testing!

    With a home page set to www.google.com (HSTS):

    On iOS, when joining the Guest network the CNA doesn't appear; Safari just moans about no connection to the secure server, and Chrome does the same and complains about the connection not being private. In either case you can't carry on.

    Android does the same as iOS, with no option to accept the error and continue.

    Whilst the Windows devices work, depending of course on what OS/IE you have, the majority of users will be using iOS or Android... so at the moment, this is a big stumbling block for us.

    Whilst this does only affect devices that try to connect to an HSTS website upon connecting to the portal, which, unless your homepage is set to google.com or another HSTS site, could be a small number of users, it could be difficult to publicise information on what to do. We were simply hoping that people would either discover the Guest network, or staff could tell them if asked, without too much assistance.

    Cheers




  • 7.  RE: How are you all dealing with HSTS?

    Posted Oct 13, 2015 06:14 AM

    Seems somewhat odd that this issue doesn't affect onboarding... I can connect to the SSID and if I try to browse to google/yahoo (as previously tried on the Guest CP, which failed due to HSTS), the Onboarding portal kicks in... So why does this bit work, yet the Guest CP doesn't?



  • 8.  RE: How are you all dealing with HSTS?

    Posted Oct 25, 2015 07:10 AM

    That is quite odd. Your onboard page does start on https?

    You are sure there isn't some caching happening or such?

    The only way to be sure is to do some packet captures or save the HTTP information to check what happens.



  • 9.  RE: How are you all dealing with HSTS?

    Posted Mar 16, 2022 05:55 PM
    It should work if you use Role Based Access Control and explicitly assign a pre-auth role. In this pre-auth role, you allow the domains you need, e.g. facebook.com.

    Do not use an allow-all rule. It seems that the IAP has an implicit security rule that does not work with allow-all in a pre-auth role.

    ------------------------------
    MAURICIO LOPES
    ------------------------------