social login in combination with social websites

  • Question
  • Updated 3 years ago
  • Answered
We want to use social login at our customers' sites. Today I discovered that the CWP is not shown when initially surfing to www.facebook.com, www.google.com or www.twitter.com; this is probably caused by the wildcards that are used. I also want the CWP to appear when users browse to Google or Facebook, because they are the most common sites. Is there a way to get this done?
Thx!
Hans Matthé

Posted 3 years ago

Nick Lowe, Official Rep

There is absolutely nothing that you can do about this. These sites all use HTTPS by default, with either hardcoded special treatment in most Web browsers (as they are high-value sites) or an HSTS HTTP header that instructs the Web browser to only allow HTTPS even if HTTP is entered.

(Internet Explorer is the only major browser that does not yet have HSTS support, and it's coming in version 12.)

It would be a security flaw in a Web browser if you could redirect otherwise when an HTTPS URL is followed, so you can't.

The only way out of the woods is out-of-band CWP detection by an operating system that intrinsically avoids this problem.

This is only going to become a more prominent issue with http://googlewebmastercentral.blogspot.co.uk/2014/08/https-as-ranking-signal.html and https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure
Hans Matthé

Nick

Thanks for the feedback, I was not aware of the HTTPS story. I just don't grasp why it is not possible to get this done? When we use a CWP, we can configure HTTPS traffic, no?
Nick Lowe, Official Rep

Because when the Web browser requests https://www.example.com/, it would be a security flaw were it possible to transparently redirect it somewhere else, so no Web browser allows you to do this.

Instead, you will get a certificate error in the Web browser or it will be prohibited altogether where it's a pinned certificate (a hardcoded restriction for high value sites).

With HSTS or hardcoded special treatment, even where a user follows a URL to http://www.example.com/, the browser will instead request https://www.example.com/.
Hans Matthé

Ok, but when we use a default CWP on an Aerohive SSID with HTTPS enabled, the browser is redirected to the CWP, so I don't see why this cannot be done for the social login page. It is just a temporary redirection, and with the proper certificates used it shouldn't be a problem, no?
Nick Lowe, Official Rep

That is redirecting from an HTTP URL requested to the HTTPS address of the CWP, which is possible. It is entirely different from redirecting from an HTTPS address to the HTTPS address of the CWP, which is not possible. Think about it conceptually.

With special hardcoded behaviour for high-value sites in Firefox and Chrome, and with HSTS, it becomes impossible to make HTTP requests for these sites.

On the Microsoft front, support is coming for HSTS in IE 12 so time is ticking there too:

https://status.modern.ie/httpstricttransportsecurityhsts?term=hsts

May I suggest that you read and digest:

http://blogs.msdn.com/b/ieinternals/archive/2014/08/18/hsts-strict-transport-security-attacks-mitiga...
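
The browser behaviour Nick describes in his two replies above (HSTS and hardcoded special treatment turning an http:// navigation into an https:// request before anything leaves the machine, so that a captive web portal only ever sees redirectable plaintext for hosts that have neither) can be modelled in a few dozen lines. The Python below is an added example written for this page, not Aerohive code or anything posted in the thread. The preload set, the portal URL and the example hostnames are constructed; the header handling follows RFC 6797 (max-age is mandatory, includeSubDomains covers child labels, max-age=0 revokes, and a Strict-Transport-Security header received over plaintext is ignored).

```python
"""Model of why a captive web portal (CWP) can redirect http:// but not https://
navigations: HSTS cache and preload list upgrade the request inside the browser."""
import time
from urllib.parse import urlsplit

# Constructed stand-in for the browser's compiled-in preload list; the real list is
# far larger and also carries an includeSubDomains flag per entry.
PRELOADED = frozenset({"www.facebook.com", "www.google.com", "twitter.com"})


class HstsStore:
    """Cached Strict-Transport-Security policy, keyed by host (RFC 6797)."""

    def __init__(self, preload=frozenset(), now=time.time):
        self._now = now                 # injectable clock so expiry is testable offline
        self._preload = set(preload)
        self._entries = {}              # host -> (expires_at, include_subdomains)

    def observe(self, host, header, over_https=True):
        """Apply an STS header. Returns True if it was well-formed and applied."""
        if not over_https:
            return False                # RFC 6797 s8.1: STS over plaintext HTTP is ignored
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name, value = name.strip().lower(), value.strip().strip('"')
            if name == "max-age":
                if not value.isdigit():
                    return False        # malformed max-age invalidates the whole header
                max_age = int(value)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False                # max-age is mandatory
        host = host.lower()
        if max_age == 0:
            self._entries.pop(host, None)   # max-age=0 is how a site revokes HSTS
            return True
        self._entries[host] = (self._now() + max_age, include_sub)
        return True

    def is_known_host(self, host):
        """True if the browser will refuse to speak plaintext HTTP to this host."""
        host = host.lower()
        if host in self._preload:
            return True
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if expires_at <= self._now():
                continue                # expired entry no longer upgrades anything
            if i == 0 or include_sub:   # exact host, or a parent with includeSubDomains
                return True
        return False


def navigate(store, url):
    """URL the browser actually requests when the user enters or follows `url`."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname and store.is_known_host(parts.hostname):
        return parts._replace(scheme="https").geturl()   # upgraded internally, no network
    return url


def captive_portal_outcome(store, url, portal="https://cwp.example.net/login"):
    """What a gateway that intercepts port 80 but holds no certificate for the
    destination can do with the request the browser emits for `url`."""
    effective = navigate(store, url)
    if effective.startswith("http://"):
        return ("redirect", portal)             # plaintext request: a 302 to the portal works
    return ("certificate-error", effective)     # TLS to the real host: interception breaks the handshake


if __name__ == "__main__":
    store = HstsStore(PRELOADED)
    store.observe("www.example.com", "max-age=31536000; includeSubDomains")
    for url in ("http://www.facebook.com/", "http://login.www.example.com/",
                "http://news.example.org/", "https://www.google.com/"):
        print(url, "->", captive_portal_outcome(store, url))
```

The point of the model is the asymmetry: the portal's position on the path is irrelevant for any host in `is_known_host`, because the plaintext request it would have answered is never sent. Note that a gateway that did terminate TLS with its own certificate would get the "certificate-error" branch in the user's browser, which is exactly the failure mode the thread describes.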
Gary Ossewaarde

Has there been any update on this? I'm looking to implement social login but having users able to browse Twitter/Facebook/Google without accepting AUP/signing in first is a nonstarter.
Nick Lowe, Official Rep

It would be fantastic to have this be configurable on a per-domain basis. This should be abstractly possible even with HTTPS because of the SNI extension that would allow bypass instead of block to occur.
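
Nick's closing suggestion, a per-domain bypass keyed on the TLS SNI extension, is sketched below as an added example; it is not Aerohive code or anything from the thread. A gateway in the path of a pre-authentication TLS flow still cannot redirect it, but the server_name in the ClientHello is sent in clear, so the gateway can read it and pass the flow through for the social-login IdP while blocking everything else until the portal is accepted. The ClientHello builder exists only to produce test input; the allowlist entries are hypothetical.

```python
"""Read the cleartext SNI from a TLS ClientHello and decide bypass/block for a CWP
gateway that lets unauthenticated clients reach only allowlisted identity providers."""
import struct

TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


class _Reader:
    """Bounds-checked cursor: raises instead of silently slicing past the end."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def u8(self):
        return self.take(1)[0]
    def u16(self):
        return struct.unpack("!H", self.take(2))[0]
    def u24(self):
        return int.from_bytes(self.take(3), "big")
    def more(self):
        return self.pos < len(self.data)


def build_client_hello(server_name, client_random=b"\x11" * 32):
    """Constructed minimal TLS record carrying a ClientHello with one SNI entry (test input)."""
    name = server_name.encode("idna")
    sni_entry = struct.pack("!BH", 0, len(name)) + name          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (b"\x03\x03" + client_random                           # legacy_version, random
            + b"\x00"                                             # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"                  # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                         # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def parse_sni(record):
    """Return the lower-cased host_name from the SNI extension, or None if the
    ClientHello carries none. Raises ValueError for anything not a well-formed ClientHello."""
    r = _Reader(record)
    if r.u8() != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    r.u16()                                   # record-layer version (legacy, ignored)
    hs = _Reader(r.take(r.u16()))             # confine parsing to the record payload
    if hs.u8() != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    ch = _Reader(hs.take(hs.u24()))
    ch.u16(); ch.take(32)                     # client_version, random
    ch.take(ch.u8())                          # session_id
    ch.take(ch.u16())                         # cipher_suites
    ch.take(ch.u8())                          # compression_methods
    if not ch.more():
        return None                           # pre-extension ClientHello: nothing to read
    exts = _Reader(ch.take(ch.u16()))
    while exts.more():
        ext_type = exts.u16()
        ext_data = _Reader(exts.take(exts.u16()))
        if ext_type != EXT_SERVER_NAME:
            continue
        names = _Reader(ext_data.take(ext_data.u16()))
        while names.more():
            name_type = names.u8()
            name = names.take(names.u16())
            if name_type == 0:
                return name.decode("ascii").lower()
    return None


def tls_gateway_decision(record, bypass_domains, authenticated=False):
    """Policy for one TLS flow: 'allow' once the client has passed the portal, otherwise
    'bypass' for an SNI at or under an allowlisted domain and 'block' for everything
    else, including malformed records and ClientHellos with no readable SNI."""
    if authenticated:
        return "allow"
    try:
        sni = parse_sni(record)
    except ValueError:
        return "block"
    if sni is None:
        return "block"
    for domain in bypass_domains:
        domain = domain.lower().lstrip(".")
        if sni == domain or sni.endswith("." + domain):
            return "bypass"
    return "block"


if __name__ == "__main__":
    allow = ["facebook.com", "accounts.google.com"]     # hypothetical social-login allowlist
    for host in ("www.facebook.com", "accounts.google.com", "www.google.com"):
        print(host, "->", tls_gateway_decision(build_client_hello(host), allow))
```

Two caveats a practitioner would want before deploying something like this. The SNI is asserted by the client and not authenticated at the point the gateway reads it, so a client can put an allowlisted name in the ClientHello while connecting to an unrelated IP address; the bypass should therefore be tied to the destination addresses the allowlisted names actually resolve to, not to the name alone. And the value is only readable because it is sent in clear; a client using encrypted ClientHello would present no usable server_name, which is why the code treats "no SNI" as block rather than bypass.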