Changes to Azure Certificates and HPKP

An email landed in my inbox this morning from Microsoft Azure regarding HTTP Public Key Pinning, a subject I have posted about at some length recently. If you don’t know what HPKP is or how it is used, refer back to some of my previous posts on the subject.

A normal HPKP deployment has you configure your website to pin the public key of your own certificate. It would be entirely possible to pin the Microsoft Azure Websites certificates on your site instead, though I would advise against it because you have no ownership or control over those certificates. The email from Microsoft this morning was an advisory that Microsoft is changing the certificate it uses.

If you are using HPKP and think there is a chance you may have pinned the Microsoft certificates, I would strongly advise you to read the Microsoft Knowledge Base article at https://blogs.technet.microsoft.com/kv/2017/04/20/azure-tls-certificates-changes/?WT.mc_id=azurebg_email_Trans_33716_1407_SSL_Intermediate_Cert_Change for more information.

If you are unsure whether you are using HPKP, or unsure of which public keys you have pinned, I would suggest you use the Qualys SSL Labs test site, which reports whether HPKP is enabled and which pins are in use.
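To work out for yourself which keys a Public-Key-Pins header actually commits visitors to, here is an added example (my own, not code from the original post) that computes the HPKP pin for a DER-encoded SubjectPublicKeyInfo and checks it against a header. The SPKI bytes and the header are constructed stand-ins, not real keys.

```python
import base64
import hashlib
import re


def pin_sha256(spki_der: bytes) -> str:
    """HPKP pin = base64(SHA-256(DER-encoded SubjectPublicKeyInfo)).

    The DER SPKI of a certificate can be extracted with OpenSSL, e.g.
      openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER
    """
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(value: str) -> dict:
    """Split a Public-Key-Pins header into its pin list and other directives."""
    pins = re.findall(r'pin-sha256="([^"]+)"', value)
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part or part.lower().startswith("pin-sha256"):
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip() or True
    return {"pins": pins, "directives": directives}


def audit_pins(header_value: str, spki_ders: dict) -> dict:
    """Report which of the supplied keys (name -> DER SPKI) the header pins,
    and whether it carries the backup pin HPKP requires (at least two pins)."""
    parsed = parse_pkp_header(header_value)
    pinned = {name: pin_sha256(der) in parsed["pins"]
              for name, der in spki_ders.items()}
    return {
        "pin_count": len(parsed["pins"]),
        "has_backup_pin": len(parsed["pins"]) >= 2,
        "max_age": int(parsed["directives"].get("max-age", 0)),
        "pinned": pinned,
    }


if __name__ == "__main__":
    # Constructed stand-ins for real SPKI bytes (assumption, not real keys).
    my_key = b"constructed SPKI bytes for my own leaf key"
    provider_key = b"constructed SPKI bytes for a hosting provider intermediate"
    header = (f'pin-sha256="{pin_sha256(my_key)}"; '
              f'pin-sha256="{pin_sha256(provider_key)}"; '
              "max-age=5184000; includeSubDomains")
    report = audit_pins(header, {"my_key": my_key, "provider_key": provider_key})
    print(report)
    if report["pinned"]["provider_key"]:
        print("Warning: a key you do not control is pinned; if the provider "
              "rotates that certificate, returning visitors will be locked out")
```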

Add Brotli Support to an Azure Web App

Deflate and GZip compression have been with us on the web for many years. They do a decent job, but as time moves on, so do compression algorithms. I have talked before about using services like TinyPNG to squeeze the spare bytes out of your images to reduce page load times, but that obviously applies only to images.

Brotli is a Google project for a newer, more modern compression algorithm for the web. According to Google's claims, using Brotli instead of GZip not only compresses content further, reducing page size, but also reduces the CPU used for decompression. With the ever-expanding use of mobile devices, both are great things to have.

If you are interested in reducing your page size to improve load times and reduce your site's outbound bandwidth, then read on to learn how. I will cover the requirements, fallback compatibility and how to get Brotli for Linux and Windows, as well as the main point: how to enable it for an Azure Web App.

MySQL and PostgreSQL Database as a Service in Azure

Today is the day that ClearDB users rejoice. Today is the day that a viable platform as a service offering for both MySQL and PostgreSQL exists in Microsoft Azure. Announced last night, Microsoft have now launched their own platform as a service offerings for the two database engines.

For years, ClearDB have offered a PaaS solution for MySQL. I had the misfortune of trying it out first hand recently on a web project and I can tell you that the performance was shocking. So bad was the performance that we actually deployed a Linux VM in Azure to run the MySQL service in IaaS and take the management hit on IaaS vs. PaaS. Even the support offered was terrible, blaming the performance on Azure itself when there were no issues with the Azure platform globally at the time.

The announcement puts these new services in preview. This means that the services and features aren’t going to be ready for your production workloads nor are all of the features going to be available right now. For example, I deployed an Azure Database for MySQL server last night to try it out and the Basic pricing tier is the only tier available right now. The ability to force all connections to secure and to define firewall rules for access is important and good to see there from day one.

All in all, it looks like a good first release. I have been using the In App MySQL database for Azure Web Apps to run the MySQL database on this site for some time now (since preview, in fact), and I have been debating whether to step back to IaaS for MySQL because In App MySQL limits my ability to use features like Azure Load Balancer or Azure Traffic Manager with multiple site instances. This is something I can definitely see myself using for real in the near term.

You can check out the documentation, pricing and scaling details for yourself at https://docs.microsoft.com/en-gb/azure/mysql/concepts-servers.

The Case of the Missing Azure Portal Detach Button

This is going to be a really quick post but one I thought may be worth sharing. Imagine that you are working in the Azure Portal and you are trying to update a Virtual Machine configuration to detach an existing data disk on the VM. You’ve done everything right following the steps at https://docs.microsoft.com/en-us/azure/virtual-machines/windows/detach-disk by stopping the VM and waiting for it to fully stop.

For normal users, this wouldn’t be an issue however if you are like me and you care for your eyes and have switched to the dark theme in the Azure Portal, you are in for a problem. When you select Edit on the disk configuration of the VM, you notice that the Detach button that the Microsoft article refers to is missing as shown below.

The Detach button should be visible just to the right of the Host Caching drop-down menu but as you can see, it is not.

It turns out, this is a bug in the Azure Portal when using the dark theme and I have reported this already. If you switch to one of the other theme colours, the button magically appears.

The problem is that the buttons are meant to change when you select the dark theme. If you look at the Save and Discard buttons at the top of the screenshot, you can see that in the dark theme these two buttons are white to contrast with the dark background, and when using the white theme they are black to contrast with the background. The Detach button, at the moment, doesn't appear to be properly changing between white and black to cater for the background colour in use.

HSTS Preloading with Azure Web Apps

In previous posts, I've talked about implementing web security features such as HTTPS, CSP, HPKP and HSTS. Almost all of these are things we can configure ourselves within our web application's responses to client requests; however, one of them, HSTS, requires a little more work to fully implement.

HSTS is a technology of two halves. HTTP Strict Transport Security (HSTS) is a feature which allows a website to instruct the client that it should never be downgraded to HTTP and should only ever request and receive data from the site over HTTPS. We can easily implement this, in the case of Windows and IIS, using a web.config file outbound rewrite rule which I covered in the previous post, Working Hard on Web Security.

The trouble is, this is only half the battle. If a client repeatedly visits your site, their browser will know as a result of previous visits to always use HTTPS due to having previously seen the HSTS header but what about new visitors? What happens if your site is victim of a downgrade attack between you implementing HTTPS and HSTS and the first time a user visits? Their browser doesn’t know it should be using HSTS already so we have a problem.
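As an added illustration (my own, not code from the original post) of what a header needs before the browser preload list can close that first-visit gap, the following check parses a Strict-Transport-Security header against the preload submission requirements. The one-year max-age threshold is an assumption based on the hstspreload.org rules and should be confirmed there before submitting.

```python
# Assumed preload requirements (an assumption, not from the post): a max-age
# of at least one year, includeSubDomains and the preload token, all served
# on the HTTPS response. Confirm the current rules at hstspreload.org.
PRELOAD_MIN_MAX_AGE = 31536000  # one year, in seconds


def parse_hsts(value: str) -> dict:
    """Parse 'max-age=...; includeSubDomains; preload' into a dict.
    Value-less directives map to True; names are lower-cased."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or True
    return directives


def preload_problems(header_value: str, served_over_https: bool = True) -> list:
    """Return the reasons the header would be rejected for preloading.
    An empty list means the header looks eligible for submission."""
    problems = []
    if not served_over_https:
        # Browsers ignore HSTS on plain HTTP, so it must arrive over HTTPS.
        problems.append("header must be sent on the HTTPS response")
    d = parse_hsts(header_value)
    max_age = d.get("max-age")
    if max_age is None or max_age is True or not str(max_age).isdigit():
        problems.append("max-age directive missing or not a number")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} is below {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    # Constructed sample headers: one too weak to preload, one ready.
    samples = {
        "weak": "max-age=300",
        "strong": "max-age=31536000; includeSubDomains; preload",
    }
    for label, hdr in samples.items():
        print(label, preload_problems(hdr) or "eligible for preload submission")
```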

Restricting Azure Resource Deployment by Region

This week, I've been studying some topics ahead of my 70-533 exam, and one of the topics I covered which I thought would make a really relevant and hopefully not too long a post is restricting Azure resource deployment to specific regions.

Many organisations have considerations around data privacy and sovereignty. For me and many folks in the UK, right now that means your data is probably living in an Azure region in Europe, either Dublin or Amsterdam. With the UK datacentres having been brought online fairly recently and the available features growing month by month, using those regions is becoming more appealing. The prospect of Brexit, and how your data sovereignty may be affected by that shake-up, could potentially make the UK datacentres even more appealing in the months and years to come.

With an out-of-the-box Azure subscription, we have the power to deploy resources to any region we like, be it the UK, US, South America or Asia, but with these privacy and data protection concerns, wouldn't it be great if you could limit this so that even the most well-trained administrators and users cannot accidentally place your data on the wrong side of a pond?

Read on below the fold and I'll explain how to create an Azure Resource Policy and how to apply it to your environments.

The GitHub Deploy to Azure Button

This is a really quick post but one I thought was worthy of getting down somewhere.

I’m starting to use GitHub more and more as a source for content and as I find myself wanting to produce the odd piece of content as well, I figured GitHub is where everyone else is sticking their Azure Resource Manager code so I should do the same.

For anyone that has looked on the official Azure team GitHub Repositories, you will have seen the blue Deploy to Azure button which is really nice as it directly takes you from GitHub over to Azure and links back to the GitHub Repository to start deploying the Resource Manager template without you having to download it and deploy it manually first.

The Azure team have a blog post over at https://azure.microsoft.com/en-gb/blog/deploy-to-azure-button-for-azure-websites-2/ which explains how you can use the Deploy to Azure button in your own repositories or even have it on your own website with a link back to a repository. It’s a nice touch, dead simple to implement by adding a line to the readme.md file and gives you that factory feel.

Enjoy.

Azure Winter Roundup 2016

With the weather starting to warm up and the sun out for longer, the worst of winter is behind us and we have spring to look forward to, so what better time to wrap up 2016 with a recap of some of the new features to drop.

What’s New in General Availability

The all important GA milestone means these services are ready for prime time so here’s what’s new in the world of Azure since Al’s last update.

Managed Disks

Since the dawn of infrastructure as a service in Microsoft Azure, Storage Account management has been one of the burdens that stayed with us into the cloud. Like managing LUN mapping and disk tier balancing on on-premises SAN arrays, we had to get the right number of Storage Accounts, with the right capacity and number of IOPS in each.

Managed Disks now allow us to offload that burden to Microsoft and mean we can provision IaaS VMs with the storage complexity of PaaS (read: none). When we provision a machine and select the option to use Managed Disks, the platform will create everything behind the scenes.

Managed Disks are available in Premium and Standard storage flavours, but the gotcha is that for Standard you pay for the fully provisioned disk size, not the thin-provisioned in-use size as you do with traditional Storage Accounts, so some customers may wish to continue using the conventional storage methods.

For the full story on Managed Disks, read on at https://azure.microsoft.com/en-us/blog/announcing-general-availability-of-managed-disks-and-larger-scale-sets/.

Azure Updates Arrive En Masse

It seems that the folks in the various Azure teams at Microsoft have been really busy since the Build conference earlier this year getting products to various states of ship and it appears that this month is the mountain when it comes to releases and announcements. I got my usual Microsoft Azure new features and pricing announcements email last night and the number of new features here and features entering GA this month is astonishing.

Azure AD Connect

First and foremost, we have Azure AD Connect entering general availability. This is the replacement for all existing versions of DirSync and the Azure AD Sync tools. Whilst the directory synchronisation feature in itself isn't anything special to talk about, for anyone still using DirSync this is certainly a lot nicer to interact with and operate. Additionally, a number of optional features are available (several still classed as preview) to make synchronising your users between on-premises and Azure Active Directory that bit richer. Sadly, there is still no Yammer integration with this version of Azure AD Connect, so you still need to run the Yammer Directory Sync tool.

Azure Key Vault

This is a new service for Azure as opposed to an update to an existing service. Key Vault provides FIPS 140-2 certified HSMs in the cloud. An HSM, or Hardware Security Module, is a device used to manage keys for encryption, and is commonly found in Certificate Authorities and SQL Servers. I've worked with a number of PKI and SQL projects and none of them have ever had technical requirements for HSMs to be in place. I suspect this has been added to Azure as a service at the request of one or more major companies sitting on the fence over public cloud right now because they need HSMs in order to meet some kind of regulatory or certification requirement.

Azure Application Gateway

This is another new service and one which is really quite amazing in both its simplicity and the features that it brings. Azure Application Gateway is essentially an application request routing engine, or reverse proxy, as an Azure service. It allows you to publish Azure-hosted, non-Azure publicly hosted or even on-premises applications to the world. It supports SSL offload to take the key-processing workload away from your servers, and it can be integrated with Azure Traffic Manager to provide geographic awareness for your applications.

Where I see this being especially useful is for companies currently hosting applications on-premises that are either publicly accessible or published to allow employees or partners access to a service. By publishing applications via Azure Application Gateway instead, companies can have their applications published without the need to break holes in their own firewalls for those incoming connections.

The pricing on Azure Application Gateway seems very reasonable to me also which is going to make it extremely popular I think.

Azure SQL Data Warehouse

While all the previous service offerings have reached general availability, this one is just a limited public preview; however, Azure SQL Data Warehouse was one of the brand new services announced earlier this year at Build, so it's great to see it moving along. I tend not to get involved so much with large SQL data warehousing work, being more of an infrastructure specialist than a data specialist. I can see, though, that if priced suitably this is going to be a major service of interest for businesses who want to leverage the cost benefits of the public cloud, because data warehousing can be extremely expensive to implement properly on-premises. Coupled with the fact that Azure SQL Data Warehouse is going to be tightly integrated with Power BI from Office 365 as well as Azure services like Machine Learning, this is going to make it very easy for customers to do more with their data.

Azure Web App SSL Cipher Suite Changes

Earlier this week, I got an email from the Azure Team announcing that, as part of security improvements to Azure App Service Web Apps (formerly known as Azure Websites), they will be making changes to the supported SSL cipher suites, with the changes taking effect as of July 18th 2015. Additionally, Microsoft have provided a test site that is running the new suite of ciphers at https://testsslclient.trafficmanager.net.

I decided to take the test site for a drive using the Qualys SSL Labs SSL Server Test. I've been using this site for a long time now as a means of testing SSL-enabled websites, as it allows you to verify the whole configuration in one place, including the certificate, protocols and cipher suites. I ran the test site through the SSL Server Test as well as this blog, which is running on a current-generation Azure Web App, to compare the results.

It's important to understand the difference between a Web App and a Cloud Service before we get much further into this. Some people will be looking at this post and thinking, why don't I just enable or disable the relevant protocols or ciphers within my application? Herein lies the difference between the Web App and a Cloud Service. The Web App, in web hosting terms, is a website running on a multi-instance web server. A Cloud Service is a dedicated instance that you are responsible for, which allows you more control but at the expense of additional complexity. With a Cloud Service, we can configure the ciphers and protocols as part of the service definition, which runs in the form of a start-up script. With a Web App, we don't have any of these levels of deep system-level access, so we have to accept what we are given.

richardjgreen.net SSL Test Result

Running the test on this site, richardjgreen.net, I get the same result I have achieved for some time: an overall score of Grade B. The grade in this instance is limited to B because the server is allowing weak RC4 ciphers as well as a Triple DES (3DES) cipher. Additionally, the current site does not support Forward Secrecy, sometimes seen as Perfect Forward Secrecy, or PFS for short. The final message stating that the site only works with browsers supporting Server Name Indication, or SNI for short, is not a security failure. This is due to the fact that I have opted to only support SSL for SNI browsers on my Azure Web App instance.

testsslclient SSL Test Result

Running the test again against the test site, we can see that the result has improved to an overall score of Grade A. This is achieved because support for the weak RC4 ciphers has been dropped along with the Triple DES (3DES) cipher. Additionally, the cipher suites have been re-ordered slightly and a new SHA384 3072 RSA key cipher has been added at the top of the cipher suite order, meaning that this cipher should be the most preferable to use.
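To make the reasons behind the two grades concrete, here is an added example (my own, not code from the original post or from Qualys) that scans a preference-ordered list of cipher suite names for RC4, 3DES and missing forward secrecy. The suite lists are constructed to resemble the two results, and the checks are a simplification of what SSL Labs looks at, not its grading algorithm.

```python
# Markers in IANA-style suite names that are commonly treated as weak.
WEAK_MARKERS = {
    "RC4": "RC4 stream cipher",
    "3DES": "Triple DES (3DES)",
    "_DES_": "single DES",
    "NULL": "no encryption",
    "EXPORT": "export-grade key length",
    "anon": "anonymous key exchange",
}


def suite_issues(name: str) -> list:
    """Return the problems with one cipher suite name (empty list if none)."""
    issues = [reason for marker, reason in WEAK_MARKERS.items() if marker in name]
    # Forward secrecy needs an ephemeral (EC)DHE key exchange; plain TLS_RSA_*
    # suites send the session secret encrypted under the long-term RSA key.
    if not any(kx in name for kx in ("ECDHE", "DHE")):
        issues.append("no forward secrecy")
    return issues


def assess(suites: list) -> dict:
    """Summarise a preference-ordered suite list (a simplified version of the
    checks behind the SSL Labs grade, not its real scoring)."""
    per_suite = {s: suite_issues(s) for s in suites}
    weak_reasons = set(WEAK_MARKERS.values())
    weak = [s for s, issues in per_suite.items() if weak_reasons & set(issues)]
    fs = [s for s, issues in per_suite.items() if "no forward secrecy" not in issues]
    return {
        "weak_suites": weak,
        "supports_forward_secrecy": bool(fs),
        # The first suite is what most clients will negotiate, so it matters most.
        "preferred_suite_has_fs": bool(suites) and suites[0] in fs,
        "per_suite": per_suite,
    }


if __name__ == "__main__":
    # Constructed lists resembling the 'before' (Grade B) and 'after' (Grade A)
    # results described above; not copied from the actual scans.
    before = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA",
              "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
    after = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
             "TLS_RSA_WITH_AES_128_CBC_SHA"]
    for label, suites in (("before", before), ("after", after)):
        r = assess(suites)
        print(f"{label}: weak={r['weak_suites']} "
              f"forward_secrecy={r['supports_forward_secrecy']}")
```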

Looking at some of the details for the test, it also appears that the Web App instances are now being built on Windows Server 2012 R2, although for how long this has been the case, I do not know. In the HTTP Server Signature of the SSL Server Test results, richardjgreen.net shows Microsoft-IIS/8.0 whereas the Microsoft test site shows Microsoft-IIS/8.5.

I look forward to re-running the SSL Server Test after the 18th of July and seeing whether the result for my own site is as good as the test site's.