Vulnerability – Web Server Uses Plain-Text Form-Based Authentication on VIP Enterprise Gateway (Windows)

Article ID: 406310

Products

VIP Service

Issue/Introduction

A customer has reported a finding from a vulnerability assessment (VA) scan against their Symantec VIP Enterprise Gateway (EG) server on Windows. The scan flagged the web server on the VIP EG as using plain-text form-based authentication, meaning a login form that could submit credentials over an unencrypted (HTTP) channel. The VA details indicate that credentials posted over such a channel could be read or modified on the network, which is the security concern behind the finding.

Environment

Product: Symantec VIP 
Component: Enterprise Gateway
Version: 9.11.1
Platform: Windows Server

Resolution

The following analysis addresses the reported issue. The finding is relevant only while a portal is reachable over plain HTTP; once the Self-Service Portal (SSP) and MyVIP are configured for HTTPS, the mechanism below is what prevents browsers from ever sending the login form over HTTP again.

Enforcing Secure Connections with HTTP Strict Transport Security (HSTS)

To ensure the highest level of security for our Identity Provider (IdP) portals, the Self-Service Portal (SSP) and MyVIP, we leverage the HTTP Strict Transport Security (HSTS) mechanism when they are configured to use HTTPS. This security feature is designed to protect against protocol downgrade attacks and cookie hijacking.

How It Works

1. The First Secure Connection: When a user's browser successfully connects to the SSP or MyVIP portal over HTTPS for the first time, the server sends back the Strict-Transport-Security response header. Browsers only accept this header over HTTPS; the same header received over plain HTTP is ignored.

2. The Browser Remembers: The browser receives this header and records a policy for that host. This policy instructs the browser to communicate exclusively over HTTPS for all future requests to that portal for the duration given by the header's max-age directive (and, if includeSubDomains is present, for its subdomains as well).

3. Future Requests Are Secured: For any subsequent visit while the policy is still valid, if the user attempts to connect via an insecure http:// link, the browser automatically rewrites the request to https:// before anything is sent over the network.

The Security Outcome

Once the policy is cached, the vulnerable, unencrypted HTTP request is never made. This removes the opportunity for an attacker on the network to perform an SSL stripping attack, in which the initial request is intercepted and the connection downgraded to plain HTTP so that the posted credentials can be captured. Two caveats apply: the very first visit to a portal (or the first visit after the max-age period has expired) is made before any policy exists, so it remains exposed unless the host is included in the browsers' HSTS preload lists; and HSTS only takes effect once the portal is actually served over HTTPS. To confirm the mitigation is active, load the portal over HTTPS and verify that the response includes a Strict-Transport-Security header with a non-zero max-age, for example in the browser's developer tools or with an HTTP client that prints response headers.
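The three steps above, and the first-visit gap described in the outcome, can be made concrete by modelling the per-host policy cache a browser keeps. The following Python is an added illustration written for this article; it is not part of VIP Enterprise Gateway or of any browser. The host names (ssp.example.com, myvip.ssp.example.com), the header value and the timestamps are constructed; the logic follows RFC 6797 (policy accepted only over HTTPS, max-age expiry, includeSubDomains, max-age=0 deletes the policy).

```python
"""Model of a browser's HSTS policy cache for the SSP/MyVIP discussion.

Added example, not product or browser code. Hosts, headers and
timestamps below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# max-age is the only mandatory directive; the value may be quoted.
HSTS_MAX_AGE = re.compile(r"max-age\s*=\s*\"?(\d+)\"?", re.IGNORECASE)


def parse_hsts(header_value):
    """Return (max_age_seconds, include_subdomains) or None if malformed.

    A browser ignores a Strict-Transport-Security header without a
    valid max-age directive (RFC 6797 section 8.1).
    """
    match = HSTS_MAX_AGE.search(header_value)
    if not match:
        return None
    include_sub = any(part.strip().lower() == "includesubdomains"
                      for part in header_value.split(";"))
    return int(match.group(1)), include_sub


class HstsCache:
    """Minimal per-host policy store, as a browser keeps it."""

    def __init__(self):
        self.policies = {}  # host -> (expiry_time, include_subdomains)

    def observe_response(self, url, headers, now):
        """Step 1: record a policy, but only from an HTTPS response."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False  # header over plain HTTP is ignored
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return False
        parsed = parse_hsts(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self.policies.pop(parts.hostname, None)  # max-age=0 removes it
            return True
        self.policies[parts.hostname] = (now + max_age, include_sub)
        return True

    def _covered(self, host, now):
        """Step 2: is host (or a parent with includeSubDomains) in policy?"""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.policies.get(candidate)
            if policy is None:
                continue
            expiry, include_sub = policy
            if expiry <= now:
                continue  # expired policy no longer protects the host
            if i == 0 or include_sub:
                return True
        return False

    def rewrite_request(self, url, now):
        """Step 3: upgrade http:// to https:// before anything is sent."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self._covered(parts.hostname, now):
            return url  # no policy: request leaves the browser unchanged
        # RFC 6797 8.3: an explicit port 80 is dropped, other ports kept.
        netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """First visit (unprotected), cached visit, subdomain, and expiry."""
    cache = HstsCache()
    portal_http = "http://ssp.example.com/vipssp/"    # constructed host
    portal_https = "https://ssp.example.com/vipssp/"
    # Nothing cached yet: the very first http:// request goes out in clear.
    first = cache.rewrite_request(portal_http, now=0)
    # The HTTPS response carries the header (constructed response).
    cache.observe_response(
        portal_https,
        {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
        now=0)
    later = cache.rewrite_request(portal_http, now=3600)
    subdomain = cache.rewrite_request("http://myvip.ssp.example.com/", now=3600)
    expired = cache.rewrite_request(portal_http, now=31536001)
    return {"first": first, "later": later,
            "subdomain": subdomain, "expired": expired}


if __name__ == "__main__":
    for label, url in demo().items():
        print(f"{label:10s} -> {url}")
```

Running the module shows the point the outcome section makes: the first request is still plain http://, every later request within max-age is rewritten to https:// before it touches the network (including the subdomain, because of includeSubDomains), and once max-age has elapsed the next http:// request is exposed again until a fresh HTTPS response renews the policy.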