Bug 1351363 (hsts-preload-everything): [TRACKER] Add apex/root Mozilla domains to HSTS preload list
Status: Closed (RESOLVED INCOMPLETE)
Opened 8 years ago; closed 4 years ago
Categories: Security Assurance :: General, task
Tracking: Not tracked
People: Reporter: emorley, Assigned: April
References: Depends on 2 open bugs
Details
Sending HSTS headers for most Mozilla properties (bug 1246672) is a great first step, however:
1) This doesn't protect the user until they make their first successful HTTPS request to a site.
2) It can lead to gaps in coverage if new apps forget to add the header, and so means an ongoing effort to monitor/chase up site owners, since `includeSubDomains` isn't being used on the top-level domain.
Therefore it would be great if we could at some point in the future preload HSTS on all of the apex/root Mozilla domains (eg mozilla.org, mozilla.com, taskcluster.net, mozilla-releng.net, ...), which will protect all subdomains too.
Note: Apart from rare exceptions (see below) only apex/root domains are allowed to request preloading, so unfortunately we can't just partially enable preloading to fix #1 on its own.
Steps for each domain:
1) Assess what subdomains don't already support HTTPS and either:
(a) Add HTTPS support, enable HTTP to HTTPS redirect and set HSTS header
(b) Move them to another domain specifically for insecure sites
2) Check that the top-level domain redirects HTTP to HTTPS on the same host (if listening on port 80).
3) Serve an HSTS header on the apex/root domain that:
- Has a max age of at least 18 weeks
- Includes the `includeSubDomains` directive
- Includes the `preload` directive
4) Submit the domain on https://hstspreload.org/
The following are already preloaded (see https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json):
* bmoattachments.org
* people-mozilla.org
* bugzilla.mozilla.org (added manually, see bug 1237178 comment 2)
* accounts.firefox.com (presumably added manually too)
I'll file dependent bugs for each remaining root domain, since some will be achievable sooner than others.
Bug 1306346 explains why non-SSL traffic must be permitted from modern HSTS-capable browsers to mozilla.org and mozilla.net endpoints in 2017.
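As an added example (not part of the bug report or of any Mozilla tooling), the following Python script checks the two things steps 2 and 3 above ask a domain owner to verify before submitting to hstspreload.org: that the apex's HTTP response is a redirect to https:// on the same host, and that the Strict-Transport-Security header carries a max-age of at least 18 weeks plus the includeSubDomains and preload directives. It works offline on constructed header and redirect values; the hostnames and header strings in it are made up for illustration, and the function names are this example's own.

```python
"""HSTS preload-readiness checks (added example, not from the bug or Mozilla).

parse_hsts()      - parses a Strict-Transport-Security value per RFC 6797
preload_problems() - lists why a header fails the preload criteria in the bug
redirect_ok()      - checks that an HTTP->HTTPS redirect stays on the same host
All inputs here are constructed samples; nothing is fetched from the network.
"""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# The bug requires a max-age of at least 18 weeks for preload submission:
# 18 * 7 * 24 * 3600 = 10886400 seconds.
MIN_PRELOAD_MAX_AGE = 18 * 7 * 24 * 3600


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


def parse_hsts(header_value: str) -> HstsPolicy:
    """Split an STS header value into directives.

    RFC 6797: directives are ';'-separated, names are case-insensitive, the
    max-age value may be quoted, unknown directives are ignored, and a
    directive appearing twice makes the whole header invalid.
    """
    policy = HstsPolicy()
    seen = set()
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue  # tolerate a trailing ';' or empty segment
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            policy.problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                policy.problems.append(f"max-age is not a non-negative integer: {value!r}")
            else:
                policy.max_age = int(value)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy


def preload_problems(header_value: str) -> List[str]:
    """Return every reason the header fails the bug's step-3 criteria.

    An empty list means the header is ready for preload submission.
    """
    policy = parse_hsts(header_value)
    problems = list(policy.problems)
    if policy.max_age is None:
        problems.append("missing max-age directive (header is invalid without it)")
    elif policy.max_age < MIN_PRELOAD_MAX_AGE:
        problems.append(
            f"max-age {policy.max_age} is below the 18-week minimum ({MIN_PRELOAD_MAX_AGE})"
        )
    if not policy.include_subdomains:
        problems.append("missing includeSubDomains directive")
    if not policy.preload:
        problems.append("missing preload directive")
    return problems


def redirect_ok(host: str, status: int, location: Optional[str]) -> bool:
    """Step 2: the plain-HTTP apex must answer 3xx with an https:// Location
    on the same host (a hop to www. or another host is not accepted)."""
    if location is None or not 300 <= status < 400:
        return False
    target = urlparse(location)
    return target.scheme == "https" and target.hostname == host.lower()


# Constructed sample header values; not captured from any real host.
SAMPLE_HEADERS = {
    "ready": "max-age=31536000; includeSubDomains; preload",
    "short_max_age": "max-age=86400; includeSubDomains; preload",
    "no_subdomains": "max-age=31536000; preload",
    "quoted_and_odd_case": 'Max-Age="63072000"; IncludeSubDomains; Preload;',
}

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        problems = preload_problems(header)
        print(f"{label:22} {'OK' if not problems else 'NOT READY'}")
        for p in problems:
            print(f"    - {p}")
    # Constructed redirect observations for a hypothetical apex domain.
    print("redirect same-host:", redirect_ok("example.org", 301, "https://example.org/"))
    print("redirect to www:   ", redirect_ok("example.org", 301, "https://www.example.org/"))
```

Running it prints one line per sample header with the failing criteria listed beneath; the quoted, mixed-case sample passes because directive names are case-insensitive and the max-age value may be quoted, which is the usual source of false alarms in hand-written checks.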
Comment 2•8 years ago
Assigning to April to get this out of security-alerts channel.
April, if this isn't something that you will be tracking, please feel free to assign it to the appropriate person who will.
Updated•8 years ago
Assignee: nobody → tweir
Status: NEW → ASSIGNED
Updated•8 years ago
Assignee: tweir → april
Comment 3•4 years ago
Unfortunately we don't have the resources currently to continue driving this effort in Security Assurance (previously Enterprise Information Security). I'll close this out, though the child tickets remain open with the teams seeking to get HSTS enabled on their services, and hopefully that will be completed through federated efforts across those various teams.
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → INCOMPLETE