Closed Bug 643922 Opened 14 years ago Closed 9 years ago

Provide mechanism for sites to register as HSTS-always

Categories

(Core :: Security, enhancement)

RESOLVED WONTFIX

People

(Reporter: briansmith, Unassigned)

Details

(Whiteboard: [parity-chrome])

We should provide a way for sites to register as being "always HSTS" and to enforce HSTS for the site even on the very first connection. If we extend HSTS to include a CA-lock mechanism (a la DANE) then this would also be a very effective prevention against certificate mis-issuance, until DNSSEC and DANE become well-enough supported to be really usable. Chrome has a hard-coded list for this (in its C++ source code) which currently includes PayPal and about a dozen other sites.

My thinking here is that we would provide a very easy way for sites to get onto this list. For example, we could have a web service on our website, which connects to the server to read its HSTS header, and then adds it to a list, which Firefox would periodically check (either during Safe Browsing checks and/or during Firefox update checking). We may require the site to have some explicit indication (in its HSTS header or elsewhere) of "HSTS always and forever."

To get *off* the list should require some secure authentication. One option would be to have a secret revocation keypair generated as part of the signup process described above. To keep the size of the list manageable, we might restrict it to EV sites only.

(Note to future commentators: This idea is in a very early stage and isn't something we're definitely going to do, and if we do it, it may work very differently from what I described above. I am just recording the idea at this point.)
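The two halves of the proposal above, the registration service reading a site's HSTS header and the browser consulting the resulting list before its first connection, can be sketched in a few dozen lines. The following is an added example, not Mozilla code and not the code of any preload service; the eligibility thresholds (a one-year max-age, includeSubDomains, and an explicit preload directive as the "HSTS always and forever" opt-in) are assumed from the hstspreload.org rules as generally known, not stated in this bug, and the preload list contents are constructed for the example.

```python
"""Toy model of an HSTS preload registration check and client-side lookup.

Added example, not Mozilla/Bugzilla code. Eligibility thresholds (one-year
max-age, includeSubDomains, preload) are an assumption based on the public
hstspreload.org rules; the bug itself does not specify them.
"""
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000  # seconds; assumed minimum max-age for preloading


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value (RFC 6797, section 6.1).

    Directives are ';'-separated, names are case-insensitive, values may be
    quoted, and a repeated directive makes the header invalid. Returns None
    when the header is malformed or lacks the mandatory max-age directive.
    """
    max_age = None
    include_subdomains = False
    preload = False
    seen = set()
    for raw in header.split(";"):
        part = raw.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            return None  # RFC 6797: a directive MUST NOT appear more than once
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # Unknown directives are ignored, as RFC 6797 requires.
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_eligibility(header: str) -> list:
    """Registration-service side: reasons a header is rejected; [] means eligible."""
    policy = parse_hsts(header)
    if policy is None:
        return ["header missing, malformed, or lacks max-age"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below {ONE_YEAR}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing (explicit opt-in)")
    return problems


# Constructed sample preload list: host -> whether it covers subdomains.
PRELOAD_LIST = {
    "example.com": True,
    "login.example.net": False,
}


def is_preloaded(host: str, preload_list=PRELOAD_LIST) -> bool:
    """Client side: decide before the very first connection whether HSTS applies.

    An exact entry always matches; an ancestor-domain entry matches only if it
    was registered with includeSubDomains. Walks every ancestor because a
    non-covering parent does not shadow a covering grandparent.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in preload_list and (i == 0 or preload_list[candidate]):
            return True
    return False


if __name__ == "__main__":
    print(preload_eligibility("max-age=31536000; includeSubDomains; preload"))
    print(is_preloaded("www.example.com"), is_preloaded("sso.login.example.net"))
```

The parser rejects duplicated directives rather than taking the first or last one, because a registration service that silently picked one would let an ambiguous header onto a list that the browser then enforces unconditionally; the lookup walks all ancestors so that a subdomain registered without includeSubDomains does not hide a covering entry higher up.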
This bug is older, but 760307 is where all the work has been done, so I'm marking this as the duplicate.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Bug 760307 is about the backend (the actual code implementing the HSTS preload list in platform), but this bug is about the front-end interface by which sites tell us that they belong on that list. We should find a better way for sites to register than "tell Google and wait for us to copy Google's list."
Status: RESOLVED → REOPENED
Depends on: preload-hsts
Resolution: DUPLICATE → ---
Now that https://hstspreload.appspot.com exists, do we still need to keep this open? Or is there still a chance of Mozilla running its own service?
Flags: needinfo?(dkeeler)
There's still a chance, but I don't think there's much use to keeping this bug around if we have no concrete plans to do so.
Status: REOPENED → RESOLVED
Closed: 12 years ago → 9 years ago
Flags: needinfo?(dkeeler)
Resolution: --- → WONTFIX