bmoattachments.org doesn't set the strict-transport-security. STS was disabled on the attachment subdomains as a result of bug 607138; there's talk there about this being problematic for sites that host attachments on different domains (which we recently started doing), but it looks like a followup bug was never filed. i suspect we can't do this without includeSubDomains, and as a result generating at least one entry in the permissions db for each visited attachment, because users never visit bmoattachments.org directly. reed - i'm curious about your thoughts here.
Sorry for the delay. Busy week, so just catching up on other stuff. First of all, I've submitted a request to the Chromium folks to add bmoattachments.org to the HSTS preload list. Sending HSTS for every subdomain is likely to generate lots of entries for folks who open lots of attachments, to be fair, though I also think a bug should be filed to see if something in the spec could be done to improve that (rare but possible) situation. For now, let's work around it using a hack that Dropbox came up with.

1. Configure bmoattachments.org to send a valid HSTS header that includes includeSubDomains with a long max-age.
2. On all bmo pages, include an <img> similar to <img src="https://dropbox.com/hstsping" style="display:none;" /> that will cause the browser to load https://bmoattachments.org and see the HSTS header.

Besides that, we can also (optionally) send an HSTS header for *.bmoattachments.org with a low max-age (so entries expire quickly off the list) as an extra protection against short-term attacks (if the browser doesn't have bmoattachments.org HSTS preloaded and has never visited https://bmoattachments.org to see the HSTS header).
awesome; thanks again reed. i've filed bug 1238523 to get the infra side of bmoattachments.org working. we'll track adding the <img> to our footer here once that works, as well as the short-lived sts header.
Reed, that sounds like the perfect plan. Couldn't have crafted it better myself. :)
Thanks to everyone for all their hard work on this!
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Oh whoops, I just realized that we haven't yet set HSTS on the subdomains. My bad; reopening!
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
So I think we still need to implement:
1) the invisible image to pull from https://bmoattachments.org/ to set HSTS for browsers that don't have bmoattachments in the preload list
2) (optionally) set a short HSTS length on the subdomain
BTW, I did take a look and we're in the preload list, so that's great! https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json#5836
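The two-tier scheme Reed laid out earlier in the thread and restated in the comment above (a long-lived includeSubDomains policy on the apex, learned through the hidden <img> ping, plus short-lived policies on the per-attachment subdomains) is easy to reason about with a small model of a browser's HSTS host store. The block below is an added illustration written for this page; it is not BMO or Bugzilla code, and the attachment hostnames (bug1.bmoattachments.org and so on) and the max-age values are constructed examples, not the values deployed in production.

```python
"""Model of a browser's known-HSTS-host store (RFC 6797 section 8.1 semantics)
applied to the bmoattachments.org plan discussed in this bug.
Added illustration, not Bugzilla/BMO code; hostnames and max-age values are
constructed for the example."""
import re


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when the header is
    invalid (a browser ignores a policy with no numeric max-age directive).
    """
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not re.fullmatch(r"\d+", arg):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    """Minimal known-HSTS-host store: host -> (expiry_time, include_subdomains)."""

    def __init__(self, preload=()):
        # Preloaded hosts never expire and (for this model) cover subdomains.
        self.entries = {host: (float("inf"), True) for host in preload}

    def observe(self, host, header_value, now):
        """Record the policy carried by an HTTPS response from `host`."""
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 removes the entry
        else:
            self.entries[host] = (now + max_age, include_sub)
        return True

    def must_upgrade(self, host, now):
        """True if `host` itself, or a superdomain whose policy has
        includeSubDomains, is a known (unexpired) HSTS host."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue  # stale entry: treated as absent
            if i == 0 or include_sub:
                return True
        return False


def demo_with_ping(now=0):
    """Apex policy from the <img> ping plus a short-lived subdomain policy."""
    cache = HstsCache()
    # The hidden <img src="https://bmoattachments.org/..."> fetch delivers the
    # long-lived, includeSubDomains policy for the apex exactly once.
    cache.observe("bmoattachments.org", "max-age=31536000; includeSubDomains", now)
    # Opening one attachment delivers a short-lived policy for its subdomain.
    cache.observe("bug1.bmoattachments.org", "max-age=300", now)
    return {
        "apex": cache.must_upgrade("bmoattachments.org", now),
        "visited_sub": cache.must_upgrade("bug1.bmoattachments.org", now),
        "unvisited_sub": cache.must_upgrade("bug2.bmoattachments.org", now),
        # After the short entry expires, the apex policy still covers the host.
        "visited_sub_after_expiry": cache.must_upgrade("bug1.bmoattachments.org", now + 600),
        "unrelated": cache.must_upgrade("example.org", now),
        "entries": len(cache.entries),
    }


def demo_without_ping(now=0, attachments=3):
    """The concern from the first comment: without the apex ping, every visited
    subdomain adds its own entry and unvisited subdomains stay uncovered."""
    cache = HstsCache()
    for n in range(attachments):
        cache.observe(f"bug{n}.bmoattachments.org",
                      "max-age=31536000; includeSubDomains", now)
    return len(cache.entries), cache.must_upgrade("bug99.bmoattachments.org", now)


if __name__ == "__main__":
    print(demo_with_ping())
    print(demo_without_ping())
```

The two demo functions capture the trade-off the thread is about: with the apex ping the store holds one durable entry that protects every attachment subdomain, including ones the user has never opened, while the per-subdomain entries stay short-lived and fall out of the store on their own; without the ping each attachment host leaves its own long-lived entry behind and a not-yet-visited host is still unprotected on first contact.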
Being in chrome's list is no guarantee: we run our own checks and reject a bunch (see the .errors file). In this case, however, we do seem to have it in Firefox: https://dxr.mozilla.org/mozilla-central/rev/af7c0cb0798f5425d5d344cbaf0ac0ecb1a72a86/security/manager/ssl/nsSTSPreloadList.inc#815