Closed Bug 1289421 Opened 8 years ago Closed 8 years ago

Prepare Treeherder's HSTS headers for future preloading of *.mozilla.org

Categories

(Tree Management :: Treeherder: Infrastructure, defect, P3)

defect

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1315818

People

(Reporter: emorley, Unassigned)

References

(Blocks 1 open bug)

Details

We should submit Treeherder to the preload list, so that the first connection made is protected, not just the 2nd onwards.

Requirements we've yet to meet:

1) Include the `includeSubDomains` directive in the HSTS header
-> We currently don't due to the development environment using "local.treeherder.mozilla.org" - we should change that (will file a dep bug, since a bit more involved).

2) Include the `preload` directive in the HSTS header
-> Django doesn't natively support setting this, but I've opened a PR to add support: https://github.com/django/django/pull/6974
-> Or we could add it manually ourselves/using an addon. (Will wait to see if we can get the PR merged/backported before deciding)

After that we can submit to: https://hstspreload.appspot.com/

This will also give us another 5 points on the HTTP Observatory tool: https://github.com/mozilla/http-observatory/blob/79947b2bca565eabdcfcf7d37ac7f1afae94be41/httpobs/scanner/grader/grade.py#L187-L190
Huh, so apparently only top domains are supposed to be able to request addition to the preload list, however bugzilla.mozilla.org is on there: (warning: loading this page hangs the browser for a bit)
https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json

Byron, do you know if this was just a special-case?
Flags: needinfo?(glob)
(In reply to Ed Morley [:emorley] from comment #1)
> Huh, so apparently only top domains are supposed to be able to request
> addition to the preload list, however bugzilla.mozilla.org is on there:
> (warning: loading this page hangs the browser for a bit)
> https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json
>
> Byron, do you know if this was just a special-case?

(Reed Loden [:reed] (use needinfo?) from bug 1237178 comment #2)
> It's on the preload list. I had it added myself back in 2013. :)

(April King [:April] from bug 1237178 comment #4)
> Looks like bmo was added manually to the list some time ago, before the
> preload thing even existed.

april may be able to get treeherder added to the list; redirecting needinfo to her.
Flags: needinfo?(glob) → needinfo?(april)
Err, thought I had responded to this. It's exceptionally hard to get subdomains submitted to the preload list; it basically requires me to use a lot of social capital and they only allow exceptions for very high risk sites, as bugzilla is. I would like to get *.mozilla.org preloaded at some point, but we still have hundreds (thousands?) of domains to go before we can do that. :(
Flags: needinfo?(april)
Ah right, makes sense. On our side we can still make sure the `subdomains` and `preload` directives are included in our existing HSTS header, to make it clearer that we're good to go, when a future effort to preload *.mozilla.org begins; morphing bug accordingly.
Summary: Submit Treeherder to the HSTS preload list → Prepare Treeherder for future HSTS preloading
Summary: Prepare Treeherder for future HSTS preloading → Prepare Treeherder's HSTS headers for future preloading of *.mozilla.org
I don't know the process, but I know we manually pin a number of Firefox specific services inside Firefox: https://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/StaticHPKPins.h And those do get counted by the HTTP Observatory. :)
I observed that the HSTS headers are being sent from Treeherder now, which is sufficient to indicate it as "prepared for future preloading" from a general standpoint. This bug might be ready to RESO FIXE unless y'all have further steps you wish to take here.
This bug isn't about having the HSTS header set, but preloading HSTS itself. (Treeherder has had HSTS enabled since March, via bug 1258700.)

However it's not possible to preload only subdomains (other than for special exceptions, see comment 3), so really this bug is about making sure Treeherder is at least ready for a future world (probably a fair way out) where the top level mozilla.org domain sets both the `includeSubdomains` and `preload` attributes.

Currently the readiness changes required are:

1) Change our local Vagrant development environment to not use a subdomain of the real treeherder domain (currently it uses `local.treeherder.mozilla.org` but doesn't use HTTPS due to the hassle of self-signed certs).

2) (Presumably optionally, since https://hstspreload.appspot.com/ doesn't list these as requirements for the subdomains, but only the parent) Set the `includeSubdomains` and `preload` attributes.

Even if #2 is unnecessary for the preloading of the top-level mozilla.org domain, we may do so anyway, since the HTTP observatory still penalises us for not having them iirc.
Ah, got it! Sounds good, then :)
Note that as far as #2 is concerned, the HTTP Observatory will not penalize a subdomain for not having HSTS set if the parent domain is preloaded. Of course, until that does happen -- probably several years from now at the earliest -- you'll want to set HSTS on the subdomains. You can set includeSubDomains if you want (it only applies to subdomains of that subdomain), but preload isn't necessary, since it is only applicable on the root domain.
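To make the readiness checks in the bug description concrete, here is a small checker (added here; not Treeherder's or Django's code) that parses a `Strict-Transport-Security` header value and reports which of the three preload-list requirements it still fails: a sufficiently long `max-age`, `includeSubDomains`, and `preload`. The one-year minimum `max-age` is an assumption taken from the hstspreload submission rules, not something stated in this bug.

```python
# Minimum max-age the preload list accepts, in seconds (one year).
# Assumption based on the hstspreload.appspot.com rules, not on this bug.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value into its directives.

    Directive names are case-insensitive, so keys are lower-cased. Bare
    flags such as `preload` map to None; valued directives keep their
    value as a string with any surrounding quotes removed.
    """
    directives = {}
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def preload_readiness(header_value):
    """Return the preload requirements this header value still fails.

    An empty list means the header carries everything the preload list
    asks of the root domain's header (max-age, includeSubDomains, preload).
    """
    d = parse_hsts(header_value)
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("missing or malformed max-age")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below %d seconds" % PRELOAD_MIN_MAX_AGE)
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload")
    return problems


if __name__ == "__main__":
    # Constructed sample headers, not captured from Treeherder.
    for sample in ("max-age=31536000",
                   "max-age=31536000; includeSubDomains; preload"):
        print(repr(sample), "->", preload_readiness(sample) or "ready")
```

As April notes above, a subdomain such as Treeherder's only needs the first two directives to satisfy the Observatory; the `preload` check matters for the root domain's header.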
(In reply to Ed Morley [:emorley] from comment #7)
> 1) Change our local Vagrant development environment to not use a subdomain
> of the real treeherder domain

Fixed in bug 1315818 :-)
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE