Closed Bug 1351363 (hsts-preload-everything) Opened 8 years ago Closed 4 years ago

[TRACKER] Add apex/root Mozilla domains to HSTS preload list

Categories: Security Assurance :: General
Type: task
Priority: Not set
Severity: normal

Tracking: Not tracked

Status: RESOLVED INCOMPLETE

People: Reporter: emorley, Assigned: April

References: Depends on 2 open bugs

Details

Sending HSTS headers for most Mozilla properties (bug 1246672) is a great first step, however:

1) This doesn't protect the user until they make their first successful HTTPS request to a site.
2) It can lead to gaps in coverage if new apps forget to add the header, and so means an ongoing effort to monitor/chase up site owners, since `includeSubDomains` isn't being used on the top-level domain.

Therefore it would be great if we could at some point in the future preload HSTS on all of the apex/root Mozilla domains (eg mozilla.org, mozilla.com, taskcluster.net, mozilla-releng.net, ...), which will protect all subdomains too.

Note: Apart from rare exceptions (see below) only apex/root domains are allowed to request preloading, so unfortunately we can't just partially enable preloading to fix #1 on its own.

Steps for each domain:

1) Assess what subdomains don't already support HTTPS and either:
   (a) Add HTTPS support, enable HTTP to HTTPS redirect and set HSTS header
   (b) Move them to another domain specifically for insecure sites
2) Check that the top-level domain redirects HTTP to HTTPS on the same host (if listening on port 80).
3) Serve an HSTS header on the apex/root domain that:
   - Has a max age of at least 18 weeks
   - Includes the `includeSubDomains` directive
   - Includes the `preload` directive
4) Submit the domain on https://hstspreload.org/

The following are already preloaded (see https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json):

* bmoattachments.org
* people-mozilla.org
* bugzilla.mozilla.org (added manually, see bug 1237178 comment 2)
* accounts.firefox.com (presumably added manually too)

I'll file dependent bugs for each remaining root domain, since some will be achievable sooner than others.
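The per-domain checklist in the description can be verified offline before a submission is attempted. The following is an added example, not part of this bug or of any Mozilla tooling: it parses a `Strict-Transport-Security` header value the way RFC 6797 section 6.1 specifies (case-insensitive directive names, optional quoting of the `max-age` value, no repeated directives) and reports anything that fails the step 3 criteria, using the 18-week minimum stated above as `MIN_PRELOAD_MAX_AGE`; a second helper checks a captured status code and `Location` header against step 2 (redirect to `https://` on the same host). The sample header values and the `example.org` redirect are constructed inputs. Note that hstspreload.org's own submission form has since required a longer `max-age` (one year at time of writing) than the 18 weeks listed here, so confirm the current criteria on that site before submitting.

```python
"""Offline checks for the HSTS preload steps above (added example, not
Mozilla code). Inputs are header values and redirect responses as you
would capture them with curl -I; nothing here touches the network."""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# The bug asks for a max-age of at least 18 weeks, expressed in seconds.
MIN_PRELOAD_MAX_AGE = 18 * 7 * 24 * 60 * 60  # 10886400


@dataclass
class HstsCheck:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)

    @property
    def preload_ready(self) -> bool:
        return not self.problems


def parse_hsts(header: str) -> HstsCheck:
    """Parse an HSTS header value (RFC 6797 section 6.1) and list anything
    that would block preloading under step 3 of the checklist."""
    result = HstsCheck()
    seen = set()
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, has_value, value = token.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        # The value may be a quoted-string; strip the quotes before parsing.
        value = value.strip().strip('"') if has_value else None
        if name in seen:  # RFC 6797: a given directive MUST NOT appear twice
            result.problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if value is None or not value.isdigit():
                result.problems.append("max-age must be a non-negative integer")
            else:
                result.max_age = int(value)
        elif name == "includesubdomains":
            result.include_subdomains = True
        elif name == "preload":
            result.preload = True
        # Unknown directives are ignored, as RFC 6797 requires.
    if result.max_age is None:
        result.problems.append("missing max-age")
    elif result.max_age < MIN_PRELOAD_MAX_AGE:
        result.problems.append(
            f"max-age {result.max_age} is below the 18-week minimum ({MIN_PRELOAD_MAX_AGE})")
    if not result.include_subdomains:
        result.problems.append("missing includeSubDomains")
    if not result.preload:
        result.problems.append("missing preload")
    return result


def check_redirect(host: str, status: int, location: Optional[str]) -> List[str]:
    """Step 2: a request to http://<host>/ must redirect to https:// on the
    same host. Takes the observed status code and Location header value."""
    problems: List[str] = []
    if status not in (301, 302, 307, 308):
        problems.append(f"expected a redirect status, got {status}")
        return problems
    if not location:
        problems.append("redirect without a Location header")
        return problems
    target = urlsplit(location)
    if target.scheme.lower() != "https":
        problems.append(f"redirect target is not https: {location}")
    if (target.hostname or "").lower() != host.lower():
        problems.append(f"redirect leaves the host: {host} -> {target.hostname}")
    return problems


if __name__ == "__main__":
    # Constructed sample header values, not captured from any real host.
    samples = {
        "ok": "max-age=31536000; includeSubDomains; preload",
        "too short, no preload": "max-age=300; includeSubDomains",
        "exactly 18 weeks, quoted": 'max-age="10886400"; INCLUDESUBDOMAINS; preload',
    }
    for label, value in samples.items():
        print(f"{label:26} -> {parse_hsts(value).problems or 'preload-ready'}")
    # Constructed redirect: apex host bouncing to its www subdomain fails step 2.
    print(check_redirect("example.org", 301, "https://www.example.org/") or "redirect ok")
```

Run it to see each constructed header judged against the step 3 criteria; the redirect helper flags the common mistake of redirecting the apex host straight to `www`, which leaves the apex itself without an HTTPS response for step 2.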
Group: mozilla-employee-confidential
Depends on: 1306346
Bug 1306346 explains why non-SSL traffic must be permitted from modern HSTS-capable browsers to mozilla.org and mozilla.net endpoints in 2017.
Depends on: 1351415
Depends on: 1351416
Depends on: 1351445
Depends on: 1203453, 1310813
Assigning to April to get this out of security-alerts channel. April, if this isn't something that you will be tracking, please feel free to assign it to the appropriate person who will.
Assignee: nobody → tweir
Status: NEW → ASSIGNED
Assignee: tweir → april
Depends on: 1351514
Depends on: 1351515
Depends on: 1351516
No longer depends on: 1306346
See Also: → 1362230
Alias: hsts-preload-everything
Depends on: 1551966
Depends on: 1237178
Depends on: 1193634
Depends on: 1533804

Unfortunately we don't have the resources currently to continue driving this effort in Security Assurance (previously Enterprise Information Security). I'll close this out though the child tickets remain open with the teams seeking to get HSTS enabled on their services and hopefully that will be completed through federated efforts across those various teams.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → INCOMPLETE