Bug 1351515 - Add mozilla.com to the HSTS preload list
Opened 8 years ago
Closed 8 years ago
Categories: Infrastructure & Operations Graveyard :: WebOps: Other, task
Tracking: Not tracked
Status: RESOLVED INCOMPLETE
People: Reporter: emorley, Assignee: Unassigned
(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/4547])
Description•8 years ago
Bug 1351363 is aiming to add as many apex/root Mozilla domains to the HSTS preload list as possible, to protect first connections and also to catch any subdomains that forget to set an HSTS header themselves.
Rough steps:
1) Identify mozilla.com subdomains that don't yet support HTTPS and file dependent bugs to fix them.
2) Ensure the apex/root domain (https://mozilla.com/) serves an HSTS header that meets the requirements on https://hstspreload.org/
3) Submit the domain using that same tool
For reference:
$ curl -IL http://mozilla.com/
HTTP/1.1 301 Moved Permanently
Server: Apache
X-Backend-Server: pp-web01
Vary: Accept-Encoding
Cache-Control: max-age=3600
Content-Type: text/html; charset=iso-8859-1
Date: Wed, 29 Mar 2017 00:43:23 GMT
Location: https://mozilla.com/
Keep-Alive: timeout=20, max=986
Accept-Ranges: bytes
Connection: Keep-Alive
X-Cache-Info: cached
Content-Length: 0
HTTP/1.1 302 Moved Temporarily
X-Backend-Server: TS
Cache-Control: max-age=3600
Content-Type: text/plain
Strict-Transport-Security: max-age=31536000
Date: Wed, 29 Mar 2017 01:00:16 GMT
Location: https://www.mozilla.com/
Connection: Keep-Alive
Content-Length: 0
...
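The following is an added example (not code from the bug or from Mozilla) that checks a Strict-Transport-Security header value against the hstspreload.org submission requirements and checks that the first redirect from http:// goes to https:// on the same host. The minimum max-age used is the current hstspreload.org requirement of one year (31536000 seconds); the header value "max-age=31536000" is the one from the curl output above, and the other sample values are constructed. Run against the real header it shows why the current apex response is not yet preloadable: the directive list lacks includeSubDomains (which is exactly what a preloaded apex would force on every subdomain) and preload.

```python
"""Check an HSTS header value against the hstspreload.org requirements.

Added example, not code from the bug. MIN_MAX_AGE is the current
hstspreload.org minimum (one year); the constants and sample values
below are assumptions made for this example.
"""

import re
from urllib.parse import urlsplit

MIN_MAX_AGE = 31536000  # one year in seconds, the current hstspreload.org minimum


def parse_hsts(header_value):
    """Parse an HSTS field value into {directive_name_lowercased: value_or_None}.

    RFC 6797: directives are separated by ';', names are case-insensitive,
    values may be quoted, and a repeated directive makes the header invalid
    (we return None in that case).
    """
    directives = {}
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, sep, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"') if sep else None
        if name in directives:
            return None  # RFC 6797 section 6.1: duplicated directive -> invalid
        directives[name] = value
    return directives


def preload_problems(header_value):
    """Return a list of problems; an empty list means the header satisfies the
    preload-list requirements checked here (max-age, includeSubDomains, preload)."""
    if header_value is None:
        return ["no Strict-Transport-Security header served over HTTPS"]
    d = parse_hsts(header_value)
    if d is None:
        return ["header has a duplicated directive (invalid per RFC 6797)"]
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        problems.append("max-age missing or not an integer")
    elif int(max_age) < MIN_MAX_AGE:
        problems.append("max-age=%s is below %d" % (max_age, MIN_MAX_AGE))
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload")
    return problems


def first_redirect_ok(http_url, location):
    """hstspreload.org requires the first redirect from http://host/ to land
    on https:// for the same host (not another host, and not over http)."""
    src, dst = urlsplit(http_url), urlsplit(location)
    return dst.scheme == "https" and dst.hostname == src.hostname


# Sample values: the first is the header from the curl output above,
# the others are constructed for this example.
SAMPLES = {
    "mozilla.com (curl output above)": "max-age=31536000",
    "preload-ready": "max-age=63072000; includeSubDomains; preload",
    "max-age too short": "max-age=3600; includeSubDomains; preload",
    "no header": None,
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        probs = preload_problems(value)
        print("%-32s %s" % (name, "OK" if not probs else "; ".join(probs)))
    # The first hop in the curl output (http -> https, same host) is acceptable:
    print("first redirect ok:", first_redirect_ok("http://mozilla.com/", "https://mozilla.com/"))
```

The redirect check only covers the first hop; the later https://mozilla.com/ to https://www.mozilla.com/ hop is fine as long as that redirect response also carries the HSTS header, which the curl output shows it does.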
Comment 1•8 years ago
mozilla.com cannot be preloaded easily as it is the apex domain of all datacenters and internal services we operate in IT. We will not be able to work on this in 2017. You may want to speak to Corey Shields about prioritizing this work if it's essential, as his team can focus on DNS work of this nature.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
Comment 2•8 years ago (Reporter)
(In reply to Richard Soderberg [:atoll] from comment #1)
> mozilla.com cannot be preloaded easily as it is the apex domain of all
> datacenters and internal services we operate in IT.
Ah good point.
That said, I wonder if we can ask for some of the high-value mozilla.com subdomains (eg https://sso.mozilla.com, https://irccloud.mozilla.com since they request LDAP credentials) to be manually added to the preload list so we can at least protect first connections to those? (This is not normally allowed for subdomains, but exceptions have been made, eg bugzilla.mozilla.org)
Or else failing that, perhaps they could be moved to their own domain or to mozilla.org instead (though bug 1351516 is likely far out too)?
Comment 3•8 years ago
We have essentially no chance of getting things like sso.mozilla.com added to the preload list, because it would otherwise open the preload list up to a million requests from different domains for the same thing, which isn't technically feasible. BMO was a very special exception, specifically because of the extremely high value information it contains.
In general, simply having HSTS and visiting the domain once from a safe location should be enough for subdomains like sso and irccloud.
Updated•6 years ago
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard