Closed Bug 1351516 Opened 7 years ago Closed 3 years ago

Add mozilla.org to the HSTS preload list

Categories

(Security Assurance :: General, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: emorley, Assigned: April)

References

(Depends on 1 open bug)

Details

Bug 1351363 is aiming to add as many apex/root Mozilla domains to the HSTS preload list as possible, to protect first connections and also to catch any subdomains that forget to set an HSTS header themselves.

Rough steps:
1) Identify mozilla.org subdomains that don't yet support HTTPS and file dependent bugs to fix them.
2) Ensure the apex/root domain (https://mozilla.org/) serves an HSTS header that meets the requirements on https://hstspreload.org/
3) Submit the domain using that same tool


For reference:

$ curl -IL http://mozilla.org/
HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Date: Wed, 29 Mar 2017 01:07:20 GMT
Location: https://www.mozilla.org/
Connection: Keep-Alive
Content-Length: 0

HTTP/1.1 301 MOVED PERMANENTLY
Date: Wed, 29 Mar 2017 01:07:21 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
Cache-Control: max-age=600
Content-Security-Policy: <SNIP>
ETag: "d41d8cd98f00b204e9800998ecf8427e"
Expires: Wed, 29 Mar 2017 01:09:15 GMT
Location: https://www.mozilla.org/en-US/
strict-transport-security: max-age=31536000
Vary: Accept-Language
X-Backend-Server: 1d167a8ed1eb.bedrock-prod.eu-west.moz.works
x-content-type-options: nosniff
X-Frame-Options: DENY
X-Robots-Tag: noodp
x-xss-protection: 1; mode=block
CF-Cache-Status: HIT
Server: cloudflare-nginx
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/4548]
Depends on: 1306346
Depends on: 1359511
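The curl output above already shows two things the hstspreload.org submission tool checks for: the first redirect from http://mozilla.org/ goes to https://www.mozilla.org/ rather than to HTTPS on the same host, and the only Strict-Transport-Security header in the chain (on www) carries max-age alone, with no includeSubDomains or preload directive. The checker below is an added example written for this page; it is not code from the bug, from Mozilla, or from hstspreload.org. It encodes the preload requirements as published on hstspreload.org (one-year max-age, includeSubDomains, preload, same-host HTTP-to-HTTPS redirect; earlier versions of the tool accepted a shorter max-age, so verify the current minimum there) and runs offline against a redirect chain constructed from the curl output, plus a constructed compliant chain for comparison.

```python
"""Offline check of an observed redirect chain against the hstspreload.org
submission requirements.  Added example, not part of bug 1351516 and not the
hstspreload.org tool itself.  The sample chains are constructed from the curl
output in the bug description, not fetched live."""

from urllib.parse import urlsplit

# Minimum max-age required by hstspreload.org at the time of writing (1 year).
MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a dict.

    Directive names are case-insensitive (RFC 6797); max-age becomes an int,
    or None if it is not a valid integer.  Other directives map to True."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            directives[name] = int(val) if val.isdigit() else None
        else:
            directives[name] = True
    return directives


def hsts_problems(value):
    """Return the preload requirements an HSTS header value fails (empty if OK)."""
    if value is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    d = parse_hsts(value)
    problems = []
    age = d.get("max-age")
    if age is None:
        problems.append("max-age missing or not an integer")
    elif age < MIN_MAX_AGE:
        problems.append("max-age %d is below the required %d" % (age, MIN_MAX_AGE))
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def redirect_problems(host, location):
    """The first hop from http://host/ must land on https://host/ (same host)."""
    if location is None:
        return ["http://%s/ does not redirect to HTTPS" % host]
    u = urlsplit(location)
    if u.scheme != "https":
        return ["http://%s/ redirects to non-HTTPS %s" % (host, location)]
    if u.hostname != host:
        return ["http://%s/ redirects to %s instead of https://%s/ first"
                % (host, location, host)]
    return []


def check(host, chain):
    """chain: list of (url, headers) as a client sees them, header names lowercased."""
    problems = []
    first_url, first_headers = chain[0]
    if urlsplit(first_url).scheme == "http":
        problems += redirect_problems(host, first_headers.get("location"))
    # HSTS must be present on HTTPS responses from the apex itself; a header on
    # www does not count for the submission of the apex domain.
    apex_https = [(u, h) for u, h in chain
                  if urlsplit(u).scheme == "https" and urlsplit(u).hostname == host]
    if not apex_https:
        problems.append("no HTTPS response from %s observed; fetch https://%s/ directly"
                        % (host, host))
    for url, headers in apex_https:
        problems += ["%s: %s" % (url, p)
                     for p in hsts_problems(headers.get("strict-transport-security"))]
    return problems


# Constructed from the curl -IL output in the bug description (March 2017).
OBSERVED_CHAIN = [
    ("http://mozilla.org/", {"location": "https://www.mozilla.org/"}),
    ("https://www.mozilla.org/", {"location": "https://www.mozilla.org/en-US/",
                                  "strict-transport-security": "max-age=31536000"}),
]

# Constructed chain that would satisfy the tool (hypothetical, not observed).
COMPLIANT_CHAIN = [
    ("http://mozilla.org/", {"location": "https://mozilla.org/"}),
    ("https://mozilla.org/", {"location": "https://www.mozilla.org/",
                              "strict-transport-security":
                              "max-age=31536000; includeSubDomains; preload"}),
]

if __name__ == "__main__":
    for label, chain in (("observed", OBSERVED_CHAIN), ("compliant", COMPLIANT_CHAIN)):
        print(label, check("mozilla.org", chain) or "OK")
    print("www header:", hsts_problems("max-age=31536000"))
```

Note that the compliant chain still redirects HTTPS on the apex to www; hstspreload.org allows that as long as the apex HTTPS response itself carries the full HSTS header. The same-host rule exists because the very first HTTP hop is what seeds the HSTS entry for the apex in browsers that do not yet have the preloaded entry.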
Ed,

This is a large, Mozilla-wide project that needs to be co-ordinated across multiple teams. I'm not really sure we're the ones to own the overall move for this domain over to preloading, therefore this isn't actionable by us at this time.

Marking WONTFIX for now; we can revisit when every sub-domain of mozilla.org has been moved to HTTPS and has HSTS headers.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
Let's leave this open as a tracker (similar to bug 1351363 and friends), but move it to another component instead :-)
Assignee: server-ops-webops → nobody
Status: RESOLVED → REOPENED
Component: WebOps: Other → General
Product: Infrastructure & Operations → Enterprise Information Security
QA Contact: smani
Resolution: WONTFIX → ---
Status: REOPENED → NEW
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/4548]
Assignee: nobody → april
Status: NEW → ASSIGNED
The product delivery sites will certainly be the largest hurdle here, but I will attempt to go through the list of DNS entries and see if I can find any plain HTTP sites left and open bugs with them.
Depends on: tls-everything

Unfortunately we don't have the resources in Security Assurance (previously Enterprise Information Security) to continue driving this currently. This has been blocked on Bug 1306346 for the past 3 years. Hopefully if/when that is resolved someone can restart this effort for mozilla.org

Status: ASSIGNED → RESOLVED
Closed: 7 years ago → 3 years ago
Resolution: --- → INCOMPLETE