[lift] Missing Strict-Transport Security Headers on CDN

addons.mozilla.org
Security
UNCONFIRMED
6 months ago
2 months ago

People

(Reporter: Adam Baldwin, Assigned: wezhou)

Tracking

(Blocks: 1 bug)

Firefox Tracking Flags

(Not tracked)

(Reporter)

Description

6 months ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36

Steps to reproduce:

## Overview:
The AMO CDN at addons.cdn.mozilla.net does not currently set the Strict-Transport-Security (STS) header. The STS header tells a user's browser to enforce SSL connections for a specified amount of time.

## Examples:
The typical use-case looks something like this:
    1. User connects to the server via an unencrypted HTTP connection.
    2. Server responds with a redirect to HTTPS://
    3. SSL negotiation takes place, and the connection is now encrypted.
    4. The server sets the STS header with a header similar to `Strict-Transport-Security: max-age=31536000; includeSubDomains`
    5. User does whatever they intended to do on the site, and logs off.
Here is where the STS header provides protection from man-in-the-middle (MITM) attacks such as SSLStrip:
    1. User initiates a connection to the site from a public wifi connection.
    2. Attacker has poisoned the cache of the wifi connection, and is able to initiate a MITM attack on the user, stripping the 'S' off of all HTTPS:// links and forcing the user to browse over an unencrypted connection.
    3. Browser checks its local cache for the STS header that was set earlier, finds it to be present, and refuses to connect over an unencrypted connection.

## Recommendations:
There are very few reasons for a user to browse over an unencrypted connection. Encryption creates an extremely minimal amount of CPU overhead, but gives tremendous benefit to your users. For this reason, we recommend setting the STS header to something similar to the following:
```
Strict-Transport-Security: max-age=31536000; includeSubDomains
```
The settings mentioned above specify that the header will expire in 12 months, and will be enforced on all subdomains of the application as well.


Finding by Jon Lamendola
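The two numbered sequences above (the browser caching the policy on a first HTTPS response, then refusing a stripped http:// link later) can be modelled in a few dozen lines. The following is an added example, not code from the report or from the AMO project: it parses a Strict-Transport-Security value the way RFC 6797 section 6.1 describes, audits a response header set against the max-age and includeSubDomains values recommended above, and keeps a tiny in-memory HSTS store that upgrades http:// requests for known hosts. Host names such as `cdn.example.test` and the header dicts are constructed sample data; `RECOMMENDED_MAX_AGE` is taken from the report's own recommendation.

```python
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

RECOMMENDED_MAX_AGE = 31536000  # 12 months, the value recommended in the report


@dataclass
class HstsPolicy:
    expires_at: float
    include_subdomains: bool


def _sts_value(headers):
    """Case-insensitive lookup of the STS header in a plain dict of headers."""
    return next((v for k, v in headers.items()
                 if k.lower() == "strict-transport-security"), None)


def parse_sts(value):
    """Parse a Strict-Transport-Security field value (RFC 6797 section 6.1).

    Returns (max_age_seconds, include_subdomains), or None when the value is
    invalid: no max-age, a non-numeric max-age, or a repeated directive.
    """
    max_age, include_subdomains, seen = None, False, set()
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:  # a duplicated directive makes the whole header invalid
            return None
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        # any other directive (e.g. preload) is ignored, as the RFC requires
    if max_age is None:
        return None
    return max_age, include_subdomains


def audit_sts(headers):
    """Return a list of findings for a response's headers; an empty list means OK."""
    value = _sts_value(headers)
    if value is None:
        return ["Strict-Transport-Security header missing"]
    parsed = parse_sts(value)
    if parsed is None:
        return ["Strict-Transport-Security header is malformed: %r" % value]
    max_age, include_subdomains = parsed
    findings = []
    if max_age < RECOMMENDED_MAX_AGE:
        findings.append("max-age %d is below the recommended %d" % (max_age, RECOMMENDED_MAX_AGE))
    if not include_subdomains:
        findings.append("includeSubDomains directive missing")
    return findings


class HstsCache:
    """Minimal model of a browser's HSTS host store (constructed for this example)."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable clock so expiry can be tested offline
        self.policies = {}      # host -> HstsPolicy

    def observe_response(self, url, headers):
        """Step 4 of the report: remember the policy, but only when the response
        came over HTTPS (RFC 6797 section 8.1 ignores the header on plain HTTP)."""
        parts = urlsplit(url)
        value = _sts_value(headers)
        if parts.scheme != "https" or value is None or not parts.hostname:
            return False
        parsed = parse_sts(value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = parts.hostname.lower()
        if max_age == 0:        # max-age=0 tells the browser to forget the host
            self.policies.pop(host, None)
        else:
            self.policies[host] = HstsPolicy(self.clock() + max_age, include_subdomains)
        return True

    def is_known_host(self, host):
        """True for the host itself, or for a parent domain whose policy set includeSubDomains."""
        labels = host.lower().split(".")
        now = self.clock()
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None or policy.expires_at <= now:
                continue  # unknown or expired entry
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite_request(self, url):
        """Step 3 of the MITM scenario: an http:// URL for a known host is rewritten
        to https:// before any unencrypted connection is attempted."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known_host(parts.hostname):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    # Constructed walk-through: first HTTPS visit stores the policy, a later stripped link is upgraded.
    cache = HstsCache()
    cache.observe_response("https://cdn.example.test/a.js",
                           {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    print(cache.rewrite_request("http://static.cdn.example.test/b.js"))
    print(audit_sts({"Content-Type": "application/javascript"}))
```

Two details worth noting for anyone checking a CDN with this: the policy is only learned from a response that actually arrived over HTTPS, so a header that is present on the HTTPS origin but absent on the CDN hostname protects nothing served from that CDN; and a policy without includeSubDomains only covers the exact host that sent it, which is why the report recommends the directive.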

Updated

6 months ago
Blocks: 1189001
Summary: Missing Strict-Transport Security Headers on CDN → [lift] Missing Strict-Transport Security Headers on CDN
Assignee: nobody → wezhou
Wei, when you have a moment could you take a look at this one please?
Flags: needinfo?(wezhou)
(Assignee)

Comment 2

2 months ago
Ok, I'll schedule this for after Austin if that's ok.
Flags: needinfo?(wezhou)