HSTS includeSubDomains not properly enforced
Categories: Core :: Security: PSM, defect

Version | Tracking | Status
---|---|---
firefox-esr78 | --- | unaffected
firefox88 | --- | wontfix
firefox89 | --- | wontfix
firefox90 | --- | verified

People: Reporter: pege, Assigned: timhuang
Keywords: sec-moderate, Whiteboard: [post-critsmash-triage][adv-main90+]
Attachments: 3 files
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Steps to reproduce:
As part of the response, Firefox is informed about an HSTS policy that includes subdomains:
Strict-Transport-Security: max-age=43200;includeSubDomains
As a result of the HSTS policy received earlier, the request is made using https, but an "Accept the Risk and Continue" button is still shown.
Also, clicking on SSL_ERROR_BAD_CERT_DOMAIN reveals that Firefox doesn't think there is a HSTS policy in effect:
https://abc.tocco.ch/status-tocco
Unable to communicate securely with peer: requested domain name does not match the server's certificate.
HTTP Strict Transport Security: false
HTTP Public Key Pinning: false
Actual results:
"Accept the Risk and Continue" button is shown.
Expected results:
As intended by the Strict-Transport-Security header, there should be no way to add an exception. I also checked Firefox 78 ESR and there the behavior was still correct.
Comment 1 • 3 years ago
I'm not entirely sure which component this should go in, but hopefully this is closer to the right one.
Comment 2 • 3 years ago
:baku, I don't think network partitioning is behaving correctly with respect to HSTS. Can you have a look?
Comment 3 • 3 years ago
It looks like we're partially performing HSTS -- I do get from http: -> https, it's just carrying over the "no exceptions allowed" part.
Comment 4 (Reporter) • 3 years ago
I had a look at how Firefox for Android (87 and nightly) handles this. Turns out that an "Accept the Risk and Continue" button is shown there even for domains on the HSTS Preload list. For instance, you can go to http://may.arbitrary.ch, which doesn't have a valid certificate for that name, and you'll get upgraded to https but you'll still see that Continue button.
Comment 6 (Assignee) • 3 years ago
I've tested this with Network Partitioning disabled, and the issue is still there.
And subdomains will use the same partitionKey because we are using eTLD+1 as the key. So, theoretically, the HSTS cache is not partitioned between tocco.ch and abc.tocco.ch.
Comment 7 (Reporter) • 3 years ago
:timhuang, are you sure about this not being caused by network partitioning? When I flip the privacy.partition.network_state preference to false, the issue disappears for me and I'm told again I can't visit the page because of the HSTS policy. After flipping the switch, you have to make sure you visit https://tocco.ch again first to pick up the HSTS information and then head to https://abc.tocco.ch.
Comment 8 (Assignee) • 3 years ago
Ah, I see, there will still be an error page but cannot do "Accept the Risk and Continue" there. Sorry that I didn't understand the issue correctly. I will dig into this. Thanks.
Comment 9 (Assignee) • 3 years ago
The root cause is that we use the OAs without the partitionKey to check the HSTS state when loading the cert error page. So, the error page will have a wrong state about HSTS. However, it doesn't affect HSTS in the network layer, only the error page.
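The root cause described in comment 9, replayed as an added illustration that is not Firefox's code: a hypothetical HSTS store keyed by (host, origin attributes), with a stand-in OriginAttributes type whose partition_key models the eTLD+1 partitionKey from comment 6. A lookup made with OAs that lack the partitionKey misses the entry the network layer stored, which is why the error page reported "HTTP Strict Transport Security: false" even though the upgrade to https still happened.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class OriginAttributes:
    # Hypothetical stand-in for Firefox origin attributes (OAs); partition_key
    # models the eTLD+1 network partitionKey described in comment 6.
    partition_key: str = ""

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name.lower() == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_sub

class HstsStore:
    """HSTS state keyed by (host, OAs): a lookup only hits with the same OAs."""
    def __init__(self):
        self._entries = {}  # (host, OriginAttributes) -> (expires, include_subdomains)

    def process_header(self, host, header, oa, now):
        max_age, include_sub = parse_hsts(header)
        self._entries[(host.lower(), oa)] = (now + max_age, include_sub)

    def is_secure_host(self, host, oa, now):
        # An exact host entry always applies; a parent-domain entry applies
        # only if it was stored with includeSubDomains (RFC 6797 semantics).
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get((".".join(labels[i:]), oa))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

def demo():
    """Replay the report: tocco.ch sets HSTS+includeSubDomains, then the cert error page asks about abc.tocco.ch."""
    store = HstsStore()
    partitioned = OriginAttributes(partition_key="tocco.ch")  # OAs used by the network layer
    store.process_header("tocco.ch", "max-age=43200;includeSubDomains", partitioned, now=0.0)
    network_layer = store.is_secure_host("abc.tocco.ch", partitioned, now=0.0)
    # Pre-fix nsDocShell queried with OAs lacking the partitionKey: different key, no hit.
    error_page_before_fix = store.is_secure_host("abc.tocco.ch", OriginAttributes(), now=0.0)
    error_page_after_fix = store.is_secure_host("abc.tocco.ch", partitioned, now=0.0)
    return network_layer, error_page_before_fix, error_page_after_fix
```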
Comment 10 (Assignee) • 3 years ago
Comment 12 • 3 years ago
Part 1: Use the OAs with the partitionKey to get HSTS state in nsDocShell. r=ckerschb
https://hg.mozilla.org/integration/autoland/rev/776d2e2ecd043cdc269753bc75ae06bd6a938e14
Part 2: Add a test to verify HSTS parameter includeSubDomains works correctly when network partitioning is enabled. r=ckerschb
https://hg.mozilla.org/integration/autoland/rev/45c659bd4922fa3b4a7b602c6214f16092a31284
https://hg.mozilla.org/mozilla-central/rev/776d2e2ecd04
https://hg.mozilla.org/mozilla-central/rev/45c659bd4922
Comment 13 • 3 years ago
This issue is verified as fixed in our latest Nightly build 90.0a1 (2021-05-24) on Windows, Mac and Ubuntu.