Closed
Bug 660904
Opened 14 years ago
Closed 13 years ago
Send HSTS header to logged-in users
Categories
(support.mozilla.org :: General, defect)
support.mozilla.org
General
Tracking
(Not tracked)
RESOLVED
FIXED
2013Q1
People
(Reporter: jruderman, Assigned: rrosario)
Details
(Whiteboard: u=user c=security p=0 s=2013.4)
I keep ending up at http pages such as http://support.mozilla.com/en-US/kb/High%20memory%20usage and being unable to edit them as a result. This is extremely confusing.
(I guess this means the fix for bug 483026 isn't working for me...)
SUMO should send HSTS headers to logged-in users to ensure they don't accidentally connect over http.
|
||
Comment 1•14 years ago
|
||
Also, we shouldn't link folks to http:// from the https:// side. Are we doing that anywhere?
|
||
Comment 2•14 years ago
|
||
HSTS is not appropriate for this situation: just because a user logged in once should not keep them on HTTPS forever on SUMO. We've implemented bug 620910 but it only shipped yesterday afternoon.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WONTFIX
|
||
Comment 3•14 years ago
|
||
(In reply to comment #2)
> HSTS is not appropriate for this situation
I don't understand why it's inappropriate. HSTS ensures users don't get login credentials stolen, and the users who have logged in once are precisely the ones who are likely to do it again. Server-side redirects (bug 620910) are helpful, but only if the network is trustworthy (which is precisely the opposite of what HSTS defends against: the case when attackers use firesheep or other credential-stealing MITM attacks).
|
Reporter | |
Comment 4•14 years ago
|
||
Server-side redirects are also slower.
|
|
||
Comment 5•14 years ago
|
||
As Erik said, we shouldn't be sending people to HTTP from HTTPS. This is just to catch weird cases like opening a link from someone else. There's no reason why someone who has logged in once should always come back to HTTPS, so at most we'd want to set HSTS on login and for a very short window, maybe a day.
|
|
Reporter | |
Comment 6•14 years ago
|
||
I found myself at http URLs after doing Google searches and navigating using the awesomebar. I don't think those are "weird cases".
|
|
||
Comment 7•14 years ago
|
||
And you were currently logged in if you switched it to HTTPS?
|
|
Reporter | |
Comment 8•14 years ago
|
||
I don't understand your question.
Things seem better now that bug 620910 is fixed. The brokenness is gone, leaving only the minor speed and security problems.
|
|
||
Comment 9•14 years ago
|
||
Given that we're now not expiring sessions at browser close, this makes more sense. It depends on commonware issue #5: https://github.com/jsocol/commonware/issues/5.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Target Milestone: --- → 2011Q3
|
Assignee | |
Updated•14 years ago
|
Target Milestone: 2011Q3 → 2011Q4
|
||
Comment 11•13 years ago
|
||
Marking this as a blocker for the next-SuMO (kitsune) security review. Why send HSTS to only logged-in users?
|
|
||
Comment 12•13 years ago
|
||
(In reply to Frederik Braun [:freddyb] from comment #11)
> Marking this as a blocker for the next-SuMO (kitsune) security review. Why
> send HSTS to only logged-in users?
Because almost all of our unauthenticated traffic is HTTP, and that is tightly coupled to our performance/caching strategy.
For practical purposes, logged-in (or logging in) <=> on HTTPS.
|
|
Assignee | |
Comment 13•13 years ago
|
||
I did this as part of Bug 840966
Assignee: nobody → rrosario
Status: REOPENED → RESOLVED
Closed: 14 years ago → 13 years ago
Resolution: --- → FIXED
Whiteboard: u=user c=security p=0 s=2013.4
Target Milestone: --- → 2013Q1
You need to log in
before you can comment on or make changes to this bug.
Description
•