Closed
Bug 680238
Opened 14 years ago
Closed 8 years ago
Enable Strict Transport Security for v.mozilla.com
Categories
(Infrastructure & Operations Graveyard :: AVOps: Vidyo, task)
RESOLVED
FIXED
People
(Reporter: mcoates, Assigned: rcarroll)
(Whiteboard: [infrasec:tls][ws:enhancement])
Please enable strict transport security for v.mozilla.org by adding the following header to responses:
Strict-Transport-Security: max-age=2629744
This will ensure that it is not possible for a user to issue an HTTP request to the site or allow a MITM to get in the middle with an invalid cert.
More info on HSTS
https://developer.mozilla.org/en/Security/HTTP_Strict_Transport_Security
STS is currently in use for bugzilla.mozilla.org with the max-age of 2629744. This is approximately 1 month (in seconds). The rule of thumb for max-age is to make it longer than the usual interval between visits.
Updated•14 years ago
Assignee: server-ops → jthomas
Comment 1•14 years ago
CCing Guillermo Huerta.
I believe we do not have ssh access to the device. Could you please escalate this request to Vidyo?
Comment 2•14 years ago
Do we need to make this change on the box itself? Can we add the header at another device such as Zeus?
Comment 3•14 years ago
this is not managed through zeus.
It is an appliance, we will have to take this up with Vidyo. and by "we" I meant Guillermo. :)
Assignee: jthomas → ghuerta
Summary: Enable Strict Transport Security for v.mozilla.org → Enable Strict Transport Security for v.mozilla.com
Comment 4•14 years ago
Guillermo, did you ever open up a case with Vidyo for this?
Zandr, are you handling vidyo stuff now?
Comment 5•14 years ago
I guess I am. :|
I'm not aware of a case open, but I'll open one as soon as I figure out how.
Comment 6•14 years ago
Guillermo or Zandr, have we opened this case with Vidyo? The presence of the HSTS flag would have fully protected our users from this latest HTTP issue.
Comment 8•13 years ago
stupid bugzilla, gotta futz with some flags before it will let me reassign this bug.
Group: infra → mozilla-corporation-confidential
Updated•13 years ago
Assignee: ghuerta → nobody
Component: Server Operations → Vidyo
Product: mozilla.org → Air Mozilla
QA Contact: mrz → vidyo
Version: other → unspecified
Comment 9•13 years ago
Current plan is to take care of this when we can deploy it on our hardware either native or as a vm.
Comment 10•12 years ago
(In reply to Guillermo Huerta [:guillermo] from comment #9)
> Current plan is to take care of this when we can deploy it on our hardware
> either native or as a vm.
I note there is still no HSTS header; do we still plan on resolving this?
Comment 11•12 years ago
So both VMs and our own hardware are not happening. I mentioned this to Vidyo support but they were afraid it might affect the Room systems as they rely on the redirect. I've sent a note to our sales engineer to see if they can get their engineering to confirm if that would be an issue.
Updated•12 years ago
Group: mozilla-corporation-confidential
Component: Vidyo → Vidyo Infrastructure
Product: Air Mozilla → Audio/Visual Infrastructure
Comment 12•10 years ago
Ping for a status update on v.mozilla.com?
Flags: needinfo?(richard)
QA Contact: rcarroll
Comment 13•10 years ago
We are still replacing the old series room systems. We have Portland and Taipei left. I believe then we can begin to make the move. Portland will complete by end of July. Taipei we do not have a timeline yet.
Comment 14•10 years ago
Guillermo and Rob are the appropriate needinfo targets for all things Vidyo.
Vidyo ≠ Air Mozilla
Updated•10 years ago
Flags: needinfo?(richard)
Comment 15•10 years ago
oops, my bad. Relying on 2011 bug assignments ;-]. Re-assigned to Rob.
"I mentioned this to Vidyo support but they were afraid it might affect the Room systems as they rely on the redirect."
Guillermo did you ever get a response about whether adding the HSTS header is actually an issue?
Assignee: nobody → rcarroll
Flags: needinfo?(ghuerta)
Comment 16•10 years ago
I did not get a direct response, but by the end of July we will no longer have any of the older room systems in production and we can make several back end changes. I'll raise this with Vidyo again.
Flags: needinfo?(ghuerta)
Comment 17•10 years ago
CAS-42605 opened with Vidyo.
Updated•10 years ago
Product: Audio/Visual Infrastructure → Infrastructure & Operations
Comment 18•8 years ago
Looks like this is fixed now? (Unless this was about a non-root URL)
$ curl -I https://v.mozilla.com
HTTP/1.1 302 Found
Date: Tue, 28 Mar 2017 14:28:38 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-FRAME-OPTIONS: SAMEORIGIN
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Location: /download.html?lang=en
Content-Language: en
Set-Cookie: JSESSIONID=F38ED69599BEF06359D1A887AA98ADBE; Path=/; Secure; HttpOnly;HttpOnly
Content-Type: text/html;charset=UTF-8
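An added example, not code from this bug or from Mozilla or Vidyo: it parses a captured response head like the curl output above and reports whether an HSTS policy is present, whether the header is duplicated (as it is in comment 18), and whether max-age is at least the one-month value the reporter proposed. The sample response is constructed from the headers in comment 18, trimmed to the relevant lines.

```python
"""Check the HSTS policy in a captured HTTP response header block."""
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the curl -I output in comment 18 (trimmed),
# keeping the duplicated Strict-Transport-Security line seen there.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Strict-Transport-Security: max-age=31536000 ; includeSubDomains\r\n"
    "Location: /download.html?lang=en\r\n"
    "\r\n"
)

ONE_MONTH = 2629744  # max-age proposed in the bug description (about 30.44 days)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw response head into (name, value) pairs; names lowercased."""
    pairs = []
    for line in raw.split("\r\n")[1:]:      # skip the status line
        if not line:
            break                           # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_sts(value: str) -> Dict[str, Optional[str]]:
    """Parse an STS value into {directive: value-or-None}, case-insensitive."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue                        # tolerate "max-age=1 ; includeSubDomains"
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip() or None
    return directives


def check_hsts(raw: str, min_age: int = ONE_MONTH) -> Dict[str, object]:
    """Return findings about the HSTS policy carried by a response head."""
    sts = [v for n, v in parse_headers(raw) if n == "strict-transport-security"]
    if not sts:
        return {"present": False}
    d = parse_sts(sts[0])                   # RFC 6797: UAs process only the first
    age = int(d.get("max-age") or 0)
    return {
        "present": True,
        "duplicates": len(sts) > 1,         # repeated header usually means two layers set it
        "max_age": age,
        "weak_max_age": age < min_age,
        "include_subdomains": "includesubdomains" in d,
    }
```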
Updated•8 years ago
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Updated•2 years ago
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard