Bug 628292 - Setup HTTP Strict Transport Security (connect directly to https)
Status: RESOLVED FIXED
Product: sysadmin
Classification: Infrastructure
Component: Certificates
Version: unspecified
Hardware: Other Windows
Importance: Normal normal
Target Milestone: ---
Assigned To: GNOME Sysadmins
Reported: 2010-08-30 08:38 UTC by Olav Vitters
Modified: 2011-01-03 21:09 UTC
GNOME target: ---
GNOME version: ---

Description Olav Vitters 2010-08-30 08:38:30 UTC
See https://developer.mozilla.org/en/Security/HTTP_Strict_Transport_Security

Using this header, a supporting web browser, after seeing this header on an https site (not http!), will automatically remember to connect only using https. Meaning: even when typing bugzilla.gnome.org in the address bar it'll try https, not http.

We should set this up on all https only sites.

I think that is:
 https://bugzilla.gnome.org/
 https://mango.gnome.org/

The following uses https, but only for a subdirectory:
 https://www.gnome.org/rt3/
Above MUST NOT have HTTP strict transport security!
Comment 1 Christer Edwards 2010-12-29 21:49:51 UTC
I have implemented this for the nagios installation on signal.gnome.org. I can configure the others soon (I don't have my git checkout presently).

Can anyone think of any more GNOME sites that require or should require SSL that this can be implemented on?
Comment 2 Jeff Schroeder 2010-12-29 22:23:52 UTC
edge.tomboy-online.org
Comment 3 Christer Edwards 2010-12-29 22:31:24 UTC
complete for:

nagios.gnome.org
bugzilla.gnome.org
mango.gnome.org
edge.tomboy-online.org

closing
Comment 4 Tobias Mueller 2011-01-03 16:37:42 UTC
www because of the RequestTracker
live because of Wiki credentials
mail because of passwords for the mailinglists and credentials for admin pages
Comment 5 Christer Edwards 2011-01-03 21:09:13 UTC
mail.g.o is already implemented but not required (Dec 30, 2010).

live.g.o is implemented but not required (Jan 03, 2011) with issues:

1) This page includes external resources which are not encrypted.

(I believe it is this: <a href="http://live.gnome.org/GnomeWorldWide"><img src="http://www.gnome.org/~jdub/random/GnomeWorldWideSmall.jpg" alt=""></a>)

2) This certificate had to be retried using SSL 3.0. This typically means the server is using very old software and may have other security issues.

www.g.o not implemented

I don't think HTTPS Strict Transport Security is warranted for RT. SSL is currently implemented, but because it is a subfolder of the www.g.o domain I think HTTPS STS would force it for the whole subdomain, which is not needed and not configured.

Perhaps as part of our VM migration we can put RT on its own subdomain and properly implement HTTPS STS.