SecurityEngineering/HTTP Strict Transport Security (HSTS) Preload List
Firefox ships with a list of hosts that are treated as HTTP Strict Transport Security hosts (HSTS, [https://tools.ietf.org/html/rfc6797 see RFC 6797]) by default, before the browser has ever seen a Strict-Transport-Security header from them. This list is derived from [https://www.chromium.org/hsts/ the list Chromium maintains]. The version of the list shipped in each Firefox channel is available here: [https://hg.mozilla.org/mozilla-central/file/tip/security/manager/ssl/nsSTSPreloadList.inc mozilla-central], [https://hg.mozilla.org/releases/mozilla-aurora/file/tip/security/manager/ssl/nsSTSPreloadList.inc mozilla-aurora], [https://hg.mozilla.org/releases/mozilla-beta/file/tip/security/manager/ssl/nsSTSPreloadList.inc mozilla-beta], [https://hg.mozilla.org/releases/mozilla-release/file/tip/security/manager/ssl/nsSTSPreloadList.inc mozilla-release], [https://hg.mozilla.org/releases/mozilla-esr45/file/tip/security/manager/ssl/nsSTSPreloadList.inc mozilla-esr45].


Each Saturday, an automated job attempts to update the preload list in mozilla-central, mozilla-aurora, and mozilla-esr. It runs an xpcshell script that makes an HTTPS request to each candidate host on the list. If xpcshell can connect successfully to a host and receives a "Strict-Transport-Security" header with a max-age value of at least 10886400 (18 weeks in seconds), that host is included in the list. The "preload" directive in the header is neither required nor checked; only successful connection and a sufficiently large max-age matter. The xpcshell script is [https://hg.mozilla.org/mozilla-central/file/tip/security/manager/tools/getHSTSPreloadList.js here]. Output from the automated job is [https://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-linux64/ here] (search for "periodicupdate"). If xpcshell cannot connect successfully to a host, or does not receive an appropriate header, that host is not included in the preload list. A corresponding entry in [https://hg.mozilla.org/mozilla-central/file/tip/security/manager/ssl/nsSTSPreloadList.errors this file] may help in determining the underlying error.


To guard against accidentally dropping a host from the list because of intermittent network problems, or because an active attacker is blocking the connection when the job runs, a host that is already on Firefox's preload list but cannot be reached is kept on the list. For a host to be removed from Firefox's preload list, it must be reachable when the update script runs and it must either not send a Strict-Transport-Security header at all or send one with a max-age less than 10886400. A host that is not yet on the list gains nothing from being unreachable: it simply is not added.


The shipped preload list also carries a built-in expiration time, 18 weeks after the list was most recently updated, so a build whose list has not been refreshed within that window stops relying on its shipped entries and falls back to the HSTS state it has learned from headers.
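The following is an added example, not Mozilla's getHSTSPreloadList.js: it models the inclusion and retention rules described above (the 18-week max-age threshold, the ignored preload directive, retention of unreachable hosts that are already listed, removal of reachable hosts whose header is missing or too short, and the list's own 18-week expiry) and runs them over constructed probe results so that it works offline. The hostnames, the probe results and the assumption that candidates are the union of the upstream list and the currently shipped list are all constructed for illustration.

```javascript
// Added example, not Mozilla's getHSTSPreloadList.js: a model of the
// inclusion and retention rules the weekly update job applies, run over
// constructed probe results so that it works offline.
// Assumption: candidates are the union of the upstream (Chromium) list and
// whatever Firefox currently ships, so retained hosts are never lost.
const MIN_MAX_AGE = 18 * 7 * 24 * 60 * 60; // 10886400 seconds (18 weeks)

// Parse a Strict-Transport-Security value (RFC 6797 section 6.1):
// ';'-separated directives, case-insensitive names, optionally quoted values.
// Returns null when the header is unusable (no max-age, or a non-numeric one).
function parseSTS(value) {
  if (typeof value !== 'string') return null;
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(';')) {
    const part = raw.trim();
    if (part === '') continue;
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : part.slice(eq + 1).trim();
    if (val !== null && val.length >= 2 && val[0] === '"' && val[val.length - 1] === '"') {
      val = val.slice(1, -1);
    }
    if (name === 'max-age') {
      if (val === null || !/^\d+$/.test(val)) return null;
      out.maxAge = Number(val);
    } else if (name === 'includesubdomains') {
      out.includeSubDomains = true;
    } else if (name === 'preload') {
      out.preload = true; // recorded here, but deliberately ignored below
    }
  }
  return out.maxAge === null ? null : out;
}

// Decide one host. `probe` is { reachable, sts }: sts is the raw header value
// from the HTTPS response, or null when the response carried none.
function decideHost(host, probe, currentList) {
  const existing = currentList.get(host);
  if (!probe.reachable) {
    // Unreachable hosts are retained if already listed, never newly added.
    return existing
      ? { keep: true, entry: existing, reason: 'unreachable, retained' }
      : { keep: false, reason: 'unreachable' };
  }
  const sts = parseSTS(probe.sts);
  if (sts === null) return { keep: false, reason: 'no usable Strict-Transport-Security header' };
  if (sts.maxAge < MIN_MAX_AGE) {
    return { keep: false, reason: `max-age ${sts.maxAge} below ${MIN_MAX_AGE}` };
  }
  return { keep: true, entry: { includeSubDomains: sts.includeSubDomains }, reason: 'ok' };
}

// Build the next list. Returns the new entries plus an error log in the
// spirit of nsSTSPreloadList.errors (one line per excluded host).
function updatePreloadList(currentList, upstreamCandidates, probes) {
  const candidates = new Set([...upstreamCandidates, ...currentList.keys()]);
  const next = new Map();
  const errors = [];
  for (const host of [...candidates].sort()) {
    const probe = probes.get(host) || { reachable: false, sts: null };
    const d = decideHost(host, probe, currentList);
    if (d.keep) next.set(host, d.entry);
    else errors.push(`${host}: ${d.reason}`);
  }
  return { next, errors };
}

// The shipped list carries its own expiry: 18 weeks after the last update.
function listExpired(lastUpdateMs, nowMs) {
  return nowMs - lastUpdateMs > MIN_MAX_AGE * 1000;
}

// Constructed sample data (not real hosts and not real probe output).
const CURRENT_LIST = new Map([
  ['d.example', { includeSubDomains: true }],
  ['f.example', { includeSubDomains: false }],
]);
const UPSTREAM = ['a.example', 'b.example', 'c.example', 'e.example', 'g.example'];
const PROBES = new Map([
  ['a.example', { reachable: true, sts: 'max-age=31536000; includeSubDomains; preload' }],
  ['b.example', { reachable: true, sts: 'max-age=10886400' }],           // exactly the threshold
  ['c.example', { reachable: true, sts: 'max-age=86400; preload' }],     // preload does not rescue a short max-age
  ['d.example', { reachable: false, sts: null }],                        // listed and unreachable: retained
  ['e.example', { reachable: false, sts: null }],                        // unlisted and unreachable: not added
  ['f.example', { reachable: true, sts: null }],                         // listed, reachable, header gone: removed
  ['g.example', { reachable: true, sts: 'includeSubDomains; preload' }], // no max-age: header is invalid
]);
const RESULT = updatePreloadList(CURRENT_LIST, UPSTREAM, PROBES);
```

Running it yields a next list of a.example, b.example and d.example (d.example keeps its old includeSubDomains flag because it was retained, not re-evaluated), while c.example, e.example, f.example and g.example each get an explanatory line in the error log, which is the same kind of information nsSTSPreloadList.errors provides when a site wonders why it was dropped.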