Edit summaries for this revision: (s/esr45/esr52/); (aurora doesn't exist any more)
Firefox ships with a list of hosts that are treated as HTTP Strict Transport Security hosts (HSTS - [https://tools.ietf.org/html/rfc6797 see RFC 6797]) by default. This list is based on [https://www.chromium.org/hsts/ a list Chromium maintains]. The versions of the list as it exists in the various channels of Firefox are available here: [https://hg.mozilla.org/mozilla-central/file/tip/security/manager/ssl/nsSTSPreloadList.inc mozilla-central] [https://hg.mozilla.org/releases/mozilla-beta/file/tip/security/manager/ssl/nsSTSPreloadList.inc mozilla-beta] [https://hg.mozilla.org/releases/mozilla-release/file/tip/security/manager/ssl/nsSTSPreloadList.inc mozilla-release] [https://hg.mozilla.org/releases/mozilla-esr52/file/tip/security/manager/ssl/nsSTSPreloadList.inc mozilla-esr52].
Every day, an automated job attempts to update the preload list in mozilla-central and mozilla-esr. This involves running an xpcshell script that makes an https request to each candidate host on the list. If xpcshell can connect successfully to a host and receives a "Strict-Transport-Security" header with a max-age value of at least 10886400 (18 weeks in seconds), that host is included in the list (the "preload" directive is ignored). If xpcshell cannot connect successfully to a host or does not receive an appropriate header, that host is not included in the preload list. A corresponding entry in [https://hg.mozilla.org/mozilla-central/file/tip/security/manager/ssl/nsSTSPreloadList.errors this file] may help in determining the underlying error.
The xpcshell script is [https://hg.mozilla.org/mozilla-central/file/tip/security/manager/tools/getHSTSPreloadList.js here]. Output from the automated job as run on each branch is available here: [https://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-linux64/ mozilla-central] [https://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-esr52-linux64/ mozilla-esr52] (search for "periodicupdate").
To guard against accidentally dropping a host from the list due to intermittent network issues or an active attacker, if a host is already on the preload list in Firefox but cannot be reached, the script keeps it on the preload list. For a host to be removed from Firefox's preload list, it must be accessible when the update script runs and it must either not send a Strict-Transport-Security header or it must send the header with a max-age less than 10886400.
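The include/keep/remove rules described above, as an added JavaScript illustration that is not Mozilla's getHSTSPreloadList.js: it parses a Strict-Transport-Security value and applies the max-age threshold and the "unreachable hosts stay listed" rule. The probe object shape ({connected, stsHeader}), the function names and the sample hosts are assumptions of this example.

```javascript
// Added illustration of the update rules described above; not Mozilla's
// getHSTSPreloadList.js. Function and field names are my own.
const MINIMUM_MAX_AGE = 10886400; // 18 weeks in seconds, the page's threshold

// Parse a Strict-Transport-Security value (RFC 6797 syntax) into its directives.
// Returns null when max-age is missing or not an unsigned integer.
function parseSTSHeader(value) {
  if (typeof value !== "string") return null;
  let maxAge = null, includeSubDomains = false, preload = false;
  for (const raw of value.split(";")) {
    const directive = raw.trim();
    if (!directive) continue;
    const eq = directive.indexOf("=");
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : directive.slice(eq + 1).trim();
    if (val && val.length >= 2 && val.startsWith('"') && val.endsWith('"')) val = val.slice(1, -1);
    if (name === "max-age") {
      if (val === null || !/^\d+$/.test(val)) return null;
      maxAge = Number(val);
    } else if (name === "includesubdomains") includeSubDomains = true;
    else if (name === "preload") preload = true;
  }
  return maxAge === null ? null : { maxAge, includeSubDomains, preload };
}

// Apply the rules to one host. probe = { connected, stsHeader } is the outcome of
// an https request made elsewhere (assumed shape, not a real API). Returns
// "include" (new host added), "keep", "remove", or "skip" (not listed, nothing
// to do). The "preload" directive is deliberately not consulted.
function decidePreloadStatus(onCurrentList, probe) {
  if (!probe.connected) {
    // Unreachable: a listed host stays listed so an outage or an attacker blocking the probe cannot evict it.
    return onCurrentList ? "keep" : "skip";
  }
  const sts = parseSTSHeader(probe.stsHeader);
  const qualifies = sts !== null && sts.maxAge >= MINIMUM_MAX_AGE;
  if (qualifies) return onCurrentList ? "keep" : "include";
  return onCurrentList ? "remove" : "skip"; // reachable but no header or max-age too small
}

// Constructed sample hosts and probe results (not real measurements).
function auditConstructedSample() {
  const sample = [
    ["new.example", false, { connected: true, stsHeader: "max-age=31536000; includeSubDomains; preload" }],
    ["down.example", true, { connected: false, stsHeader: null }],
    ["short.example", true, { connected: true, stsHeader: "max-age=3600" }],
    ["noheader.example", true, { connected: true, stsHeader: null }],
  ];
  return Object.fromEntries(sample.map(([h, listed, probe]) => [h, decidePreloadStatus(listed, probe)]));
}
```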
The preload list has a built-in expiration time that is 18 weeks from when the list was most recently updated.