Ehsan Akhgari
Jan 31, 2017, 1:27:55 PM
to Gregory Szorc, dev-version-control, release-engineering, dev-platform, Firefox Dev, dev-builds, mozill...@lists.mozilla.org
I have two extra suggestions for added security benefits:
1. In order to ensure that clients that support CSP will never attempt
to contact the HTTP version of the site for fetching any subresources
that may still point to http:, please make sure to serve the
|Content-Security-Policy: upgrade-insecure-requests| header from HTTP.
<https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests>
2. In order to ensure that clients that support HSTS will never attempt
to contact the HTTP version of the site at all (once they have visited
the https site once), please make sure to serve the
|Strict-Transport-Security: max-age=NNN| header from the HTTPS version
of the site. This will also improve performance for those clients as a
side benefit by eliminating one roundtrip to the server to get the 301
redirect.
<https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security>
Thanks,
Ehsan
On 2017-01-26 5:17 PM, Gregory Szorc wrote:
> It may be surprising, but hg.mozilla.org <http://hg.mozilla.org> is
> still accepting plain text connections via http://hg.mozilla.org/ and
> isn't redirecting them to https://hg.mozilla.org/.
>
> On February 1 likely around 0800 PST, all requests to
> http://hg.mozilla.org/ will issue an HTTP 301 Moved Permanently redirect
> to https://hg.mozilla.org/.
>
> If anything breaks as a result of this change, the general opinion is it
> deserves to break because it isn't using secure communications and is
> possibly a security vulnerability. Therefore, unless this change causes
> widespread carnage, it is unlikely to be rolled back.
>
> Please note that a lot of 3rd parties query random content on
> hg.mozilla.org <http://hg.mozilla.org>. For example, Curl's widespread
> mk-ca-bundle.pl script for bootstrapping the
> trusted CA bundle queried http://hg.mozilla.org/ until recently [1]. So
> it is likely this change may break random things outside of Mozilla.
> Again, anything not using https://hg.mozilla.org/ should probably be
> treated as a security vulnerability and fixed ASAP.
>
> For legacy clients only supporting TLS 1.0 (this includes Python 2.6 and
> /usr/bin/python on all versions of OS X - see [2]), hg.mozilla.org
> <http://hg.mozilla.org> still supports [marginally secure compared to
> TLS 1.1+] TLS 1.0 connections and will continue to do so for the
> foreseeable future.
>
> This change is tracked in bug 450645. Please subscribe to stay in the
> loop regarding future changes, such as removing support for TLS 1.0 and
> not accepting plain text http://hg.mozilla.org/ connections at all.
>
> Please send comments to bug 450645 or reply to
> dev-versi...@lists.mozilla.org <mailto:dev-versi...@lists.mozilla.org>.
>
> [1]
> https://github.com/curl/curl/commit/1ad2bdcf110266c33eea70b895cb8c150eeac790
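A small checker for the three things discussed in this thread (the 301 from http: to https:, the CSP upgrade-insecure-requests header on the HTTP side and an HSTS header on the HTTPS side), added here as an example and not code from either poster or from hg.mozilla.org. The responses, the host name hg.example.org and the one-year max-age threshold are constructed assumptions; the post itself only says max-age=NNN.

```python
from urllib.parse import urlsplit

# Constructed sample responses (status, headers) for a hypothetical host; not fetched.
HTTP_RESPONSE = (301, {"Location": "https://hg.example.org/",
                       "Content-Security-Policy": "upgrade-insecure-requests"})
HTTPS_RESPONSE = (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})

def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def csp_upgrades_insecure_requests(headers):
    """True if the CSP header carries the upgrade-insecure-requests directive."""
    csp = _header(headers, "Content-Security-Policy") or ""
    directives = [d.split()[0].lower() for d in csp.split(";") if d.strip()]
    return "upgrade-insecure-requests" in directives

def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or None if absent or unparseable."""
    hsts = _header(headers, "Strict-Transport-Security")
    if hsts is None:
        return None
    for part in hsts.split(";"):
        name, _, value = part.strip().partition("=")
        value = value.strip().strip('"')
        if name.strip().lower() == "max-age" and value.isdigit():
            return int(value)
    return None

def check_migration(http_resp, https_resp, host, min_max_age=31536000):
    """Named findings; every value True means the setup matches the suggestions.
    min_max_age defaults to one year, an assumed threshold (the post says NNN)."""
    status, http_headers = http_resp
    location = urlsplit(_header(http_headers, "Location") or "")
    max_age = hsts_max_age(https_resp[1])
    return {
        "http_redirects_permanently": status == 301,
        "redirect_targets_https_same_host": location.scheme == "https" and location.hostname == host,
        "http_sends_upgrade_insecure_requests": csp_upgrades_insecure_requests(http_headers),
        "https_sends_hsts": max_age is not None,
        "hsts_max_age_sufficient": max_age is not None and max_age >= min_max_age,
    }

if __name__ == "__main__":
    for finding, ok in check_migration(HTTP_RESPONSE, HTTPS_RESPONSE, "hg.example.org").items():
        print(f"{'OK ' if ok else 'BAD'} {finding}")
```

To run it against a live host, feed it the status and header dict of a real GET on each scheme; a 302 or an http: Location is reported as a failed finding rather than silently accepted.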