torproject.org doesn't send an HSTS header
www.torproject.org does, but not torproject.org. You guys apparently tried to put torproject.org in the HSTS preload lists, but Firefox rejected it because it didn't send an HSTS header. http://mxr.mozilla.org/mozilla-central/source/security/manager/boot/src/nsSTSPreloadList.errors
www.torproject.org is the correct url for HSTS, not torproject.org
Trac:
Resolution: N/A to not a bug
Status: new to closed

Why not send HSTS headers for both? Since torproject.org is in the Chrome/Chromium HSTS preload list [1], Chrome/Chromium already behaves as if torproject.org were sending HSTS headers. There's no reason to have lower security levels for Firefox users.
http://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json
Trac:
Resolution: not a bug to N/A
Status: closed to reopened

It's a forced redirect to www.torproject.org. No one should hit torproject.org directly and expect anything.
HSTS on torproject.org in chromium shouldn't be there.
Trac:
Status: reopened to closed
Resolution: N/A to not a bug

No, redirecting from http://torproject.org to https://www.torproject.org does not prevent the class of attacks that HSTS is supposed to address. Ex:
- User types in torproject.org. Their browser by default sends them to http://torproject.org.
- An active MITM intercepts that HTTP request and injects malicious content.
You're in fact vulnerable to sslstrip (http://www.thoughtcrime.org/software/sslstrip/) if you don't enforce HSTS on torproject.org, simply because a significant percentage of users won't make sure that they go to WWW.torproject.org.
Trac:
Status: closed to reopened
Resolution: not a bug to N/A

Trac:
Cc: N/A to weasel

I'm sure tor knows about the vulnerabilities and such with non-ssl to ssl and HSTS and the like.
Why would a user hit http://torproject.org anyway?
cypherpunks:
Safer not to make those assumptions a priori. :)
Some ways that users hit http://torproject.org:
- Links in posts like this one from a couple minutes ago: https://twitter.com/NOORALDAIN/status/415709547047567360. If you type torproject.org on Twitter, it gets converted to http://torproject.org
- If you type in torproject.org in the browser's URL bar, the same thing happens.
Anyway, it should be easy for Tor sysadmins to check how many people hit http://torproject.org per day.
We no longer restrict sts headers to OK responses.
Trac:
Status: reopened to closed
Resolution: N/A to fixed

Replying to zyan:
> Some ways that users hit http://torproject.org:
> - Links in posts like this one from a couple minutes ago: https://twitter.com/NOORALDAIN/status/415709547047567360. If you type torproject.org on Twitter, it gets converted to http://torproject.org

It appears Twitter is dumb then. Users get what they deserve by following Twitter links.

> - If you type in torproject.org in the browser's URL bar, the same thing happens.

I'd wager that the vast majority go to Google, type torproject.org, and are correctly pointed at https://www.torproject.org.
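The disagreement above comes down to two properties of HSTS that are easy to check in code: a policy learned from www.torproject.org says nothing about the bare torproject.org (includeSubDomains only reaches down the tree, never up to the parent), and a browser only records the header when it arrives over HTTPS, so a plain http:// redirect can never deliver it. The following is an added example, not Tor Project code. The hostnames are the ones discussed in the thread; the header values and the redirect layout of the two constructed sites are assumptions chosen to illustrate the before/after, not a record of what torproject.org served. The preload checks follow the published hstspreload.org requirements (max-age of at least one year, includeSubDomains, the preload token, and a same-host http to https redirect); `visit()` models a browser with an HSTS cache following redirects and counts how many plaintext requests an on-path sslstrip attacker would get to touch.

```python
"""Added example (not Tor Project code): why HSTS on www.example does not
protect users who type the bare example, and what changes when the apex host
sends Strict-Transport-Security on its own HTTPS redirect or is preloaded.
Site layouts and header values below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# hstspreload.org requirements for the apex domain (assumed current here):
# max-age >= 1 year, includeSubDomains, preload, same-host http->https redirect.
PRELOAD_MIN_MAX_AGE = 31536000
MAX_REDIRECTS = 5


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


def parse_hsts(value: str) -> Dict[str, str]:
    """Split a Strict-Transport-Security value into lower-cased directives (RFC 6797 s6.1)."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def hsts_policy(url: str, resp: Response) -> Optional[dict]:
    """Policy a browser records from this response, or None.
    RFC 6797 s8.1: the header is ignored over non-secure transport. The status
    code is irrelevant, so a 301 redirect may carry it (the 'OK responses' fix)."""
    if urlsplit(url).scheme != "https":
        return None
    value = resp.headers.get("Strict-Transport-Security")
    if value is None:
        return None
    d = parse_hsts(value)
    if not d.get("max-age", "").isdigit():
        return None
    return {"max_age": int(d["max-age"]),
            "include_subdomains": "includesubdomains" in d,
            "preload": "preload" in d}


def preload_eligible(policy: Optional[dict]) -> bool:
    """Does the apex policy meet the preload list's minimum requirements?"""
    return bool(policy) and policy["max_age"] >= PRELOAD_MIN_MAX_AGE \
        and policy["include_subdomains"] and policy["preload"]


def covered(host: str, cache: Dict[str, dict]) -> bool:
    """Known HSTS host? A parent's includeSubDomains covers its children, but a
    policy on www.torproject.org never covers the bare torproject.org."""
    if host in cache:
        return True
    labels = host.split(".")
    return any(".".join(labels[i:]) in cache and cache[".".join(labels[i:])]["include_subdomains"]
               for i in range(1, len(labels)))


def visit(site: Dict[str, Response], typed_host: str, cache: Dict[str, dict]) -> int:
    """One navigation: the user types a bare host, the browser defaults to http://
    unless HSTS upgrades it, follows redirects and learns policies. Returns the
    number of plaintext requests, each of which an on-path attacker could sslstrip."""
    url = "http://" + typed_host + "/"
    plaintext = 0
    for _ in range(MAX_REDIRECTS):
        parts = urlsplit(url)
        if parts.scheme == "http":
            if covered(parts.hostname, cache):      # upgrade before anything leaves the box
                url = "https://" + parts.netloc + parts.path
                continue
            plaintext += 1                           # attacker-visible request
        resp = site[url]
        policy = hsts_policy(url, resp)
        if policy:
            cache[parts.hostname] = policy
        if resp.status in (301, 302, 307, 308):
            url = resp.headers["Location"]
            continue
        return plaintext
    raise RuntimeError("redirect loop")


def simulate(site: Dict[str, Response], typed_host: str, visits: int = 2,
             preloaded: Optional[Dict[str, dict]] = None) -> List[int]:
    """Plaintext request count per visit for a browser starting with the given (preload) cache."""
    cache = dict(preloaded or {})
    return [visit(site, typed_host, cache) for _ in range(visits)]


STS_WWW = "max-age=15768000"                              # constructed: www-only, six months
STS_APEX = "max-age=31536000; includeSubDomains; preload"  # constructed: preload-grade

# Constructed layout 1: only www sends the header; the apex redirects straight to www.
WWW_ONLY = {
    "http://torproject.org/": Response(301, {"Location": "https://www.torproject.org/"}),
    "https://torproject.org/": Response(301, {"Location": "https://www.torproject.org/"}),
    "http://www.torproject.org/": Response(301, {"Location": "https://www.torproject.org/"}),
    "https://www.torproject.org/": Response(200, {"Strict-Transport-Security": STS_WWW}),
}
# Constructed layout 2: plain http goes to https on the same host first, and the
# apex 301 carries the header, so the browser actually gets to see it.
APEX_TOO = dict(WWW_ONLY)
APEX_TOO["http://torproject.org/"] = Response(301, {"Location": "https://torproject.org/"})
APEX_TOO["https://torproject.org/"] = Response(
    301, {"Location": "https://www.torproject.org/", "Strict-Transport-Security": STS_APEX})

if __name__ == "__main__":
    print("www-only, typed torproject.org :", simulate(WWW_ONLY, "torproject.org"))
    print("apex too, typed torproject.org :", simulate(APEX_TOO, "torproject.org"))
```

Running it shows the www-only layout leaving every typed visit to torproject.org on plaintext, while the second layout is exposed only on the very first visit and not at all once the apex policy is preloaded; `preload_eligible()` on the apex response is the same gate the Firefox list generator applied when it rejected the entry for not sending the header.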