Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#10424 closed enhancement (fixed)

torproject.org doesn't send an HSTS header

Reported by: zyan
Owned by:
Priority: High
Milestone:
Component: Internal Services/Tor Sysadmin Team
Version:
Severity:
Keywords:
Cc: weasel
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

www.torproject.org does, but not torproject.org. You guys apparently tried to put torproject.org in the HSTS preload lists, but Firefox rejected it because it didn't send an HSTS header. http://mxr.mozilla.org/mozilla-central/source/security/manager/boot/src/nsSTSPreloadList.errors

Child Tickets

Change History (10)

comment:1 Changed 6 years ago by phobos

Resolution: not a bug
Status: new → closed

www.torproject.org is the correct URL for HSTS, not torproject.org.

comment:2 Changed 6 years ago by zyan

Resolution: not a bug
Status: closed → reopened

Why not send HSTS headers for both? Since torproject.org is in the Chrome/Chromium HSTS preload list [1], Chrome/Chromium already behaves as if torproject.org were sending HSTS headers. There's no reason to have lower security levels for Firefox users.

http://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json

comment:3 Changed 6 years ago by zyan

Type: defect → enhancement

comment:4 Changed 6 years ago by phobos

Resolution: not a bug
Status: reopened → closed

It's a forced redirect to www.torproject.org. No one should hit torproject.org directly and expect anything.

HSTS on torproject.org in chromium shouldn't be there.

Last edited 6 years ago by phobos

comment:5 Changed 6 years ago by zyan

Resolution: not a bug
Status: closed → reopened

No, redirecting from http://torproject.org to https://www.torproject.org does not prevent the class of attacks that HSTS is supposed to address. Ex:

  1. User types in torproject.org. Their browser by default sends them to http://torproject.org.
  2. An active MITM intercepts that HTTP request and injects malicious content.

You're in fact vulnerable to sslstrip (http://www.thoughtcrime.org/software/sslstrip/) if you don't enforce HSTS on torproject.org, simply because a significant percentage of users won't make sure that they go to WWW.torproject.org.

comment:6 Changed 6 years ago by arma

Cc: weasel added

comment:7 Changed 6 years ago by cypherpunks

I'm sure tor knows about the vulnerabilities and such with non-ssl to ssl and HSTS and the like.

Why would a user hit http://torproject.org anyway?

comment:8 Changed 6 years ago by zyan

cypherpunks:

Safer not to make those assumptions a priori. :)

Some ways that users hit http://torproject.org:

  1. Links in posts like this one from a couple minutes ago: https://twitter.com/NOORALDAIN/status/415709547047567360. If you type torproject.org on Twitter, it gets converted to http://torproject.org
  2. If you type in torproject.org in the browser's URL bar, the same thing happens.

Anyway, it should be easy for Tor sysadmins to check how many people hit http://torproject.org per day.

comment:9 Changed 6 years ago by weasel

Resolution: fixed
Status: reopened → closed

We no longer restrict sts headers to OK responses.
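A model of the apex/www situation argued over in this ticket, added here as an example (not the Tor project's own code): it applies the RFC 6797 rule that a browser records HSTS only from responses received over HTTPS, whatever the status code, and shows why sending the header on the 200 from www but not on the apex 301 leaves a typed `torproject.org` on a cleartext first hop until the fix in comment 9. The response sets and the max-age value are constructed, not captured from torproject.org.

```python
# Added example, not the Tor project's code; responses and max-age are constructed.
STS, LOC = "Strict-Transport-Security", "Location"
WWW = "https://www.torproject.org/"
# (scheme, host) -> (status, headers). Before comment 9 the apex sent
# STS only on 200s, and it never answers 200: it always 301s to www.
BEFORE_FIX = {
    ("http", "torproject.org"): (301, {LOC: WWW}),
    ("https", "torproject.org"): (301, {LOC: WWW}),
    ("https", "www.torproject.org"):
        (200, {STS: "max-age=15768000; includeSubDomains"}),
}
# After the fix the header also rides on the apex redirect.
AFTER_FIX = dict(BEFORE_FIX)
AFTER_FIX[("https", "torproject.org")] = (301, {LOC: WWW, STS: "max-age=15768000"})

def parse_sts(value):
    """Split an STS field value into a {directive: value} dict."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip().strip('"')
    return out

def learn_hsts(responses):
    """host -> includeSubDomains flag for each HSTS host a browser
    records. RFC 6797: the header counts only over https (any status,
    so a 301 qualifies) and is ignored over plain http, where a MITM
    could have written it."""
    known = {}
    for (scheme, host), (_status, headers) in responses.items():
        if scheme != "https" or STS not in headers:
            continue
        d = parse_sts(headers[STS])
        if int(d.get("max-age", "0")) > 0:
            known[host] = "includesubdomains" in d
    return known

def first_hop_is_cleartext(typed_host, responses):
    """True if typing `typed_host` yields a plain http request, the
    window an sslstrip-style MITM needs. Only an entry for the exact
    host, or a parent with includeSubDomains, upgrades it; www's flag
    never covers the apex, which is its parent, not a subdomain."""
    known = learn_hsts(responses)
    labels = typed_host.split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in known and (i == 0 or known[name]):
            return False
    return True
```

Even after the fix, a browser must have seen the apex over HTTPS once before it upgrades; the preload lists mentioned above exist to close that first-visit gap.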

comment:10 in reply to: 8 Changed 6 years ago by cypherpunks

Replying to zyan:

Some ways that users hit http://torproject.org:

  1. Links in posts like this one from a couple minutes ago: https://twitter.com/NOORALDAIN/status/415709547047567360. If you type torproject.org on Twitter, it gets converted to http://torproject.org

It appears twitter is dumb then. Users get what they deserve by following twitter links.

  1. If you type in torproject.org in the browser's URL bar, the same thing happens.

I wager a bet where the vast majority go to google, type torproject.org, and are correctly pointed at https://www.torproject.org
