t oo created AIRFLOW-4180:
-----------------------------
Summary: [security] Lack of HTTP Strict Transport Security (HSTS) Policy
Key: AIRFLOW-4180
URL: https://issues.apache.org/jira/browse/AIRFLOW-4180
Project: Apache Airflow
Issue Type: Bug
Components: security, ui
Reporter: t oo
The Airflow application does not have the HSTS header set. HTTP Strict
Transport Security (HSTS) allows websites to declare themselves accessible only
over HTTPS and was designed to prevent hackers from forcing user connections
over HTTP or abusing mistakes in HTTPS implementations to compromise content
integrity. When the browser connects over HTTPS to a website that supports
HSTS, the site's strict transport security policy is saved and remembered for a
specified amount of time. From that point forward, as long as the cached policy
doesn't expire, the browser will refuse to initiate insecure connections with
that website. The standard mechanism of HSTS is the response header
"Strict-Transport-Security: max-age=expiretime", where expiretime is the time,
in seconds, that the browser should remember that this site is only accessed
through HTTPS.
The HSTS header (Strict-Transport-Security) is not set in server responses.
Business Impact/Attack Scenario
"When the browser loads the insecure resource it makes a request over plain
HTTP and can also send the user's session cookie along with it. An attacker
that can intercept the request using networking sniffing techniques can use the
cookie to hijack the user's account. Man-in-the-middle attacks can be executed,
where the attacker is in a position to intercept a user's connection with a
website.
From the client browser side, HTTP requests are possible until the request
reaches the server and instructs the browser to use HTTPS. This allows for
unencrypted communications in the initial request(s).
A web application may inadvertently contain HTTP links instead of HTTPS links.
This allows an attacker to be able to inject malicious code in the HTTP
requests and server responses.
Without the HSTS header, HTTPS click through prompts on browsers cannot be
prevented. This will allow an attacker to see the HTTPS requests and responses
in unencrypted form.
SSL Stripping:
The SSL stripping attack works (on TLS as well) by transparently converting a
secure HTTPS connection into a plain HTTP connection. The user can see that the
connection is insecure, but crucially there is no way of knowing whether the
connection should be secure. Many websites do not use TLS/SSL, therefore there
is no way of knowing (without prior knowledge) whether the use of plain HTTP is
due to an attack, or simply because the website hasn't implemented TLS/SSL.
Additionally, no warnings are presented to the user during the downgrade
process, making the attack fairly subtle to all but the most vigilant.
Marlinspike's sslstrip tool fully automates the attack."
Recommendation
"HSTS addresses the following threats:
- User bookmarks or manually types example.com and is subject to a
man-in-the-middle attacker
-> HSTS automatically redirects HTTP requests to HTTPS for the target domain.
- Web application that is intended to be purely HTTPS inadvertently contains
HTTP links or serves content over HTTP
-> HSTS automatically redirects HTTP requests to HTTPS for the target domain
- A man-in-the-middle attacker attempts to intercept traffic from a victim user
using an invalid certificate and hopes the user will accept the bad certificate
-> HSTS does not allow a user to override the invalid certificate message
If you wish to implement a fix for the web application solution below:
For websites or applications with private and confidential information, this
security policy must be employed in its HTTP Response header for HTTPS
connections: "Strict-Transport-Security: max-age=31536000".
Reference:
http://www.youtube.com/watch?v=zEV3HOuM_Vw&feature=youtube_gdata
https://tools.ietf.org/html/rfc6797
http://www.thoughtcrime.org/software/sslstrip/
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
The Internet Engineering Task Force (IETF) released the specification under
RFC6797"
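As an added example (not Airflow's own code and not part of the report), the header mechanism described in the issue body and the recommended "Strict-Transport-Security: max-age=31536000" value from the recommendation above, implemented as a dependency-free WSGI middleware in Python, together with a checker that parses a response's header into its directives the way RFC 6797 lays them out. All names are hypothetical; the trusted_proxy handling of X-Forwarded-Proto is an assumption about a deployment where a reverse proxy terminates TLS in front of the webserver.

```python
# Added example (not Apache Airflow's code): WSGI middleware that adds the
# Strict-Transport-Security header this issue recommends, plus a checker that
# parses the header per RFC 6797. Names are hypothetical; trusted_proxy is an
# assumption about a deployment with a TLS-terminating reverse proxy.
from typing import Callable, Dict, List, Optional, Tuple

Headers = List[Tuple[str, str]]
ONE_YEAR = 31536000  # the max-age value the issue recommends


def hsts_value(max_age: int = ONE_YEAR, include_subdomains: bool = False) -> str:
    """Build a Strict-Transport-Security value; only max-age is mandatory."""
    if max_age < 0:
        raise ValueError("max-age must be a non-negative number of seconds")
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


class HSTSMiddleware:
    """Add HSTS to responses served over HTTPS only.

    RFC 6797 section 7.2 says a host must not send the header over plain HTTP
    (browsers ignore it there), so the request scheme is checked first. Behind a
    TLS-terminating proxy wsgi.url_scheme is "http" on the app side, so
    trusted_proxy=True lets X-Forwarded-Proto decide (assumption: only the proxy
    can reach the app and it always sets that header).
    """

    def __init__(self, app: Callable, max_age: int = ONE_YEAR,
                 include_subdomains: bool = False, trusted_proxy: bool = False):
        self.app = app
        self.value = hsts_value(max_age, include_subdomains)
        self.trusted_proxy = trusted_proxy

    def _is_https(self, environ: dict) -> bool:
        if environ.get("wsgi.url_scheme", "").lower() == "https":
            return True
        if self.trusted_proxy:
            return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
        return False

    def __call__(self, environ: dict, start_response: Callable):
        https = self._is_https(environ)

        def wrapped_start(status, headers: Headers, exc_info=None):
            present = any(k.lower() == "strict-transport-security" for k, _ in headers)
            if https and not present:  # never duplicate, never send over HTTP
                headers.append(("Strict-Transport-Security", self.value))
            return start_response(status, headers, exc_info)

        return self.app(environ, wrapped_start)


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split 'max-age=N; includeSubDomains' into lower-cased directive names."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def check_hsts(headers: Headers, min_age: int = ONE_YEAR) -> Tuple[bool, str]:
    """Return (ok, reason): ok only if the header exists with max-age >= min_age."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return False, "Strict-Transport-Security header missing"
    age = parse_hsts(values[0]).get("max-age")
    if age is None or not age.isdigit():
        return False, "max-age directive missing or not a number"
    if int(age) < min_age:
        return False, f"max-age {age} is below the recommended {min_age}"
    return True, "ok"


def demo_app(environ, start_response):
    """Minimal WSGI app standing in for the webserver."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def make_environ(scheme: str, forwarded_proto: Optional[str] = None) -> dict:
    """Constructed WSGI environ for a request arriving over the given scheme."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "wsgi.url_scheme": scheme}
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return environ


def run_request(app: Callable, environ: dict) -> Tuple[str, Headers, bytes]:
    """Call a WSGI app and capture status, headers and body without a server."""
    captured: dict = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = HSTSMiddleware(demo_app)
    for scheme in ("https", "http"):
        _, hdrs, _ = run_request(app, make_environ(scheme))
        print(scheme, hdrs, check_hsts(hdrs))
```

Running the block shows the header on the HTTPS response and its absence on the HTTP one; check_hsts can also be pointed at the headers captured from a real deployment to confirm that the value is present and that max-age is at least the recommended year. Setting includeSubDomains is left off by default because it commits every subdomain to HTTPS, which needs a deliberate decision.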
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)