[ https://issues.apache.org/jira/browse/AIRFLOW-4180?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ash Berlin-Taylor closed AIRFLOW-4180.
--------------------------------------
Resolution: Won't Fix
I don't recommend doing SSL termination in Airflow anyway, so this is not
Airflow's job.
> [security] Lack of HTTP Strict Transport Security (HSTS) Policy
> ---------------------------------------------------------------
>
> Key: AIRFLOW-4180
> URL: https://issues.apache.org/jira/browse/AIRFLOW-4180
> Project: Apache Airflow
> Issue Type: Bug
> Components: security, ui
> Reporter: t oo
> Priority: Major
>
> The Airflow application does not have the HSTS header set. HTTP Strict
> Transport Security (HSTS) allows websites to declare themselves accessible
> only over HTTPS and was designed to prevent hackers from forcing user
> connections over HTTP or abusing mistakes in HTTPS implementations to
> compromise content integrity. When the browser connects over HTTPS to a
> website that supports HSTS, the site's strict transport security policy is
> saved and remembered for a specified amount of time. From that point forward,
> as long as the cached policy doesn't expire, the browser will refuse to
> initiate insecure connections with that website. This is the standard
> mechanism of HSTS: "Strict-Transport-Security: max-age=expiretime". The time,
> in seconds, that the browser should remember that this site is only accessed
> through https.
>
> The HSTS header (Strict-Transport-Security) is not set in server responses.
>
> Business Impact/Attack Scenario
> "When the browser loads the insecure resource it makes a request over plain
> HTTP and can also send the user's session cookie along with it. An attacker
> that can intercept the request using networking sniffing techniques can use
> the cookie to hijack the user's account. Man-in-the-middle attacks can be
> executed, where the attacker is in a position to intercept a user's
> connection with a website.
> From the client browser side, HTTP requests are possible until the request
> reaches the server and instructs the browser to use HTTPS. This allows for
> unencrypted communications in the initial request(s).
> A web application may inadvertently contain HTTP links instead of HTTPS
> links. This allows an attacker to be able to inject malicious code in the
> HTTP requests and server responses.
> Without the HSTS header, HTTPS click through prompts on browsers cannot be
> prevented. This will allow an attacker to see the HTTPS requests and
> responses in unencrypted form.
> SSL Stripping:
> The SSL stripping attack works (on TLS as well) by transparently converting a
> secure HTTPS connection into a plain HTTP connection. The user can see that
> the connection is insecure, but crucially there is no way of knowing whether
> the connection should be secure. Many websites do not use TLS/SSL, therefore
> there is no way of knowing (without prior knowledge) whether the use of plain
> HTTP is due to an attack, or simply because the website hasn't implemented
> TLS/SSL. Additionally, no warnings are presented to the user during the
> downgrade process, making the attack fairly subtle to all but the most
> vigilant. Marlinspike's sslstrip tool fully automates the attack."
>
> Recommendation
> "HSTS addresses the following threats:
> - User bookmarks or manually types example.com and is subject to a
> man-in-the-middle attacker
> -> HSTS automatically redirects HTTP requests to HTTPS for the target domain.
> - Web application that is intended to be purely HTTPS inadvertently contains
> HTTP links or serves content over HTTP
> -> HSTS automatically redirects HTTP requests to HTTPS for the target domain
> - A man-in-the-middle attacker attempts to intercept traffic from a victim
> user using an invalid certificate and hopes the user will accept the bad
> certificate
> -> HSTS does not allow a user to override the invalid certificate message
> If you wish to implement a fix for the web application solution below:
> For websites or applications with private and confidential information, this
> security policy must be employed in its HTTP Response header for HTTPS
> connections: "Strict-Transport-Security: max-age=31536000".
> Reference:
> http://www.youtube.com/watch?v=zEV3HOuM_Vw&feature=youtube_gdata
> https://tools.ietf.org/html/rfc6797
> http://www.thoughtcrime.org/software/sslstrip/
> https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
> The Internet Engineering Task Force (IETF) released the specification under
> RFC6797"
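Since the resolution leaves HSTS to whatever terminates TLS in front of Airflow, the check a deployer wants is one that audits the header as the proxy actually serves it. The following is an added example (not code from the ticket or from Airflow) that parses a Strict-Transport-Security value by the RFC 6797 section 6.1 rules (max-age required, each directive at most once, quoted values allowed, unknown directives ignored) and flags the failure modes a browser would silently accept; `audit_response`, `parse_hsts` and the sample responses are constructed for this illustration.

```python
from dataclasses import dataclass


@dataclass
class HstsPolicy:
    max_age: int                  # seconds the browser remembers the policy
    include_subdomains: bool      # optional includeSubDomains directive


def parse_hsts(value: str) -> HstsPolicy:
    """Parse one STS field value; raise ValueError where a UA would discard it."""
    seen, max_age, include_subdomains = set(), None, False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]       # quoted-string form of the value is allowed
        if name in seen:          # each directive may appear at most once
            raise ValueError(f"repeated directive: {name}")
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        # unrecognised directives are ignored by the UA
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains)


def audit_response(scheme: str, headers: list, min_age: int = 31536000) -> list:
    """Return findings for one response; an empty list means the header is acceptable."""
    if scheme != "https":
        # RFC 6797 section 7.2: the header is only honoured on HTTPS responses
        return ["HSTS cannot take effect over plain HTTP; terminate TLS first"]
    sts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not sts:
        return ["Strict-Transport-Security header missing"]
    try:
        policy = parse_hsts(sts[0])   # UAs process only the first STS field
    except ValueError as exc:
        return [f"STS header would be ignored: {exc}"]
    if policy.max_age == 0:
        return ["max-age=0 clears the cached policy instead of enforcing it"]
    if policy.max_age < min_age:
        return [f"max-age {policy.max_age} is below the recommended {min_age}"]
    return []
```

Run it against the headers returned by the reverse proxy on the HTTPS listener; a finding on the HTTP listener only confirms that the policy has to be learned from an HTTPS response first.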
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)