[
https://issues.apache.org/jira/browse/RANGER-2833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Dineshkumar Yadav updated RANGER-2833:
--------------------------------------
Description:
Currently Strict-transport-security is not enforced on login.jsp
*Description*: The application fails to prevent users from connecting to it
over unencrypted connections. An attacker able to modify a legitimate user's
network traffic could bypass the application's use of SSL/TLS encryption, and
use the application as a platform for attacks against its users. This attack is
performed by rewriting HTTPS links as HTTP, so that if a targeted user follows
a link to the site from an HTTP page, their browser never attempts to use an
encrypted connection. The sslstrip tool automates this process.
To exploit this vulnerability, an attacker must be suitably positioned to
intercept and modify the victim's network traffic. This scenario typically
occurs when a client communicates with the server over an insecure connection
such as public Wi-Fi, or a corporate or home network that is shared with a
compromised computer. Common defenses such as switched networks are not
sufficient to prevent this. An attacker situated in the user's ISP or the
application's hosting infrastructure could also perform this attack. Note that
an advanced adversary could potentially target any connection made over the
Internet's core infrastructure.
*Mitigation*: The application should instruct web browsers to only access the
application using HTTPS. To do this, enable HTTP Strict Transport Security
(HSTS) by adding a response header with the name 'Strict-Transport-Security'
and the value 'max-age=expireTime', where expireTime is the time in seconds
that browsers should remember that the site should only be accessed using
HTTPS. Consider adding the 'includeSubDomains' flag if appropriate.
Note that because HSTS is a "trust on first use" (TOFU) protocol, a user who
has never accessed the application will never have seen the HSTS header, and
will therefore still be vulnerable to SSL stripping attacks. To mitigate this
risk, you can optionally add the 'preload' flag to the HSTS header, and submit
the domain for review by browser vendors.
was:
Currently Strict transport security is not enforced on login.jsp
*Description*: The application fails to prevent users from connecting to it
over unencrypted connections. An attacker able to modify a legitimate user's
network traffic could bypass the application's use of SSL/TLS encryption, and
use the application as a platform for attacks against its users. This attack is
performed by rewriting HTTPS links as HTTP, so that if a targeted user follows
a link to the site from an HTTP page, their browser never attempts to use an
encrypted connection. The sslstrip tool automates this process.
To exploit this vulnerability, an attacker must be suitably positioned to
intercept and modify the victim's network traffic. This scenario typically
occurs when a client communicates with the server over an insecure connection
such as public Wi-Fi, or a corporate or home network that is shared with a
compromised computer. Common defenses such as switched networks are not
sufficient to prevent this. An attacker situated in the user's ISP or the
application's hosting infrastructure could also perform this attack. Note that
an advanced adversary could potentially target any connection made over the
Internet's core infrastructure.
*Mitigation*: The application should instruct web browsers to only access the
application using HTTPS. To do this, enable HTTP Strict Transport Security
(HSTS) by adding a response header with the name 'Strict-Transport-Security'
and the value 'max-age=expireTime', where expireTime is the time in seconds
that browsers should remember that the site should only be accessed using
HTTPS. Consider adding the 'includeSubDomains' flag if appropriate.
Note that because HSTS is a "trust on first use" (TOFU) protocol, a user who
has never accessed the application will never have seen the HSTS header, and
will therefore still be vulnerable to SSL stripping attacks. To mitigate this
risk, you can optionally add the 'preload' flag to the HSTS header, and submit
the domain for review by browser vendors.
> Enforcing Strict transport security
> -----------------------------------
>
> Key: RANGER-2833
> URL: https://issues.apache.org/jira/browse/RANGER-2833
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Dineshkumar Yadav
> Priority: Major
>
> Currently Strict-transport-security is not enforced on login.jsp
> *Description*: The application fails to prevent users from connecting to it
> over unencrypted connections. An attacker able to modify a legitimate user's
> network traffic could bypass the application's use of SSL/TLS encryption, and
> use the application as a platform for attacks against its users. This attack
> is performed by rewriting HTTPS links as HTTP, so that if a targeted user
> follows a link to the site from an HTTP page, their browser never attempts to
> use an encrypted connection. The sslstrip tool automates this process.
> To exploit this vulnerability, an attacker must be suitably positioned to
> intercept and modify the victim's network traffic. This scenario typically
> occurs when a client communicates with the server over an insecure connection
> such as public Wi-Fi, or a corporate or home network that is shared with a
> compromised computer. Common defenses such as switched networks are not
> sufficient to prevent this. An attacker situated in the user's ISP or the
> application's hosting infrastructure could also perform this attack. Note
> that an advanced adversary could potentially target any connection made over
> the Internet's core infrastructure.
> *Mitigation*: The application should instruct web browsers to only access the
> application using HTTPS. To do this, enable HTTP Strict Transport Security
> (HSTS) by adding a response header with the name 'Strict-Transport-Security'
> and the value 'max-age=expireTime', where expireTime is the time in seconds
> that browsers should remember that the site should only be accessed using
> HTTPS. Consider adding the 'includeSubDomains' flag if appropriate.
> Note that because HSTS is a "trust on first use" (TOFU) protocol, a user who
> has never accessed the application will never have seen the HSTS header, and
> will therefore still be vulnerable to SSL stripping attacks. To mitigate this
> risk, you can optionally add the 'preload' flag to the HSTS header, and
> submit the domain for review by browser vendors.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
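The mitigation section above describes the Strict-Transport-Security header that login.jsp should carry. As an added example, not part of this issue or of the Ranger code base, the following Python script parses a Strict-Transport-Security value along the lines of RFC 6797 and reports the findings a reviewer would want flagged when verifying the fix: header absent, max-age missing or zero, max-age shorter than the one-year value that the preload list expects, and preload without includeSubDomains. The header sets near the end are constructed samples, not responses captured from a Ranger instance; the one-year threshold is an assumption taken from the preload submission requirements, not from the issue.

```python
"""Check an HTTP response's Strict-Transport-Security header for the problems
a reviewer would flag when verifying an HSTS fix. Added example; the sample
header sets below are constructed, not captured from a real server."""
import re
from dataclasses import dataclass, field
from typing import Mapping, Optional, List

# Minimum max-age the browser preload list expects (one year, in seconds).
# Assumed threshold for the "too short" finding; not a value from the issue.
ONE_YEAR = 31536000


@dataclass
class HstsPolicy:
    """Directives recovered from one Strict-Transport-Security value."""
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a header value such as 'max-age=31536000; includeSubDomains'.

    Directives are ';'-separated, names are case-insensitive, max-age is
    required, a repeated directive makes the header invalid, and unknown
    directives are ignored (RFC 6797 section 6.1)."""
    policy = HstsPolicy()
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')  # max-age="300" is a legal quoted form
        if name in seen:
            policy.problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"\d+", val):
                policy.max_age = int(val)
            else:
                policy.problems.append("max-age is not a non-negative integer")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    if "max-age" not in seen:
        policy.problems.append("max-age directive missing")
    return policy


def check_response_headers(headers: Mapping[str, str],
                           min_age: int = ONE_YEAR) -> List[str]:
    """Return a list of findings for a response's headers; empty means OK."""
    lookup = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    value = lookup.get("strict-transport-security")
    if value is None:
        return ["Strict-Transport-Security header absent"]
    policy = parse_hsts(value)
    findings = list(policy.problems)
    if policy.max_age is not None:
        if policy.max_age == 0:
            findings.append("max-age=0 disables HSTS")
        elif policy.max_age < min_age:
            findings.append(f"max-age {policy.max_age} below recommended {min_age}")
    if policy.preload:
        if not policy.include_subdomains:
            findings.append("preload requires includeSubDomains")
        if policy.max_age is None or policy.max_age < ONE_YEAR:
            findings.append("preload requires max-age of at least one year")
    return findings


# Constructed sample responses for a login page: the reported state (no
# header at all) and the state after the mitigation is applied.
SAMPLE_BEFORE = {"Content-Type": "text/html;charset=UTF-8"}
SAMPLE_AFTER = {
    "Content-Type": "text/html;charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
}

if __name__ == "__main__":
    for label, hdrs in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, check_response_headers(hdrs) or "OK")
```

Run it against the headers of a real login page (for example by feeding it `dict(response.getheaders())` from `http.client`) to confirm the header is present on every HTTPS response, not only on pages behind authentication; the header only takes effect when received over HTTPS, so a check made over plain HTTP proves nothing.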