[
https://issues.apache.org/jira/browse/RANGER-2833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Dineshkumar Yadav reassigned RANGER-2833:
-----------------------------------------
Assignee: Dineshkumar Yadav
> Enforcing Strict transport security
> -----------------------------------
>
> Key: RANGER-2833
> URL: https://issues.apache.org/jira/browse/RANGER-2833
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Dineshkumar Yadav
> Assignee: Dineshkumar Yadav
> Priority: Major
>
> Currently Strict-Transport-Security is not enforced on login.jsp
> *Description*: The application fails to prevent users from connecting to it
> over unencrypted connections. An attacker able to modify a legitimate user's
> network traffic could bypass the application's use of SSL/TLS encryption, and
> use the application as a platform for attacks against its users. This attack
> is performed by rewriting HTTPS links as HTTP, so that if a targeted user
> follows a link to the site from an HTTP page, their browser never attempts to
> use an encrypted connection. The sslstrip tool automates this process.
> To exploit this vulnerability, an attacker must be suitably positioned to
> intercept and modify the victim's network traffic. This scenario typically
> occurs when a client communicates with the server over an insecure connection
> such as public Wi-Fi, or a corporate or home network that is shared with a
> compromised computer. Common defenses such as switched networks are not
> sufficient to prevent this. An attacker situated in the user's ISP or the
> application's hosting infrastructure could also perform this attack. Note
> that an advanced adversary could potentially target any connection made over
> the Internet's core infrastructure.
> *Mitigation*: The application should instruct web browsers to only access the
> application using HTTPS. To do this, enable HTTP Strict Transport Security
> (HSTS) by adding a response header with the name 'Strict-Transport-Security'
> and the value 'max-age=expireTime', where expireTime is the time in seconds
> that browsers should remember that the site should only be accessed using
> HTTPS. Consider adding the 'includeSubDomains' flag if appropriate.
> Note that because HSTS is a "trust on first use" (TOFU) protocol, a user who
> has never accessed the application will never have seen the HSTS header, and
> will therefore still be vulnerable to SSL stripping attacks. To mitigate this
> risk, you can optionally add the 'preload' flag to the HSTS header, and
> submit the domain for review by browser vendors.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
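A defender-side check for the mitigation the ticket describes, added here as an example and not part of the Ranger code base or the ticket: it parses a Strict-Transport-Security value per RFC 6797 (max-age required, no repeated directives, otherwise browsers ignore the header) and reports findings such as a missing header on login.jsp, a short max-age, or a preload flag without its prerequisites. The sample responses and the one-year threshold are constructed assumptions, not values from a real Ranger instance.

```python
MIN_MAX_AGE = 31536000  # one year, the minimum browser preload lists accept

def parse_hsts(value):
    """Parse an STS header value into {directive: value}, or return None
    when RFC 6797 says browsers must ignore it (repeated directive,
    max-age missing or non-numeric)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None  # duplicate directive: the whole header is ignored
        directives[name] = val.strip().strip('"') if sep else None
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return directives

def assess_hsts(headers):
    """Return findings for one HTTPS response's headers; [] means acceptable."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["missing Strict-Transport-Security header"]
    parsed = parse_hsts(value)
    if parsed is None:
        return ["malformed Strict-Transport-Security header (browsers ignore it)"]
    findings = []
    weak_age = int(parsed["max-age"]) < MIN_MAX_AGE
    if weak_age:
        findings.append(f"max-age {parsed['max-age']} below {MIN_MAX_AGE}")
    if "includesubdomains" not in parsed:
        findings.append("includeSubDomains not set")
    if "preload" in parsed and (weak_age or "includesubdomains" not in parsed):
        findings.append("preload needs includeSubDomains and max-age >= one year")
    return findings

# Constructed sample responses, not captured from a real Ranger instance.
SAMPLES = {
    "/login.jsp": {"Content-Type": "text/html"},
    "/weak": {"Strict-Transport-Security": "max-age=3600"},
    "/good": {"strict-transport-security": "max-age=31536000; includeSubDomains"},
}

for path, hdrs in SAMPLES.items():
    print(path, assess_hsts(hdrs) or ["ok"])
```

Run it against headers captured from an HTTPS response to each Ranger page; the check only applies to HTTPS responses, since browsers ignore the header when it arrives over plain HTTP.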