Univention Bugzilla – Bug 37637
Support HTTP Strict Transport Security (HSTS)
Last modified: 2015-10-28 13:21:54 CET
HSTS is a mechanism to enforce website encryption and is designed to mitigate certain man-in-the-middle attacks. Basically, HSTS informs the browser to always attempt to access the site using HTTPS instead of HTTP¹. This adds security by default in terms of mixed content issues, cookie security and e.g. preventing HTTPS stripping attacks². I consider this a desirable feature, especially if one makes a webservice publicly available (think: cloud, webmail etc).

Enabling HSTS should be as easy as adding the following line to the <VirtualHost *:443> section:

> Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

An additional security feature of HSTS is that all certificate errors are treated as fatal - that means the user is NOT allowed to click through and add an exception if the browser does not trust the certificate. Unfortunately this is not desirable in a default UCS scenario since the certificates there are self-signed. So to make use of HSTS one has either to import the UCS CA root certificate into the browser's trusted store or to use a certificate that is signed by a trusted CA. Because of this, HSTS should be disabled by default and documentation provided on how to enable it.

To make full use of HSTS/HTTPS-only one has to also redirect HTTP to HTTPS via apache (see Bug 25647) (e.g. for HSTS to kick in it is required that the browser has intentionally accessed the HTTPS site once before). Alternatively browsers maintain a built-in list (preload) of domains that are known to have HSTS deployed. So far one has to contact the browser vendors to get on these lists³.

¹ https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
² http://www.thoughtcrime.org/software/sslstrip/
³ https://hstspreload.appspot.com/
Since version 8.1 ownCloud is checking if HSTS is enabled. The Admin section shows under "Security & setup warnings": "The "Strict-Transport-Security" HTTP header is not configured to least "15768000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips." (linking to http://doc.owncloud.com/server/8.1/admin_manual/configuration_server/harden_server.html)
Created attachment 7177 [details]
Enable HSTS via UCR

Attached a possible patch. Tested with:

# ucr set apache2/hsts/enabled=yes \
    apache2/hsts/max-age=15768000 \
    apache2/hsts/includeSubDomains=yes
# service apache2 reload
# curl -I https://$(hostname -f) -k
r64430 | Bug #37637 Apache: Support HTTP Strict-Transport-Security (HSTS)
Applied patch with "/enabled" dropped.
Added parsing of time spans [wdhms]

Package: univention-apache
Version: 7.0.16-16.248.201510131207
Branch: ucs_4.0-0
Scope: errata4.0-3

r64431 | Bug #37637 Apache: Support HTTP Strict-Transport-Security (HSTS)
YAML 2015-10-13-univention-apache.yaml

QA:
ucr set apache2/hsts=yes
apache2ctl configtest
# /var/lib/dpkg/info/univention-apache.postinst: a2enmod headers
apache2ctl graceful
Use "$EDITOR /etc/hosts" to add name-2-IP mapping; IP address will *not* work!
Download and install Root certificate from http://master/ucs-root-ca.crt
go to <https://master/>
go to <http://master/> - should redirect you to <https://master/>
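As an added example (not Univention's template code or ownCloud's check), the following Python builds the Strict-Transport-Security value from UCR-style settings named as in the comments above, expands [wdhms] time spans for max-age, and inspects a captured `curl -I` response against the 15768000-second minimum ownCloud 8.1 warns about. The accepted span syntax (e.g. "26w", "1d12h", plain seconds) and the yes/true/1/on truth values are assumptions, and the sample response is constructed.

```python
import re

# ownCloud 8.1 warns when max-age is below this many seconds (~ six months).
OWNCLOUD_MIN_MAX_AGE = 15768000

# Suffix -> seconds for [wdhms] spans; the exact accepted syntax is assumed.
_UNITS = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
_TOKEN_RE = re.compile(r"(\d+)([wdhms]?)")
_TRUE = ("yes", "true", "1", "on")  # assumed truth values for UCR flags


def parse_timespan(value):
    """'26w', '1d12h' or plain seconds ('15768000') -> integer seconds."""
    value = value.strip()
    if not re.fullmatch(r"(?:\d+[wdhms]?)+", value):
        raise ValueError("invalid time span: %r" % value)
    return sum(int(n) * _UNITS[u or "s"] for n, u in _TOKEN_RE.findall(value))


def hsts_header(ucr):
    """Header value from UCR-style settings, or None when apache2/hsts is off
    (then the header must be omitted entirely, not sent with max-age=0)."""
    if ucr.get("apache2/hsts", "no").lower() not in _TRUE:
        return None
    max_age = parse_timespan(ucr.get("apache2/hsts/max-age", "15768000"))
    value = "max-age=%d" % max_age
    if ucr.get("apache2/hsts/includeSubDomains", "no").lower() in _TRUE:
        value += "; includeSubDomains"
    return value


def check_hsts(raw_headers):
    """Inspect headers captured with `curl -I`; report state and findings."""
    res = {"present": False, "max_age": None, "include_subdomains": False, "findings": []}
    for line in raw_headers.splitlines():
        name, _, val = line.partition(":")
        if name.strip().lower() != "strict-transport-security":
            continue
        res["present"] = True
        for d in (d.strip().lower() for d in val.split(";") if d.strip()):
            if d.startswith("max-age="):
                res["max_age"] = int(d.split("=", 1)[1].strip('"'))
            elif d == "includesubdomains":
                res["include_subdomains"] = True
    if not res["present"]:
        res["findings"].append("no Strict-Transport-Security header")
    elif res["max_age"] is None:
        res["findings"].append("max-age missing (browsers ignore the header)")
    elif res["max_age"] < OWNCLOUD_MIN_MAX_AGE:
        res["findings"].append("max-age %d below %d" % (res["max_age"], OWNCLOUD_MIN_MAX_AGE))
    return res


# Constructed sample of what `curl -I https://host -k` prints once HSTS is set.
SAMPLE_RESPONSE = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=15768000; includeSubDomains\r\nContent-Type: text/html\r\n"
```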
r64433 | Bug #37637 Apache: Support HTTP Strict-Transport-Security (HSTS)
Merges to UCS-4.1-0: multi-file-template there
Tests: OK
Advisory: OK
Code review: OK
<http://errata.software-univention.de/ucs/4.0/349.html>