
[security] Lack of HTTP Strict Transport Security (HSTS) Policy


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: security, ui
    • Labels:
      None

      Description

      The Airflow application does not set the HSTS header. HTTP Strict Transport Security (HSTS) lets a website declare that it is accessible only over HTTPS; it was designed to stop attackers from forcing user connections over HTTP or from abusing mistakes in HTTPS implementations to compromise content integrity. When a browser connects over HTTPS to a website that supports HSTS, the site's strict transport security policy is saved and remembered for a specified amount of time. From that point forward, as long as the cached policy has not expired, the browser refuses to initiate insecure connections to that website. The mechanism is the response header "Strict-Transport-Security: max-age=expiretime", where max-age is the time, in seconds, for which the browser should remember that this site is only to be accessed through https.

      The HSTS header (Strict-Transport-Security) is not set in server responses.

      Business Impact/Attack Scenario
      "When the browser loads the insecure resource it makes a request over plain HTTP and can also send the user's session cookie along with it. An attacker that can intercept the request using networking sniffing techniques can use the cookie to hijack the user's account. Man-in-the-middle attacks can be executed, where the attacker is in a position to intercept a user's connection with a website.

      From the client browser side, HTTP requests are possible until the request reaches the server and instructs the browser to use HTTPS. This allows for unencrypted communications in the initial request(s).

      A web application may inadvertently contain HTTP links instead of HTTPS links. This allows an attacker to be able to inject malicious code in the HTTP requests and server responses.

      Without the HSTS header, HTTPS click through prompts on browsers cannot be prevented. This will allow an attacker to see the HTTPS requests and responses in unencrypted form.

      SSL Stripping:
      The SSL stripping attack works (on TLS as well) by transparently converting a secure HTTPS connection into a plain HTTP connection. The user can see that the connection is insecure, but crucially there is no way of knowing whether the connection should be secure. Many websites do not use TLS/SSL, therefore there is no way of knowing (without prior knowledge) whether the use of plain HTTP is due to an attack, or simply because the website hasn't implemented TLS/SSL. Additionally, no warnings are presented to the user during the downgrade process, making the attack fairly subtle to all but the most vigilant. Marlinspike's sslstrip tool fully automates the attack."

      Recommendation
      "HSTS addresses the following threats:

      • User bookmarks or manually types example.com and is subject to a man-in-the-middle attacker
        -> HSTS automatically redirects HTTP requests to HTTPS for the target domain.
      • Web application that is intended to be purely HTTPS inadvertently contains HTTP links or serves content over HTTP
        -> HSTS automatically redirects HTTP requests to HTTPS for the target domain.
      • A man-in-the-middle attacker attempts to intercept traffic from a victim user using an invalid certificate and hopes the user will accept the bad certificate
        -> HSTS does not allow a user to override the invalid certificate message

      If you wish to implement a fix for the web application, the solution is below:

      For websites or applications with private and confidential information, this security policy must be employed in its HTTP Response header for HTTPS connections: "Strict-Transport-Security: max-age=31536000".

      Reference:
      http://www.youtube.com/watch?v=zEV3HOuM_Vw&feature=youtube_gdata
      https://tools.ietf.org/html/rfc6797
      http://www.thoughtcrime.org/software/sslstrip/
      https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

      The Internet Engineering Task Force (IETF) released the specification under RFC6797"
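As an added example (not part of this issue or of the Airflow code base): a small Python checker that parses the Strict-Transport-Security header according to RFC 6797 and flags the conditions discussed above, namely a missing header, a max-age below the recommended 31536000, and a missing includeSubDomains directive. The header dicts it inspects are constructed by the caller, and the function and constant names are my own.

```python
"""Parse a Strict-Transport-Security header (RFC 6797) and report weak settings."""

RECOMMENDED_MAX_AGE = 31536000  # one year, the value this issue recommends

def parse_hsts(header_value):
    """Directive names are case-insensitive, max-age is required and no directive
    may repeat (RFC 6797 section 6.1); unknown directives are ignored."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for raw in header_value.split(";"):
        if not raw.strip():
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age="300" is a valid quoted form
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy


def assess_hsts(headers):
    """Return findings for one response's header dict; name lookup is case-insensitive."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["HSTS header missing"]  # the state this issue reports for Airflow
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return [f"HSTS header malformed: {exc}"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 tells browsers to drop any cached policy")
    elif policy["max_age"] < RECOMMENDED_MAX_AGE:
        findings.append(f"max-age {policy['max_age']} below recommended {RECOMMENDED_MAX_AGE}")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains not set")
    return findings
```

Feed assess_hsts() the response headers from an HTTPS request to the Airflow web UI; an empty list means the policy meets the recommendation in this issue.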

            People

            • Assignee:
              Unassigned
              Reporter:
              toopt4 t oo