Page MenuHomePhabricator

Preload HSTS
Closed, ResolvedPublic

Description

We should aim for putting our primary domains onto browsers' HSTS Preload lists. This requires includeSubdomains, which creates multiple pragmatic issues for us right now. We may not be able to includeSubdomains on wikimedia.org any time in the near future due to all of the unrelated services in that domain. For the others (e.g. wikipedia.org, wikiversity.org, etc) the primary blockers are the random too-deep subdomains that we need to eliminate first, linked in blocked-by tickets here.

Details

Related Gerrit Patches:

Related Objects

StatusAssignedTask
OpenBBlack
ResolvedBBlack
ResolvedArielGlenn
ResolvedChmarkine
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedCCogdill_WMF
DeclinedBBlack
DuplicateBBlack
ResolvedBBlack
ResolvedNone
DeclinedKrinkle
ResolvedJgreen
ResolvedChmarkine
ResolvedBBlack
ResolvedKrenair
ResolvedJgreen
ResolvedRobH
DuplicateNone
ResolvedBBlack
InvalidNone
ResolvedBBlack
ResolvedDzahn
Resolved ezachte
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedDzahn
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack

Event Timeline

BBlack created this task.Jun 29 2015, 7:48 PM
BBlack raised the priority of this task from to Needs Triage.
BBlack updated the task description. (Show Details)
BBlack added projects: acl*sre-team, Traffic.
BBlack added a subscriber: BBlack.
Restricted Application added subscribers: Matanya, Aklapper. · View Herald TranscriptJun 29 2015, 7:48 PM

Change 222270 had a related patch set uploaded (by Chmarkine):
Wikidata - HSTS include subdomains and preload

https://gerrit.wikimedia.org/r/222270

Restricted Application added a subscriber: Luke081515. · View Herald TranscriptJul 2 2015, 10:32 AM
Chmarkine set Security to None.

Change 222270 merged by BBlack:
Wikidata - HSTS include subdomains and preload

https://gerrit.wikimedia.org/r/222270

Change 223054 had a related patch set uploaded (by Chmarkine):
HSTS preload for Mediawiki and Wikimediafoundation

https://gerrit.wikimedia.org/r/223054

Restricted Application added a subscriber: MGChecker. · View Herald TranscriptJul 6 2015, 4:34 PM

Change 223054 merged by BBlack:
HSTS preload for Mediawiki and Wikimediafoundation

https://gerrit.wikimedia.org/r/223054

Change 223207 had a related patch set uploaded (by BBlack):
HSTS: preload for all certs except wiki[pm]edia.org

https://gerrit.wikimedia.org/r/223207

Change 223207 merged by BBlack:
HSTS: preload for all certs except wiki[pm]edia.org

https://gerrit.wikimedia.org/r/223207

BBlack moved this task from Triage to In Progress on the Traffic board.Jul 13 2015, 7:04 PM
fgiunchedi assigned this task to BBlack.Jul 20 2015, 1:21 PM
fgiunchedi added a subscriber: fgiunchedi.

Change 227455 had a related patch set uploaded (by BBlack):
Add HSTS preload for wikipedia.org, refactor related regexes

https://gerrit.wikimedia.org/r/227455

Change 227455 merged by BBlack:
Add HSTS preload for wikipedia.org, refactor related regexes

https://gerrit.wikimedia.org/r/227455

Status update:
We've submitted all of the primary domains from our unified cert to the HSTS preload list, with the exception of wikimedia.org. This means the following list is preloaded (implies includeSubdomains):

wikipedia.org
wikibooks.org
wikinews.org
wikiquote.org
wikisource.org
wikiversity.org
wikivoyage.org
wikidata.org
wikimediafoundation.org
wiktionary.org
mediawiki.org

They were submitted in 3 batches with some timing gaps: first just wikidata.org, then most of the rest, and then finally wikipedia.org. All but wikipedia.org now appear in the Chromium project's git repo @ https://chromium.googlesource.com/chromium/src/+/master/net/http/transport_security_state_static.json (wikipedia.org was just submitted today, so it will get committed in a future batch update, probably sometime in the next week or two). This means they're all destined for some future release of FF, Chrome, Safari, and IE (11/Edge), but it could be several weeks or months before all of these browsers do new releases that include these new Preload updates. I haven't seen even wikidata.org appear in stable Chrome updates yet.

Before wikimedia.org is ready to preload, how about emailing agl@chromium.org to request preloading some high traffic and sensitive subdomains of wikimedia.org, like commons, donate, payments, etc.?

Technically, I think we can do that without a custom exception. We'd need to do a few things on our end regardless:

  1. Actually fix those cases (e.g. right now, www.commons still exists as well and needs killing)
  2. Change our HSTS output code to output "includeSub; preload" just for the sensitive hostnames, but not for wikimedia.org itself
  3. Submit them one by one.

But really, I'd rather hold off on going down that road just a little bit longer, at least until we've got a firm picture of the future path of this whole wikimedia.org problem. If we cave and start doing them one by one, it takes pressure off of solving the more-general problem and makes our lives more of a PITA to boot. It's unnecessarily complex for us and unnecessarily bloats the chromium list, and we may yet find a better solution for the remaining problems. The really fundamental issue here (more fundamental than the email.donate problems and such) is that wikimedia.org has two purposes in life which conflict for HTTPS/HSTS/HPKP purposes:

  1. The domainname in which a bunch of important public virtual service endpoints exist, like commons, meta, phabricator, payments, etc...
  2. The default domainname of absolutely everything in our infrastructure which just happens to have a public IP, including all kinds of things that aren't really public services: random individual machines that are accessed over their wikimedia.org hostnames for internal traffic, etc.

If we could rewind time, we'd probably split those purposes into two discrete domainnames to solve this problem. Another related option is to move almost all individual servers out of wikimedia.org and into our private network/DNS and mandate that LVS-routing is used to send public IP traffic into private HTTP(S) servers. Regardless, the primary pragmatic issues all revolve around Fundraising right now, and we're going to have some meetings with them to hash out options soon.

wikipedia.org is already on the preload list! Among Alexa Top 10 websites, Wikipedia is the only one that has all subdomains preloaded!
https://chromium.googlesource.com/chromium/src/+/master/net/http/transport_security_state_static.json#3319
https://twitter.com/konklone/status/626538394202570752

BBlack moved this task from In Progress to Up Next on the Traffic board.Nov 30 2015, 6:03 PM
Restricted Application added a subscriber: TerraCodes. · View Herald TranscriptApr 19 2016, 5:03 PM
BBlack closed this task as Resolved.Jun 6 2016, 10:55 PM