Page MenuHomePhabricator
Create Task
Maniphest T104244

Preload HSTS
Closed, ResolvedPublic
Actions

Description

We should aim for putting our primary domains onto browsers' HSTS Preload lists. This requires includeSubdomains, which creates multiple pragmatic issues for us right now. We may not be able to includeSubdomains on wikimedia.org any time in the near future due to all of the unrelated services in that domain. For the others (e.g. wikipedia.org, wikiversity.org, etc) the primary blockers are the random too-deep subdomains that we need to eliminate first, linked in blocked-by tickets here.

Details

SubjectRepoBranchLines +/-
Add HSTS preload for wikipedia.org, refactor related regexesoperations/puppetproduction+11 -3
HSTS: preload for all certs except wiki[pm]edia.orgoperations/puppetproduction+1 -1
HSTS preload for Mediawiki and Wikimediafoundationoperations/puppetproduction+1 -1
Wikidata - HSTS include subdomains and preloadoperations/puppetproduction+6 -1
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedBBlackT104681 HTTPS Plans (tracking / high-level info)
 ResolvedBBlackT102824 Clean up DNS/redirects for TLS
 ResolvedArielGlennT107575 download.wiki[mp]edia.org are using an invalid certificate
 ResolvedChmarkineT110511 sitemap.wikimedia.org uses invalid SSL certificate
 ResolvedBBlackT104244 Preload HSTS
 ResolvedBBlackT102814 Decom old multiple-subdomain wikis in wikipedia.org
 ResolvedBBlackT104942 TLS and *.wap/*.mobile multi-level subdomains of wikipedia.org
 ResolvedBBlackT102815 Decom www.$lang hostnames/redirects
 ResolvedBBlackT102826 Fix/decom multiple-subdomain wikis in wikimedia.org
 ResolvedBBlackT102827 Decide what to do with *.donate.wikimedia.org subdomain + TLS
 Resolved CCogdill_WMFT130414 delete links.email.donate.wikimedia.org (and all other email.donate.*?) from DNS
 DeclinedBBlackT111967 Preload HSTS for select hostnames within wikimedia.org
 DuplicateBBlackT111998 investigate/remove hostname login.m.wikimedia.org
 ResolvedBBlackT40516 Enable HSTS on Wikimedia sites
 ResolvedNoneT37313 SSL cert invalid for bugzilla.wikipedia.org redirect
 DeclinedKrinkleT38126 *.mobile.wikipedia.org domains are using invalid SSL certificate
 ResolvedJgreenT88199 Enable HSTS on https://payments.wikimedia.org
 ResolvedChmarkineT90527 Enable HSTS and point rel=canonical to HTTPS for all Russian Wikimedia projects
 ResolvedBBlackT132521 Enforce HTTPS+HSTS on remaining one-off sites in wikimedia.org that don't use standard cache cluster termination
 ResolvedKrenairT133360 Fix wikitech-static TLS config
 ResolvedJgreenT137161 Fix nits in HTTPS/HSTS configs in externally-hosted fundraising domains
 ResolvedRobHT170140 revoke benefactorevents.wikimedia.org SSL certificate
 DuplicateNoneT137915 stream.wikimedia.org doesn't redirect to HTTPS
 ResolvedBBlackT105905 Switch blog to HTTPS-only
 InvalidNoneT64488 Wikimedia blog has unsecured elements on https
 ResolvedBBlackT103919 let all services on misc-web enforce http->https redirects
 ResolvedDzahnT103773 check if services behind misc-web enforce http->https redirect or not
 Resolved ezachteT93702 Fix the mixed content issue on Wikimedia Statistics
 ResolvedBBlackT132459 HTTPS redirects for config-master.wikimedia.org
 ResolvedBBlackT132460 HTTPS redirects for git.wikimedia.org
 ResolvedBBlackT132461 HTTPS redirects for graphite.wikimedia.org
 ResolvedBBlackT132462 HTTPS redirects for parsoid-tests.wikimedia.org
 ResolvedBBlackT132463 HTTPS redirects for datasets.wikimedia.org
 ResolvedBBlackT132464 HTTPS redirects for transparency.wikimedia.org
 ResolvedBBlackT132465 HTTPS redirects for stats.wikimedia.org
 ResolvedDzahnT132543 enable HSTS on *.planet.wikimedia.org
 ResolvedBBlackT132452 HSTS preload for wmfusercontent.org
 ResolvedBBlackT132685 Preload STS for wikimedia.org
 ResolvedBBlackT34796 status.wikimedia.org has no (valid) HTTPS
 ResolvedBBlackT132450 enable https for (ubuntu|apt|mirrors).wikimedia.org
 ResolvedBBlackT132812 Sort out letsencrypt puppetization for simple public hosts

Event Timeline

BBlack created this task.Jun 29 2015, 7:48 PM
BBlack raised the priority of this task from to Needs Triage.
BBlack updated the task description. (Show Details)
BBlack added projects: acl*sre-team, Traffic.
BBlack subscribed.
Restricted Application added subscribers: Matanya, Aklapper. · View Herald TranscriptJun 29 2015, 7:48 PM
BBlack triaged this task as Medium priority.Jun 29 2015, 7:49 PM
BBlack added subtasks: T102814: Decom old multiple-subdomain wikis in wikipedia.org, T102815: Decom www.$lang hostnames/redirects, T102826: Fix/decom multiple-subdomain wikis in wikimedia.org.
MoritzMuehlenhoff subscribed.Jun 29 2015, 7:55 PM
Chmarkine subscribed.Jun 30 2015, 9:45 AM
gerritbot subscribed.Jul 2 2015, 10:32 AM

Change 222270 had a related patch set uploaded (by Chmarkine):
Wikidata - HSTS include subdomains and preload

https://gerrit.wikimedia.org/r/222270

Restricted Application added a subscriber: Luke081515. · View Herald TranscriptJul 2 2015, 10:32 AM
gerritbot added a project: Patch-For-Review.Jul 2 2015, 10:32 AM
Chmarkine added a project: HTTPS-by-default.Jul 2 2015, 1:56 PM
Chmarkine set Security to None.
Chmarkine added a parent task: T40516: Enable HSTS on Wikimedia sites.Jul 2 2015, 1:58 PM
gerritbot added a comment.Jul 2 2015, 2:24 PM

Change 222270 merged by BBlack:
Wikidata - HSTS include subdomains and preload

https://gerrit.wikimedia.org/r/222270

BBlack mentioned this in rOPUP76b5f31f8bef: Wikidata - HSTS include subdomains and preload.Jul 2 2015, 2:25 PM
BBlack mentioned this in T104681: HTTPS Plans (tracking / high-level info).Jul 3 2015, 4:58 AM
BBlack added a parent task: T104681: HTTPS Plans (tracking / high-level info).Jul 3 2015, 5:00 AM
gerritbot added a comment.Jul 6 2015, 4:34 PM

Change 223054 had a related patch set uploaded (by Chmarkine):
HSTS preload for Mediawiki and Wikimediafoundation

https://gerrit.wikimedia.org/r/223054

Restricted Application added a subscriber: MGChecker. · View Herald TranscriptJul 6 2015, 4:34 PM
gerritbot added a comment.Jul 6 2015, 4:50 PM

Change 223054 merged by BBlack:
HSTS preload for Mediawiki and Wikimediafoundation

https://gerrit.wikimedia.org/r/223054

Chmarkine mentioned this in rOPUPee9f662c3dff: HSTS preload for Mediawiki and Wikimediafoundation.Jul 6 2015, 4:51 PM
BBlack closed subtask T102815: Decom www.$lang hostnames/redirects as Resolved.Jul 6 2015, 5:27 PM
gerritbot added a comment.Jul 7 2015, 12:06 AM

Change 223207 had a related patch set uploaded (by BBlack):
HSTS: preload for all certs except wiki[pm]edia.org

https://gerrit.wikimedia.org/r/223207

gerritbot added a comment.Jul 7 2015, 12:07 AM

Change 223207 merged by BBlack:
HSTS: preload for all certs except wiki[pm]edia.org

https://gerrit.wikimedia.org/r/223207

BBlack mentioned this in rOPUPd6803a24adb2: HSTS: preload for all certs except wiki[pm]edia.org.Jul 7 2015, 12:07 AM
BBlack added a subtask: T104942: TLS and *.wap/*.mobile multi-level subdomains of wikipedia.org.Jul 7 2015, 5:35 AM
MGChecker unsubscribed.Jul 7 2015, 12:01 PM
Jackmcbarn subscribed.Jul 7 2015, 11:59 PM
BBlack moved this task from Backlog to Traffic team actively servicing on the Traffic board.Jul 13 2015, 7:04 PM
fgiunchedi assigned this task to BBlack.Jul 20 2015, 1:21 PM
fgiunchedi subscribed.
BBlack closed subtask T104942: TLS and *.wap/*.mobile multi-level subdomains of wikipedia.org as Resolved.Jul 27 2015, 12:51 PM
BBlack removed a subtask: T104942: TLS and *.wap/*.mobile multi-level subdomains of wikipedia.org.Jul 27 2015, 1:13 PM
BBlack closed subtask T102814: Decom old multiple-subdomain wikis in wikipedia.org as Resolved.Jul 28 2015, 2:55 PM
gerritbot added a comment.Jul 28 2015, 3:13 PM

Change 227455 had a related patch set uploaded (by BBlack):
Add HSTS preload for wikipedia.org, refactor related regexes

https://gerrit.wikimedia.org/r/227455

gerritbot added a comment.Jul 28 2015, 4:54 PM

Change 227455 merged by BBlack:
Add HSTS preload for wikipedia.org, refactor related regexes

https://gerrit.wikimedia.org/r/227455

BBlack added a comment.Jul 28 2015, 5:57 PM

Status update:
We've submitted all of the primary domains from our unified cert to the HSTS preload list, with the exception of wikimedia.org. This means the following list is preloaded (implies includeSubdomains):

wikipedia.org
wikibooks.org
wikinews.org
wikiquote.org
wikisource.org
wikiversity.org
wikivoyage.org
wikidata.org
wikimediafoundation.org
wiktionary.org
mediawiki.org

They were submitted in 3 batches with some timing gaps: first just wikidata.org, then most of the rest, and then finally wikipedia.org. All but wikipedia.org now appear in the Chromium project's git repo @ https://chromium.googlesource.com/chromium/src/+/master/net/http/transport_security_state_static.json (wikipedia.org was just submitted today, so it will get committed in a future batch update, probably sometime in the next week or two). This means they're all destined for some future release of FF, Chrome, Safari, and IE (11/Edge), but it could be several weeks or months before all of these browsers do new releases that include these new Preload updates. I haven't seen even wikidata.org appear in stable Chrome updates yet.

MZMcBride subscribed.Jul 29 2015, 2:44 AM
Chmarkine added a comment.Jul 29 2015, 11:45 AM

Before wikimedia.org is ready to preload, how about emailing agl@chromium.org to request preloading some high traffic and sensitive subdomains of wikimedia.org, like commons, donate, payments, etc.?

BBlack added a comment.Jul 29 2015, 12:23 PM

Technically, I think we can do that without a custom exception. We'd need to do a few things on our end regardless:

  1. Actually fix those cases (e.g. right now, www.commons still exists as well and needs killing)
  2. Change our HSTS output code to output "includeSub; preload" just for the sensitive hostnames, but not for wikimedia.org itself
  3. Submit them one by one.

But really, I'd rather hold off on going down that road just a little bit longer, at least until we've got a firm picture of the future path of this whole wikimedia.org problem. If we cave and start doing them one by one, it takes pressure off of solving the more-general problem and makes our lives more of a PITA to boot. It's unnecessarily complex for us and unnecessarily bloats the chromium list, and we may yet find a better solution for the remaining problems. The really fundamental issue here (more fundamental than the email.donate problems and such) is that wikimedia.org has two purposes in life which conflict for HTTPS/HSTS/HPKP purposes:

  1. The domainname in which a bunch of important public virtual service endpoints exist, like commons, meta, phabricator, payments, etc...
  2. The default domainname of absolutely everything in our infrastructure which just happens to have a public IP, including all kinds of things that aren't really public services: random individual machines that are accessed over their wikimedia.org hostnames for internal traffic, etc.

If we could rewind time, we'd probably split those purposes into two discrete domainnames to solve this problem. Another related option is to move almost all individual servers out of wikimedia.org and into our private network/DNS and mandate that LVS-routing is used to send public IP traffic into private HTTP(S) servers. Regardless, the primary pragmatic issues all revolve around Fundraising right now, and we're going to have some meetings with them to hash out options soon.

Chmarkine added a comment.Jul 30 2015, 7:50 AM

wikipedia.org is already on the preload list! Among Alexa Top 10 websites, Wikipedia is the only one that has all subdomains preloaded!
https://chromium.googlesource.com/chromium/src/+/master/net/http/transport_security_state_static.json#3319
https://twitter.com/konklone/status/626538394202570752

BBlack mentioned this in rOPUP74075510f0b8: Add HSTS preload for wikipedia.org, refactor related regexes.Jul 30 2015, 10:16 PM
Tbayer subscribed.Aug 4 2015, 12:20 AM
BBlack edited projects, added HTTPS; removed HTTPS-by-default, Patch-For-Review.Aug 7 2015, 4:08 PM
BBlack closed subtask T102826: Fix/decom multiple-subdomain wikis in wikimedia.org as Resolved.Sep 15 2015, 1:03 AM
BBlack added a subtask: T102827: Decide what to do with *.donate.wikimedia.org subdomain + TLS.
BBlack moved this task from Traffic team actively servicing to Upcoming on the Traffic board.Nov 30 2015, 6:03 PM
BBlack closed subtask T111967: Preload HSTS for select hostnames within wikimedia.org as Declined.Apr 12 2016, 11:43 AM
BBlack removed a parent task: T40516: Enable HSTS on Wikimedia sites.
BBlack added a subtask: T40516: Enable HSTS on Wikimedia sites.Apr 12 2016, 11:47 AM
BBlack added a subtask: T132452: HSTS preload for wmfusercontent.org.Apr 12 2016, 2:52 PM
BBlack closed subtask T102827: Decide what to do with *.donate.wikimedia.org subdomain + TLS as Resolved.Apr 12 2016, 3:58 PM
BBlack created subtask T132685: Preload STS for wikimedia.org.Apr 14 2016, 1:44 PM
BBlack closed subtask T132452: HSTS preload for wmfusercontent.org as Resolved.Apr 19 2016, 5:03 PM
Restricted Application added a subscriber: TerraCodes. · View Herald TranscriptApr 19 2016, 5:03 PM
BBlack closed this task as Resolved.Jun 6 2016, 10:55 PM
BBlack closed subtask T132685: Preload STS for wikimedia.org as Resolved.
BBlack closed subtask T40516: Enable HSTS on Wikimedia sites as Resolved.Jun 14 2016, 10:04 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL