
store.wikimedia.org HTTPS issues
Open, Normal, Public

Description

store.wikimedia.org HTTPS issues:

  • needs HSTS header, which should be: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    • Currently has Strict-Transport-Security: max-age=7776000

Event Timeline

Chmarkine created this task. Mar 2 2016, 7:51 AM
Restricted Application added a project: Traffic. Mar 2 2016, 7:51 AM
Restricted Application added a subscriber: Aklapper.
Restricted Application added a project: Operations. Mar 2 2016, 7:52 AM
Ppena added a comment. Mar 2 2016, 2:43 PM

Hi @Chmarkine. We don't have anyone with a tech/ops background working for the store at the moment < waiting volunteers> :)!!

Can you please explain a little what setting the HSTS header means and what is the urgency on this? Thanks!

Krenair added a subscriber: Krenair. Mar 2 2016, 4:10 PM

We don't have anyone with a tech/ops background working for the store at the moment < waiting volunteers> :)!!

Since it's hosted by someone other than Wikimedia, I don't think that's an option?

Dzahn added a comment. Mar 2 2016, 5:57 PM

Yea, I was gonna say, that would be possible if store was running on our own infrastructure, but it's all external on shopify.com.

Dzahn added a comment (edited). Mar 2 2016, 6:05 PM

Can you please explain a little what setting the HSTS header means and what is the urgency on this? Thanks!

Setting the HSTS header means that the webserver will tell the clients (browsers) "only ever use https to connect to this site and never http again". So it ensures that it's only possible to talk to this site using a secure (encrypted) connection. It protects against certain kinds of attacks where a client is convinced to "downgrade" to http which means data is not encrypted anymore and potential attackers can sniff traffic and get private data out of it. In the worst case this could be credit card data in the case of a shop. The tricky part is that once you turn this on you can't simply revert it if something goes wrong, so you have to be sure that you are ready to do this. Shopify must be sure that all parts of the shop system are https-only and stay like that in the future.

Also see https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
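The two things this task keeps coming back to are the header's max-age and its includeSubDomains/preload flags. The following checker, added here as an illustration and not part of this Phabricator task or of Shopify's or Wikimedia's code, parses a Strict-Transport-Security value the way RFC 6797 describes (directives separated by ";", names case-insensitive, max-age required) and reports which parts of the policy requested in the task description are still missing. The sample values are the ones quoted in this task; the `fetch_hsts_header` helper and the `HstsPolicy` name are my own.

```python
"""Audit a Strict-Transport-Security header against a desired HSTS policy."""
import http.client
from dataclasses import dataclass
from typing import List, Optional

# The max-age the task description asks for: one year in seconds.
ONE_YEAR = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Parse an HSTS header value per RFC 6797.

    Returns None when the header is absent or malformed (no max-age, or a
    non-numeric max-age), which is also when a browser would ignore it.
    """
    if header is None:
        return None
    max_age = None
    include_sub = False
    preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # value may be a quoted-string
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub, preload)


def audit_hsts(header: Optional[str], want_max_age: int = ONE_YEAR,
               want_subdomains: bool = True, want_preload: bool = True) -> List[str]:
    """Return a list of findings; an empty list means the header meets the policy."""
    policy = parse_hsts(header)
    if policy is None:
        return ["no valid Strict-Transport-Security header"]
    findings = []
    if policy.max_age < want_max_age:
        findings.append(f"max-age={policy.max_age} is below the requested {want_max_age}")
    if want_subdomains and not policy.include_subdomains:
        findings.append("missing includeSubDomains")
    if want_preload and not policy.preload:
        findings.append("missing preload")
    return findings


def fetch_hsts_header(host: str, path: str = "/") -> Optional[str]:
    """Fetch the HSTS header from a live host over TLS (not exercised offline)."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    try:
        conn.request("HEAD", path)
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


# Header values quoted in this task, plus the target from the description.
SAMPLES = {
    "original (Mar 2016)": "max-age=7776000",
    "after Shopify change (Sep 2017)": "max-age=31557600",
    "target from task description": "max-age=31536000; includeSubDomains; preload",
    "no header at all": None,
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        findings = audit_hsts(value)
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

Run against the values above, the 2016 header fails on all three counts, the 2017 header (31557600 seconds, a 365.25-day year) satisfies the max-age requirement but still lacks both flags, and only the target value passes. `fetch_hsts_header("store.wikimedia.org")` would pull the current value for a live comparison; note that the header only matters on the HTTPS response, so an http:// redirect is not where to look for it.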

Ppena added a comment. Mar 2 2016, 7:16 PM

@Dzahn got it, thanks for explaining in plain English, Dan ;)

I will email Shopify and ask them about it, but unfortunately I don't think we have leverage to make them enable HSTS header if they are not already planning to :)

hi @Ppena, did shopify come back to you with an answer? thanks!

fgiunchedi triaged this task as Normal priority. Apr 27 2016, 1:13 PM
BBlack renamed this task from "https://store.wikimedia.org doesn't set HSTS header" to "store.wikimedia.org HTTPS issues". Jul 27 2016, 7:13 PM
BBlack updated the task description.
BBlack added a subscriber: BBlack.

Fixed up title and description to match what we need out of it today, rather than old audit data and/or old targets.

BBlack moved this task from Triage to TLS on the Traffic board. Sep 30 2016, 1:47 PM

@Ppena (or anyone) - who's responsible in the WMF for store.wikimedia.org? This is a pretty basic request and it's been outstanding for months. It's one of the few non-conforming exceptions to our HTTPS policy remaining!

Dzahn added a comment. Dec 19 2016, 6:24 PM

found quote from a mail from Seddon "Change in management.. Wikipedia Store project has moved under Michael Beattie.. Sandra Hust [2] will be the primary contact for internal orders, questions and operations, while Michael Beattie will be responsible for the management of the project itself."

Dzahn added a subscriber: MBeat33. Dec 19 2016, 6:26 PM

Hey @BBlack,

Apologies, this got dropped. Either myself or @MBeat33 will get back to you as to whether we can actually make this change or not, although my hopes are not that high.

Seddon

Any updates here? What we're asking for here is a modern HTTPS-only configuration. I'd think an e-commerce vendor would be all about that...

@Jseddon @MBeat33 - ping again? The redirect appears to work currently, but still no HSTS header.

BBlack updated the task description. Jul 11 2017, 5:29 PM

It seems like Shopify has been making some improvements on this front since we last checked.

I google'd around a bit to see what I could see about Shopify's current level of support myself. What I found was https://help.shopify.com/manual/domains/ssl which says: HSTS policy can be set on a domain for a fixed length of time. Shopify's default length is three months (90 days).

I suspect this means that whoever has the admin control panel for our Shopify site should be able to turn on HSTS through some standard configuration setting, and probably set a custom length of 1 year as well. The help page doesn't indicate whether their settings allow turning on includeSub and/or preload, but even if those turn out to be missing, some HSTS would be better than none at all. We can always file a support request afterwards asking for those additional attributes to be configurable.

BBlack updated the task description. Jul 14 2017, 8:05 PM

Digging a little deeper, Shopify open-sources a lot of their infrastructure code. It seems likely that they already support the appropriate attributes at least in the lower levels of their stack (who knows in the user interface), as the specific options exist in their modified clone of Rails: https://github.com/Shopify/rails-mirror/blob/master/actionpack/lib/action_dispatch/middleware/ssl.rb#L20

Hey @BBlack,

Been working on this over the last week.

The short: We have HSTS but it's set to 90 days. Shopify have confirmed that this can be extended in length but they can't set preload and includeSubDomains on the store at this point in time.

The long:

So the store does have an HSTS header https://www.ssllabs.com/ssltest/analyze.html?d=store.wikimedia.org&hideResults=on

However the age is only 90 days. Shopify confirmed that this is set by default. This does run slightly contrary to Shopify's own software production stack which has a default length of 180 days.

They can adjust the store's hsts_age, however the header is set for all domains on the store. And currently they do not have domain-specific HSTS header options, it's an all-or-nothing situation which works fine for us.

Whilst we are currently hosted by Shopify themselves, they can't set preload and includeSubDomains on the store. In the future this may be an option - but right now it's not.

This latter option I think would be different if we were hosted independently of Shopify but with the current setup not achievable.

NEXT STEPS:

Currently having some issues in getting store ownership transferred so once that's sorted we can look at getting this HSTS change done. I might be able to get that started this evening but if not it will be when I come back from leave on October 2nd.

Thanks for the updates! Even a 90d HSTS without the preload/includeSub flags is better than nothing. If we can get the time extended out to 1y that's even better. Of the two missing attributes, preload is the more important of the two. I suspect Shopify will be getting increasing pressure about all of these things from customers over time, so hopefully the situation will continue to improve.

BBlack updated the task description. Sep 22 2017, 1:09 PM

The store HSTS header now has max-age=31557600, but still no includeSubDomains or preload.

jeremyb added a subscriber: jeremyb. Dec 2 2018, 8:49 PM