
Enable HSTS on store.wikimedia.org for HTTPS
Open, MediumPublic

Description

store.wikimedia.org HTTPS issues:

  • Currently has: Strict-Transport-Security: max-age=31557600
  • Needs: Strict-Transport-Security: max-age=31557600; includeSubDomains; preload

Event Timeline

Restricted Application added a subscriber: Aklapper.

Hi @Chmarkine. We don't have anyone with a tech/ops background working for the store at the moment < waiting volunteers> :)!!

Can you please explain a little what setting the HSTS header means and what is the urgency on this? Thanks!

> We don't have anyone with a tech/ops background working for the store at the moment < waiting volunteers> :)!!

Since it's hosted by someone other than Wikimedia, I don't think that's an option?

Yea, I was gonna say, that would be possible if the store was running on our own infrastructure, but it's all external on shopify.com.

> Can you please explain a little what setting the HSTS header means and what is the urgency on this? Thanks!

Setting the HSTS header means that the webserver will tell the clients (browsers) "only ever use https to connect to this site and never http again". So it ensures that it's only possible to talk to this site using a secure (encrypted) connection. It protects against certain kinds of attacks where a client is convinced to "downgrade" to http which means data is not encrypted anymore and potential attackers can sniff traffic and get private data out of it. In the worst case this could be credit card data in the case of a shop. The tricky part is that once you turn this on you can't simply revert it if something goes wrong, so you have to be sure that you are ready to do this. Shopify must be sure that all parts of the shop system are https-only and stay like that in the future.

Also see https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
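As an added illustration (not code from the task, Wikimedia or Shopify), a small parser that evaluates a Strict-Transport-Security header against the policy the task description asks for. The two header values are the ones quoted in the description; the 90-day value used in the comments is constructed for the check.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample header values: the first two are quoted in the task description,
# the third is a constructed 90-day (7776000 s) policy.
CURRENT_HEADER = "Strict-Transport-Security: max-age=31557600"
REQUIRED_HEADER = "Strict-Transport-Security: max-age=31557600; includeSubDomains; preload"
NINETY_DAY_HEADER = "max-age=7776000"

ONE_YEAR = 31536000  # minimum max-age generally expected before preloading


@dataclass
class HstsPolicy:
    max_age: Optional[int]      # None means the header is malformed and browsers ignore it
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> HstsPolicy:
    """Parse an STS header, with or without the leading header name.

    Directive names are case-insensitive (RFC 6797); max-age is mandatory.
    """
    value = re.sub(r"(?i)^strict-transport-security:", "", header)
    policy = HstsPolicy(max_age=None, include_subdomains=False, preload=False)
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if arg.isdigit():
                policy.max_age = int(arg)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy


def audit_hsts(header: str, min_age: int = ONE_YEAR) -> List[str]:
    """Return the gaps between a served header and the task's target policy."""
    p = parse_hsts(header)
    gaps = []
    if p.max_age is None:
        gaps.append("missing or malformed max-age (header is ignored by browsers)")
    elif p.max_age < min_age:
        gaps.append(f"max-age={p.max_age} is below {min_age} seconds")
    if not p.include_subdomains:
        gaps.append("missing includeSubDomains")
    if not p.preload:
        gaps.append("missing preload")
    return gaps
```

Once a browser has cached a policy, the only way to withdraw it is to keep serving `max-age=0` over HTTPS until the cached entries expire, which is the "can't simply revert" point made above.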

@Dzahn got it, thanks for explaining in plain english, Dan ;)

I will email Shopify and ask them about it, but unfortunately I don't think we have leverage to make them enable HSTS header if they are not already planning to :)

Hi @Ppena, did Shopify come back to you with an answer? Thanks!

fgiunchedi triaged this task as Medium priority.Apr 27 2016, 1:13 PM
BBlack renamed this task from https://store.wikimedia.org doesn't set HSTS header to store.wikimedia.org HTTPS issues.Jul 27 2016, 7:13 PM
BBlack updated the task description.
BBlack added a subscriber: BBlack.

Fixed up title and description to match what we need out of it today, rather than old audit data and/or old targets.

@Ppena (or anyone) - who's responsible in the WMF for store.wikimedia.org? This is a pretty basic request and it's been outstanding for months. It's one of the few non-conforming exceptions to our HTTPS policy remaining!

found quote from a mail from Seddon "Change in management.. Wikipedia Store project has moved under Michael Beattie.. Sandra Hust [2] will be the primary contact for internal orders, questions and operations, while Michael Beattie will be responsible for the management of the project itself."

Hey @BBlack,

Apologies, this got dropped. Either myself or @MBeat33 will get back to you as to whether we can actually make this change or not, although my hopes are not that high.

Seddon

Any updates here? What we're asking for here is a modern HTTPS-only configuration. I'd think an e-commerce vendor would be all about that...

@Jseddon @MBeat33 - ping again? The redirect appears to work currently, but still no HSTS header.

It seems like Shopify has been making some improvements on this front since we last checked.

I googled around a bit to see what I could see about Shopify's current level of support myself. What I found was https://help.shopify.com/manual/domains/ssl which says: HSTS policy can be set on a domain for a fixed length of time. Shopify's default length is three months (90 days).

I suspect this means that whoever has the admin control panel for our Shopify site should be able to turn on HSTS through some standard configuration setting, and probably set a custom length of 1 year as well. The help page doesn't indicate whether their settings allow turning on includeSub and/or preload, but even if those turn out to be missing, some HSTS would be better than none at all. We can always file a support request afterwards asking for those additional attributes to be configurable.

Digging a little deeper, Shopify open-sources a lot of their infrastructure code. It seems likely that they already support the appropriate attributes at least in the lower levels of their stack (who knows in the user interface), as the specific options exist in their modified clone of Rails: https://github.com/Shopify/rails-mirror/blob/master/actionpack/lib/action_dispatch/middleware/ssl.rb#L20

Hey @BBlack,

Been working on this over the last week.

The short: We have HSTS but it's set to 90 days. Shopify have confirmed that this can be extended in length but they can't set preload and includeSubDomains on the store at this point in time.

The long:

So the store does have a HSTS header https://www.ssllabs.com/ssltest/analyze.html?d=store.wikimedia.org&hideResults=on

However the age is only 90 days. Shopify confirmed that this is set by default. This does run slightly contrary to Shopify's own software production stack, which has a default length of 180 days.

They can adjust the store's hsts_age; however, the header is set for all domains on the store. And currently they do not have domain-specific HSTS header options, it's an all-or-nothing situation, which works fine for us.

Whilst we are currently hosted by Shopify themselves, they can't set preload and includeSubDomains on the store. In the future this may be an option - but right now it's not.

This latter option I think would be different if we were hosted independently of Shopify, but with the current setup it is not achievable.

NEXT STEPS:

Currently having some issues in getting store ownership transferred so once that's sorted we can look at getting this HSTS change done. I might be able to get that started this evening but if not it will be when I come back from leave on October 2nd.

Thanks for the updates! Even a 90d HSTS without the preload/includeSub flags is better than nothing. If we can get the time extended out to 1y that's even better. Of the two missing attributes, preload is the more important of the two. I suspect Shopify will be getting increasing pressure about all of these things from customers over time, so hopefully the situation will continue to improve.

The store HSTS header now has max-age=31557600, but still no includeSubDomains or preload.

Bump - Whoever's in charge of Shopify on our end, can we check if they've added support for includeSubdomains and preload now in some site setting?

@MBeat33: Could you maybe answer @BBlack's last question? Or do you know who could?
(Asking you because of https://phabricator.wikimedia.org/T228672#5358426)

T228672 says nobody in charge of the Shop is even on Phabricator :(

Looks like we have to email merchandise@ to get this bumped.


Hi all, @Jseddon is on leave, but this is on his agenda for when he returns. I know he's engaged with Shopify about this issue.

Update: sometime since I last checked, they've changed the header to: strict-transport-security: max-age=31557600 (~1 year, vs ~90 days before). Still missing the other attributes (preload and includeSubDomains)...

Krinkle renamed this task from store.wikimedia.org HTTPS issues to Enable HSTS on store.wikimedia.org for HTTPS.Mar 18 2020, 6:28 PM
Krinkle updated the task description.

Do we have a document somewhere describing the requirements of hosts pointed to by records under the wikimedia.org zone? If not should one be made and a compliance requirement date set?

The swap of Traffic for Traffic-Icebox in this ticket's set of tags was based on a bulk action for all such tickets that haven't been updated in 6 months or more. This does not imply any human judgement about the validity or importance of the task, and is simply the first step in a larger task cleanup effort. Further manual triage and/or requests for updates will happen this month for all such tickets. For more detail, have a look at the extended explanation on the main page of Traffic-Icebox. Thank you!