Feature #9102
Get tails.boum.org on the Chrome HSTS preload list
100%
Description
The preload list from Chrome is based on HSTS, and available in full here:
They pin their CA but not their public key directly.
They have a dedicated site to request inclusion:
https://hstspreload.appspot.com/
I’m not sure we could apply according to “Serve all subdomains over
HTTPS”. Sure “tails.boum.org” serves everything as HTTPS and
“dl.amnesia.boum.org” is not a subdomain of “tails.boum.org”. But the
cert is issued to “boum.org”, which doesn’t comply with this rule.
mayfirst.org is in there so we might as well ask dkg for more details.
Subtasks
Related issues
Related to Tails - |
Resolved | 2017-06-21 | |
Blocked by Tails - |
Resolved | 2014-10-31 |
History
#1 Updated by sajolida 2015-03-24 14:57:41
- blocked by Feature #8192: Have HTTPS on all the subdomains of tails.boum.org added
#2 Updated by jvoisin 2015-11-27 11:52:12
I sent the following email to root@b.o exactly one month ago, and I sent another one today:
> Hello,
> I’d like to put tails.boum.org in Google’s HSTS preload list[1],
> to close this[2] issue, but for this, I’ll need you to add the “preload”
> and “includeSubdomains” keywords to your HSTS setup, and to also serve
> this header on the redirection that you have on the http(80) website.
>
> You can find the details about the “why” and “how” on the webpage of the
> HSTS preloading thing[3].
>
> Thank you very much for hosting the Tails website, I’ll be happy to
> answer any questions you may have.
>
>
> Have a nice day,
>
> 1 and 3. https://hstspreload.appspot.com/
> 2. https://labs.riseup.net/code/issues/8191
There is little that I can do without having the people behind boum.org setting the right headers.
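The header check behind the request in the comment above, as an added example that is not part of the ticket or of any Tails or boum.org tooling: it parses a Strict-Transport-Security value and lists what is missing among the “preload” and “includeSubdomains” keywords. The function names, the `min_max_age` threshold (the ticket states no value) and the sample responses are assumptions constructed for illustration.

```python
def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {name: argument or None}."""
    directives = {}
    # Splitting on ';' ignores the quoted-string corner case; none of the
    # directives checked here can contain a ';'.
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives between semicolons are allowed
        name, sep, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            raise ValueError("duplicate directive: " + name)
        directives[name] = arg.strip().strip('"') if sep else None
    return directives


def preload_gaps(value, min_max_age=0):
    """List what a header value lacks for the preload request described above."""
    if value is None:
        return ["no Strict-Transport-Security header"]
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]
    gaps = []
    max_age = d.get("max-age")
    if max_age is None or not (max_age.isascii() and max_age.isdigit()):
        gaps.append("max-age missing or not a number")
    elif int(max_age) < min_max_age:  # min_max_age: caller-chosen assumption
        gaps.append("max-age below %d" % min_max_age)
    for keyword in ("includesubdomains", "preload"):
        if keyword not in d:
            gaps.append("missing " + keyword)
        elif d[keyword] is not None:
            gaps.append(keyword + " must not take a value")
    return gaps


# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "https://example.test/": "max-age=31536000; includeSubDomains; preload",
    "https://www.example.test/": "max-age=31536000",
    "http://example.test/ (redirect)": None,
}

if __name__ == "__main__":
    for url, header in SAMPLES.items():
        print(url, "->", preload_gaps(header) or "ok")
```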
#3 Updated by intrigeri 2015-11-29 10:58:50
Thanks for giving a hand!
> There is little that I can do without having the people behind boum.org setting the right headers.
Last time I checked, this ticket was marked as blocked by Feature #8192 for a reason, so I think they should not do the change you requested yet. If I got it wrong, please explain to me why :) If I got it right, please ask root@b.o to hold on. Thanks in advance!
#4 Updated by intrigeri 2015-12-20 10:06:40
intrigeri wrote:
> Last time I checked, this ticket was marked as blocked by Feature #8192 for a reason, so I think they should not do the change you requested yet. If I got it wrong, please explain to me why :)
jvoisin says: “I think you’re right”.
> If I got it right, please ask root@b.o to hold on.
Done.
#5 Updated by intrigeri 2016-08-27 10:07:14
- Target version set to 2018
#6 Updated by intrigeri 2016-08-27 10:07:42
- Target version deleted (2018)
(Actually I’ll keep only the parent ticket on the roadmap, to make it easier to understand.)
#7 Updated by intrigeri 2016-10-14 19:35:57
- blocked by Feature #9796: HTTPS mirrors added
#8 Updated by intrigeri 2016-10-14 19:36:57
#9 Updated by intrigeri 2016-10-14 19:59:09
- Status changed from Confirmed to In Progress
- Assignee set to intrigeri
- % Done changed from 0 to 10
- Type of work changed from Research to Sysadmin
intrigeri wrote:
> Meanwhile, I’ll write to the HSTS Preload List Submission website administrators to request an exception.
Done!
#10 Updated by intrigeri 2016-12-06 17:18:18
- % Done changed from 10 to 50
The requested exception was granted, and tails.b.o is now in the draft changes for Chrome 57, so Feature #9796 is no longer a blocker for this ticket :)
#11 Updated by intrigeri 2016-12-06 17:18:23
- blocks deleted (Feature #9796: HTTPS mirrors)
#12 Updated by intrigeri 2016-12-06 17:18:30
- related to Feature #9796: HTTPS mirrors added
#13 Updated by intrigeri 2016-12-06 17:28:24
- Target version set to Tails_2.11
If I got it right, Chrome 57 will become stable early in March next year.
#14 Updated by intrigeri 2016-12-06 17:30:47
- Type of work changed from Sysadmin to Wait
#15 Updated by sajolida 2016-12-07 08:10:48
Yeah!
#16 Updated by intrigeri 2017-03-03 10:13:06
- Target version changed from Tails_2.11 to Tails_2.12
Chrome 57 is scheduled for March 14.
#17 Updated by intrigeri 2017-03-16 11:14:31
We’re on https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json and in the sources of chromium-browser 57.0.2987.98-1.
#18 Updated by intrigeri 2017-03-16 11:15:06
- Status changed from In Progress to Resolved
- Assignee deleted (intrigeri)
- % Done changed from 50 to 100