Feature #9102

Get tails.boum.org on the Chrome HSTS preload list

Added by sajolida 2015-03-24 14:56:31. Updated 2017-03-16 11:15:06.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Infrastructure
Target version:
Start date:
2015-03-24
Due date:
% Done:

100%

Feature Branch:
Type of work:
Wait
Blueprint:

Starter:
Affected tool:
Deliverable for:

Description

The preload list from Chrome is based on HSTS, and available in full here:

https://code.google.com/p/chromium/codesearch#chromium/src/net/http/transport_security_state_static.json

They pin their CA but not their public key directly.

They have a dedicated site to request inclusion:

https://hstspreload.appspot.com/

I’m not sure we could apply according to “Serve all subdomains over
HTTPS”. Sure “tails.boum.org” serves everything as HTTPS and
“dl.amnesia.boum.org” is not a subdomain of “tails.boum.org”. But the
cert is issued to “boum.org”, which doesn’t comply with this rule.

mayfirst.org is in there so we might as well ask dkg for more details.



Related issues

Related to Tails - Feature #9796: HTTPS mirrors Resolved 2017-06-21
Blocked by Tails - Feature #8192: Have HTTPS on all the subdomains of tails.boum.org Resolved 2014-10-31

History

#1 Updated by sajolida 2015-03-24 14:57:41

  • blocked by Feature #8192: Have HTTPS on all the subdomains of tails.boum.org added

#2 Updated by jvoisin 2015-11-27 11:52:12

I sent the following email to root@b.o exactly one month ago, and I sent another one today:

> Hello,
> I’d like to put tails.boum.org in Google’s HSTS preload list[1],
> to close this[2] issue, but for this, I’ll need you to add the “preload”
> and “includeSubdomains” keywords to your HSTS setup, and to also serve
> this header on the redirection that you have on the http(80) website.
>
> You can find the details about the “why” and “how” on the webpage of the
> HSTS preloading thing[3].
>
> Thank you very much for hosting the Tails website, I’ll be happy to
> answer any questions you may have.
>
>
> Have a nice day,
>
> 1 and 3. https://hstspreload.appspot.com/
> 2. https://labs.riseup.net/code/issues/8191

There is little that I can do without having the people behind boum.org setting the right headers.
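As an added example (not part of the ticket, nor of the Tails or boum.org configuration), a small Python checker for the conditions jvoisin lists: the header must carry `includeSubDomains` and `preload`, and the plain-HTTP site must redirect to HTTPS. The one-year max-age minimum is the current hstspreload.org requirement and is an assumption here, since the ticket does not mention it.

```python
"""Added example: check a Strict-Transport-Security header and the plain-HTTP
redirect against the Chrome preload requirements discussed in this ticket."""
from urllib.parse import urlsplit

# Assumption: one year, the minimum max-age hstspreload.org requires today
# (the threshold was lower when this ticket was opened).
MIN_PRELOAD_MAX_AGE = 31536000


def parse_sts(header):
    """Split an STS header value into {directive: value}.
    RFC 6797 makes directive names case-insensitive, so keys are lowercased;
    valueless directives (includeSubDomains, preload) map to None."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def preload_problems(host, https_sts, http_status, http_location):
    """Return the reasons a submission for `host` would be rejected
    (empty list when everything looks acceptable).
    https_sts: STS value served on https://host/ (None if absent)
    http_status, http_location: status code and Location header of the
    response on http://host/ (None if no redirect)."""
    problems = []
    d = parse_sts(https_sts or "")
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("missing or malformed max-age")
    elif int(max_age) < MIN_PRELOAD_MAX_AGE:
        problems.append("max-age %s is below %d" % (max_age, MIN_PRELOAD_MAX_AGE))
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload")
    # Port 80 must redirect to HTTPS on the same host, so a first visit
    # lands on the HTTPS site that actually carries the header.
    target = urlsplit(http_location or "")
    if (http_status not in (301, 302, 307, 308)
            or target.scheme != "https" or target.hostname != host):
        problems.append("http:// does not redirect to https://%s" % host)
    return problems


# Constructed samples (not the real boum.org responses): a header lacking the
# preload tokens versus one that satisfies every check above.
WEAK = ("tails.boum.org", "max-age=15768000", 301, "https://tails.boum.org/")
GOOD = ("tails.boum.org", "max-age=31536000; includeSubDomains; preload",
        301, "https://tails.boum.org/")
```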

#3 Updated by intrigeri 2015-11-29 10:58:50

Thanks for giving a hand!

> There is little that I can do without having the people behind boum.org setting the right headers.

Last time I checked, this ticket was marked as blocked by Feature #8192 for a reason, so I think they should not do the change you requested yet. If I got it wrong, please explain to me why :) If I got it right, please ask root@b.o to hold on. Thanks in advance!

#4 Updated by intrigeri 2015-12-20 10:06:40

intrigeri wrote:
> Last time I checked, this ticket was marked as blocked by Feature #8192 for a reason, so I think they should not do the change you requested yet. If I got it wrong, please explain to me why :)

jvoisin says: “I think you’re right”.

> If I got it right, please ask root@b.o to hold on.

Done.

#5 Updated by intrigeri 2016-08-27 10:07:14

  • Target version set to 2018

#6 Updated by intrigeri 2016-08-27 10:07:42

  • Target version deleted (2018)

(Actually I’ll keep only the parent ticket on the roadmap, to make it easier to understand.)

#7 Updated by intrigeri 2016-10-14 19:35:57

#8 Updated by intrigeri 2016-10-14 19:36:57

Feature #8192 is now done, so one blocker is gone. But https://hstspreload.appspot.com/?domain=tails.boum.org tells me “Please preload `boum.org` instead” as they “only accept automated preload list submissions of whole registered domains”. So it’s more complicated, as e.g. dl.amnesia.boum.org doesn’t do HTTPS yet (not sure if the only HTTP-only *.boum.org site). So I’m marking this ticket as blocked by Feature #9796. Meanwhile, I’ll write to the HSTS Preload List Submission website administrators to request an exception.

#9 Updated by intrigeri 2016-10-14 19:59:09

  • Status changed from Confirmed to In Progress
  • Assignee set to intrigeri
  • % Done changed from 0 to 10
  • Type of work changed from Research to Sysadmin

intrigeri wrote:
> Meanwhile, I’ll write to the HSTS Preload List Submission website administrators to request an exception.

Done!

#10 Updated by intrigeri 2016-12-06 17:18:18

  • % Done changed from 10 to 50

The requested exception was granted, and tails.b.o is now in the draft changes for Chrome 57, so Feature #9796 is no longer a blocker for this ticket :)

#11 Updated by intrigeri 2016-12-06 17:18:23

#12 Updated by intrigeri 2016-12-06 17:18:30

#13 Updated by intrigeri 2016-12-06 17:28:24

  • Target version set to Tails_2.11

If I got it right, Chrome 57 will become stable early in March next year.

#14 Updated by intrigeri 2016-12-06 17:30:47

  • Type of work changed from Sysadmin to Wait

#15 Updated by sajolida 2016-12-07 08:10:48

Yeah!

#16 Updated by intrigeri 2017-03-03 10:13:06

  • Target version changed from Tails_2.11 to Tails_2.12

Chrome 57 is scheduled for March 14.

#17 Updated by intrigeri 2017-03-16 11:14:31

We’re on https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json and in the sources of chromium-browser 57.0.2987.98-1.

#18 Updated by intrigeri 2017-03-16 11:15:06

  • Status changed from In Progress to Resolved
  • Assignee deleted (intrigeri)
  • % Done changed from 50 to 100