From b063537515f67e167024c91c365014ec93266dd1 Mon Sep 17 00:00:00 2001 From: Anand Bhat Date: Fri, 31 Aug 2018 23:51:41 +1000 Subject: [PATCH 1/5] Use https links Use https links for caniuse.com --- pages/hsts.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pages/hsts.md b/pages/hsts.md index 393c671..c65689b 100644 --- a/pages/hsts.md +++ b/pages/hsts.md @@ -6,7 +6,7 @@ permalink: /hsts/ description: "An overview of HTTP Strict Transport Security (HSTS), a lightweight standard that prevents privacy leaks and downgrade attacks." --- -**[HTTP Strict Transport Security](https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security)** (HSTS) is a simple and [widely supported](http://caniuse.com/#feat=stricttransportsecurity) standard to protect visitors by ensuring that their browsers _always_ connect to a website over HTTPS. HSTS exists to remove the need for the common, insecure practice of redirecting users from `http://` to `https://` URLs. +**[HTTP Strict Transport Security](https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security)** (HSTS) is a simple and [widely supported](https://caniuse.com/#feat=stricttransportsecurity) standard to protect visitors by ensuring that their browsers _always_ connect to a website over HTTPS. HSTS exists to remove the need for the common, insecure practice of redirecting users from `http://` to `https://` URLs. When a browser knows that a domain has enabled HSTS, it does two things: @@ -171,7 +171,7 @@ Here are some links to do that with other web servers: ## Resources -* [Browser support for HSTS](http://caniuse.com/#feat=stricttransportsecurity) +* [Browser support for HSTS](https://caniuse.com/#feat=stricttransportsecurity) * [HSTS web developer documentation](https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security) maintained by the Mozilla community * Chrome's [HSTS preload list](https://chromium.googlesource.com/chromium/src/+/master/net/http/transport_security_state_static.json), and their [submission form](https://hstspreload.org). * ["Upgrading HTTPS in Mid-Air"](https://www.internetsociety.org/sites/default/files/01_4_0.pdf) - A paper analyzing the current detailed practice of HSTS and [HTTP Public Key Pinning](https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning), as of November 2014. From bae67776200ec5e1d8e6cc7bcacbab31f3b9123b Mon Sep 17 00:00:00 2001 From: Anand Bhat Date: Fri, 31 Aug 2018 23:54:27 +1000 Subject: [PATCH 2/5] Use https link Use https link for nvlpubs.nist.gov --- pages/certificates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/certificates.md b/pages/certificates.md index f0195d5..ca66ea2 100644 --- a/pages/certificates.md +++ b/pages/certificates.md @@ -43,7 +43,7 @@ In general: * Agencies **[should immediately replace certificates signed with SHA-1](/technical-guidelines/#signature-algorithms)**, as browsers are quickly moving to remove support for the SHA-1 algorithm. Commercial CAs are forbidden from issuing them entirely as of January 1, 2016. -As a general matter, certificates from any commercial CA will meet the few [NIST technical requirements](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf) that relate to certificates. +As a general matter, certificates from any commercial CA will meet the few [NIST technical requirements](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf) that relate to certificates. ## What rules and oversight are certificate authorities subject to? From 99a2214687bcd55907d15181903979a2c6b5dcf9 Mon Sep 17 00:00:00 2001 From: Anand Bhat Date: Fri, 31 Aug 2018 23:57:36 +1000 Subject: [PATCH 3/5] Fix dead link --- pages/guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/guide.md b/pages/guide.md index 078ef4a..b24aac3 100644 --- a/pages/guide.md +++ b/pages/guide.md @@ -97,7 +97,7 @@ HTTP redirects must use a response code in the 300's that can reliably cause HTT The use of error codes in the 400's or 500's **will not** satisfy this requirement. -Note that while connections to port 80 are insecure, even for redirects, the use of [HSTS](/hsts/]) will instruct supporting HTTP clients to automatically redirect themselves from port 80 to port 443, without attempting to connect to port 80 over the network. +Note that while connections to port 80 are insecure, even for redirects, the use of [HSTS](/hsts/) will instruct supporting HTTP clients to automatically redirect themselves from port 80 to port 443, without attempting to connect to port 80 over the network. HSTS mitigates the security impact of connections over port 80, while allowing agencies the flexibility to continue redirecting legacy clients or clients which have not yet received an HSTS policy for the target domain. From 2c2c97e311aca52d9f13a33cdf49fd097d082d7f Mon Sep 17 00:00:00 2001 From: Anand Bhat Date: Sat, 1 Sep 2018 00:03:12 +1000 Subject: [PATCH 4/5] Use https links Use https links for nvlpubs.nist.gov and social.technet.microsoft.com. Remove redirect for social.technet.microsoft.com --- pages/technical.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pages/technical.md b/pages/technical.md index c0408e6..6c0a1ad 100644 --- a/pages/technical.md +++ b/pages/technical.md @@ -25,7 +25,7 @@ SSL and TLS perform the same function, and TLS is a direct successor and replace The major versions of SSL/TLS in use today are: * **SSLv3:** [Released in 1996.](https://tools.ietf.org/html/rfc6101) **Considered to be insecure** after the [POODLE](https://www.openssl.org/~bodo/ssl-poodle.pdf) attack was published in 2014. Turning off SSLv3 effectively removes support for Internet Explorer 6. -* **TLSv1.0:** - [Released in 1999.](https://tools.ietf.org/html/rfc2246) Used widely today to support [some older clients](https://www.ssllabs.com/ssltest/clients.html), like IE8 and Android 4.3 and below. [NIST Special Publication 800-52](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf) disallows TLSv1.0 for government-facing systems. +* **TLSv1.0:** - [Released in 1999.](https://tools.ietf.org/html/rfc2246) Used widely today to support [some older clients](https://www.ssllabs.com/ssltest/clients.html), like IE8 and Android 4.3 and below. [NIST Special Publication 800-52](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf) disallows TLSv1.0 for government-facing systems. * **TLSv1.1:** - [Released in 2006.](https://tools.ietf.org/html/rfc4346) An improvement over TLSv1.0, but was quickly superseded by TLSv1.2. * **TLSv1.2:** - [Released in 2008.](https://tools.ietf.org/html/rfc5246) This is the strongest form of TLS today, and is widely supported by modern browsers. @@ -35,7 +35,7 @@ It is possible for an attacker to interfere with the negotiation process and att A downgrade attack can be prevented by using **[TLS Fallback SCSV](https://tools.ietf.org/html/rfc7507)**, a TLS extension proposed in 2014 and which is enabled by default in newer versions of OpenSSL. -For more details of NIST recommendations, read [NIST Special Publication 800-52](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf). +For more details of NIST recommendations, read [NIST Special Publication 800-52](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf). * **[The Pulse HTTPS dashboard for .gov domains](https://pulse.cio.gov/https/domains/)** will note when a domain still offers insecure SSLv3, or when a domain does not yet offer TLSv1.2. * **[https.cio.gov is configured](https://www.ssllabs.com/ssltest/analyze.html?d=https.cio.gov)** to support TLSv1.0, TLSv1.1, and TLSv1.2, and has TLS Fallback SCSV enabled. @@ -61,9 +61,9 @@ The HTTPS/TLS security model uses "certificates" to guarantee authenticity. Thes The certificate authority's trusted root certificate (which is included with your OS or browser) is used to sign an intermediary certificate, which is used to sign your website's certificate. There may be more than one intermediary certificate in the chain. A part of the signature process is computing a "hash" of the data included in the certificate. This can be done using a standard hashing algorithm, such as [SHA-1](https://en.wikipedia.org/wiki/SHA-1) or [SHA-2](https://en.wikipedia.org/wiki/SHA-2). -SHA-1 has been shown to have serious weaknesses, and so browser and OS providers like [Google](https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html), [Microsoft](http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx), and [Mozilla](https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/) have announced timelines to deprecate SHA-1 in favor of the SHA-2 family of algorithms. +SHA-1 has been shown to have serious weaknesses, and so browser and OS providers like [Google](https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html), [Microsoft](https://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-sha1-certificates.aspx), and [Mozilla](https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/) have announced timelines to deprecate SHA-1 in favor of the SHA-2 family of algorithms. -[NIST has disallowed SHA-1](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf) for digital signature generation after 2013. +[NIST has disallowed SHA-1](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf) for digital signature generation after 2013. As of January 2016, commercial CAs are forbidden by most root programs from issuing a SHA-1 certificate. As such, obtaining a publicly trusted SHA-1 certificate is no longer feasible. In addition, site owners with an existing SHA-1 certificate should be aware that many browsers and OSes will be disabling SHA-1 support in early 2017. From 8ebfdaeab8abf205fa9858ab85c90d411aa1e836 Mon Sep 17 00:00:00 2001 From: Anand Bhat Date: Sat, 1 Sep 2018 00:09:33 +1000 Subject: [PATCH 5/5] Replace dead link --- pages/hsts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/hsts.md b/pages/hsts.md index c65689b..009d4e1 100644 --- a/pages/hsts.md +++ b/pages/hsts.md @@ -174,5 +174,5 @@ Here are some links to do that with other web servers: * [Browser support for HSTS](https://caniuse.com/#feat=stricttransportsecurity) * [HSTS web developer documentation](https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security) maintained by the Mozilla community * Chrome's [HSTS preload list](https://chromium.googlesource.com/chromium/src/+/master/net/http/transport_security_state_static.json), and their [submission form](https://hstspreload.org). -* ["Upgrading HTTPS in Mid-Air"](https://www.internetsociety.org/sites/default/files/01_4_0.pdf) - A paper analyzing the current detailed practice of HSTS and [HTTP Public Key Pinning](https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning), as of November 2014. +* ["Upgrading HTTPS in Mid-Air"](https://www.cs.princeton.edu/research/techreps/TR-986-15) - A paper analyzing the current detailed practice of HSTS and [HTTP Public Key Pinning](https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning), as of November 2014. * ["The first .gov domains hardcoded into your browser as all-HTTPS"](https://18f.gsa.gov/2015/02/09/the-first-gov-domains-hardcoded-into-your-browser-as-all-https/), by 18F.