mahara-contributors team mailing list archive
Message #46228
[Bug 1734767] Re: Mahara needing the HTTP Strict Transport Security (HSTS) header when site is https
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-17455
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1734767
Title:
Mahara needing the HTTP Strict Transport Security (HSTS) header when
site is https
Status in Mahara:
Fix Committed
Status in Mahara 16.10 series:
Fix Released
Status in Mahara 17.04 series:
Fix Released
Status in Mahara 17.10 series:
Fix Released
Status in Mahara 18.04 series:
Fix Committed
Bug description:
If a website accepts a connection through HTTP and redirects to HTTPS,
visitors may initially communicate with the non-encrypted version of
the site before being redirected, if, for example, the visitor types
http://www.foo.com/ or even just foo.com. This creates an opportunity
for a man-in-the-middle attack. The redirect could be exploited to
direct visitors to a malicious site instead of the secure version of
the original site.
The HTTP Strict Transport Security header informs the browser that it
should never load a site using HTTP and should automatically convert
all attempts to access the site using HTTP to HTTPS requests instead.
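The bug description above summarises what the header does; the following checker, an added example that is not part of this bug report or of Mahara's code, parses a Strict-Transport-Security value along the lines of RFC 6797 (semicolon-separated directives, case-insensitive names, a required numeric max-age, no directive repeated) and grades a response the way a reviewer verifying the fix would. The sample responses are constructed, and the one-year minimum for max-age is this example's own threshold, not a value from the bug.

```python
"""Parse and grade Strict-Transport-Security (HSTS) response headers.

Added example, not Mahara's own code. RFC 6797 defines the header as a
semicolon-separated list of directives: 'max-age' is required, names are
case-insensitive, and no directive may appear twice. Browsers only honour
the header when it arrives over HTTPS, so the request scheme is checked too.
"""
import re

ONE_YEAR = 31536000  # this example's minimum max-age, in seconds (assumption)

# Constructed sample responses (scheme, headers); not captured from any site.
SAMPLE_RESPONSES = {
    "fixed":      ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    "missing":    ("https", {"Content-Type": "text/html"}),
    "too_short":  ("https", {"Strict-Transport-Security": "max-age=300"}),
    "repeated":   ("https", {"Strict-Transport-Security": "max-age=31536000; max-age=0"}),
    "malformed":  ("https", {"Strict-Transport-Security": 'max-age="1y"'}),
    "plain_http": ("http",  {"Strict-Transport-Security": "max-age=31536000"}),
}


def parse_hsts(value):
    """Return (directives, issues) for one header value.

    directives maps the lower-cased directive name to its value (None when
    the directive has no '=value' part); issues lists syntax violations.
    """
    directives = {}
    issues = []
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue  # stray ';' produces an empty element; tolerate it
        name, sep, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip() if sep else None
        if val is not None and len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # quoted-string form is permitted by the grammar
        if name in directives:
            issues.append(f"directive '{name}' repeated")
            continue
        directives[name] = val
    if "max-age" not in directives:
        issues.append("required 'max-age' directive missing")
    elif directives["max-age"] is None or not re.fullmatch(r"\d+", directives["max-age"]):
        issues.append("'max-age' is not a non-negative integer")
    return directives, issues


def evaluate_hsts(scheme, headers, min_max_age=ONE_YEAR):
    """Grade one response; returns ok flag, parsed max_age and a list of issues."""
    result = {"ok": False, "max_age": None, "include_subdomains": False, "issues": []}
    # HTTP header names are case-insensitive, so match on a lower-cased key.
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        result["issues"].append("no Strict-Transport-Security header")
        return result
    if scheme != "https":
        # A browser ignores HSTS received over plain HTTP; the redirect to
        # https must happen first and the header be sent on that response.
        result["issues"].append("header sent over http is ignored by browsers")
    directives, issues = parse_hsts(value)
    result["issues"].extend(issues)
    max_age_str = directives.get("max-age")
    if max_age_str is not None and re.fullmatch(r"\d+", max_age_str):
        result["max_age"] = int(max_age_str)
        if result["max_age"] < min_max_age:
            result["issues"].append(
                f"max-age {result['max_age']} is below the {min_max_age}s minimum")
    result["include_subdomains"] = "includesubdomains" in directives
    result["ok"] = not result["issues"]
    return result


if __name__ == "__main__":
    for label, (scheme, headers) in SAMPLE_RESPONSES.items():
        verdict = evaluate_hsts(scheme, headers)
        status = "OK " if verdict["ok"] else "BAD"
        print(f"{status} {label:10s} {'; '.join(verdict['issues']) or 'policy accepted'}")
```

Only the first sample passes; the others show the failure modes a deployment review should catch, including a correctly formed header that is wasted because it was sent on the plain-HTTP response instead of after the redirect.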
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1734767/+subscriptions