HTTP Strict Transport Security not enabled on Horizon Dashboard
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard (Horizon) | Invalid | Undecided | Unassigned |
OpenStack Security Notes | Fix Released | Undecided | Unassigned |
Bug Description
Versions: 2012.2
The Horizon Dashboard does not enable HTTP Strict Transport
Security. As a result, browsers can be tricked into making HTTP
connections even if all connections to Horizon should be
protected via TLS. Therefore, web sessions are susceptible to
MitM attacks such as cookie/session stealing.
HTTP Strict Transport Security (HSTS) is a mechanism through which web
hosts can instruct browsers to only connect over SSL/TLS for future
connections. It helps prevent Man-in-the-Middle (MitM) attacks that
attempt to trick victims' browsers into dropping out of SSL/TLS. HSTS
can also help mitigate other weaknesses such as web applications which
omit the secure flag when setting session cookies. HSTS is currently
implemented in Firefox and Chrome, but will ideally be included in
other popular browsers as well.
For more information see
https:/
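As an added example, not part of the bug report or of Horizon's own code, the following Python checker parses a response's Strict-Transport-Security header and flags the conditions the report describes: a missing header, or a policy that does not actually keep the browser on TLS. The six-month baseline and the sample responses are assumptions constructed for the example.

```python
"""Check HTTP response headers for an HSTS policy (RFC 6797)."""

# Six months, a common hardening baseline for max-age (assumption, not from the report).
MIN_MAX_AGE = 60 * 60 * 24 * 180

def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security value into {directive: value-or-True}.
    Directive names are case-insensitive; unknown directives are kept as-is."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else True
    return directives

def evaluate_hsts(headers: dict) -> list:
    """Return findings for one response's headers; an empty list means the
    policy meets the baseline. Header names are matched case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    value = lower.get("strict-transport-security")
    if value is None:
        return ["missing Strict-Transport-Security header"]
    findings = []
    d = parse_hsts(value)
    max_age = d.get("max-age")
    if max_age is None or not str(max_age).isdigit():
        findings.append("max-age directive missing or not a number")
    elif int(max_age) == 0:
        findings.append("max-age=0 disables HSTS for this host")
    elif int(max_age) < MIN_MAX_AGE:
        findings.append(f"max-age {max_age} below baseline {MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set; subdomains stay unprotected")
    return findings

# Constructed sample responses, not captured from a real Horizon deployment.
SAMPLE_RESPONSES = {
    "horizon_default": {"Content-Type": "text/html", "Set-Cookie": "sessionid=abc; Path=/"},
    "weak": {"Strict-Transport-Security": "max-age=0"},
    "hardened": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(name, evaluate_hsts(hdrs) or "OK")
```

Run it against headers captured from your own Horizon endpoint to confirm the policy is present before relying on it to protect session cookies.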
Changed in ossa:
status: New → Incomplete
I'm inclined to say this is at least public... it seems to me that there's no reasonable expectation by the user that Horizon implements HSTS unless it claims to do so in its documentation. I also think this is more appropriately approached as a security hardening bug rather than a vulnerability in the application.