#3309 [RFE] Use HTTP Strict Transport Security to thwart man-in-the-middle attacks against WebUI
Closed: wontfix 5 years ago Opened 11 years ago by pspacek.

This HTTP extension enables a web browser to remember and enforce TLS/HTTPS usage for each connection to a specified server. As a result, an attacker is not able to perform a man-in-the-middle attack (HTTP downgrade attack).

Implementation details: While HSTS consists of a single "Strict-Transport-Security" HTTP header.

It is supported at least in Firefox and Chrome: http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security#Support

See RFC 6797.


FreeIPA server still requires an HTTP connection to install the Firefox Kerberos Configuration extension.

The behaviour is considered a feature:

More info about the FF krb extension: http://www.redhat.com/archives/freeipa-devel/2012-October/msg00038.html

This would also require a separate domain for the CRL and web UI.

Metadata Update from @pspacek:
- Issue assigned to pvoborni
- Issue set to the milestone: Ticket Backlog

7 years ago

Metadata Update from @pvomacka:
- Issue close_status updated to: None
- Issue tagged with: webui

6 years ago

Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
