Force HTTPS and add Strict Transport Security

[konklone]

This is a sequel issue to #4112, where cdnjs started recommending HTTPS URLs over HTTP.

I believe cdnjs should feel comfortable turning on a 301 redirect from HTTP to HTTPS, and adding the Strict-Transport-Security header to its web server, so that even sites that leave their http:// links in place will start fetching resources over https:// and protecting their users.

I've done my best to comprehensively evaluate the effects of forcing a redirect, on both <script> tags and CORS requests, and my results are here:

• Live testing page: http://konklone.io/cdns-to-https/
• Background and results

The short of it is that <script> tags pointing to http:// resources are completely unaffected by a 301 redirect, even as far back as IE6 on Windows XP. It's a safe move.

For CORS requests, there are a couple of client incompatibilities: older Android, and Safari (on iOS and desktop). I don't know what cdnjs' CORS usage is like. If that's not auditable already, then the first step would be to enable some kind of analytics for that.

Even if CORS has some support -- to me, the benefits here seem to outweigh the costs. Strict Transport Security, which works in every browser except for IE (and the next IE will support it), means that CDNs have the ability to tighten up security for visitors to third-party websites using their assets, without the third-party websites having to do anything.

With Strict Transport Security in place, it then becomes trivial to add that domain to the HSTS Preload list managed by Chrome, and used by Firefox and Safari and the next version of IE, so that users won't even have to make one insecure redirect to start making secure cdnjs requests. Though they try to limit subdomains, I'm positive the Chrome team would happily add cdnjs.cloudflare.com to their list, given cdnjs' reach.

--- Want to back this issue? **[Post a bounty on it!](https://www.bountysource.com/issues/8382701-force-https-and-add-strict-transport-security?utm_campaign=plugin&utm_content=tracker%2F32893&utm_medium=issues&utm_source=github)** We accept bounties via [Bountysource](https://www.bountysource.com/?utm_campaign=plugin&utm_content=tracker%2F32893&utm_medium=issues&utm_source=github).

[PeterDaveHello]

cc @thomasdavis @terinjokes

[ximex]

:+1:

[konklone]

Let me know if there's any more information I can provide here to make the case.

[thomasdavis]

Just tagging @ryankirkman too

[PeterDaveHello]

@terinjokes do we have any schedule on it? Thanks!

[terinjokes]

@ryankirkman Do you want to chat about this? I was backpacking Europe when this issue was created, and I forgot about it.

[ryankirkman]

@terinjokes Sure thing!

[PeterDaveHello]

@terinjokes I remember that cloudflare has this feature for normal websites thay applied cloudflare cdn, hope I did not remember it wrong, and i think this feature cam also prevent http to https redirect so that also speed up the websites still using http or relative protocol to access our website, we have changed the url in website to include https prefix.for a while, so I think we can just turn it on, what do you think @ryankirkman

[PeterDaveHello]

@terinjokes may I ask is there any updates here? Thanks you.

[konklone]

cdnjs still allows HTTP requests for its libraries:

http://cdnjs.cloudflare.com/ajax/libs/jquery/3.0.0-beta1/jquery.min.js

And isn't currently setting an HSTS header for the secure versions:

$ curl --head https://cdnjs.cloudflare.com/ajax/libs/jquery/3.0.0-beta1/jquery.min.js
HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Fri, 18 Mar 2016 15:20:08 GMT
Content-Type: application/javascript; charset=utf-8
Content-Length: 86071
Connection: keep-alive
Last-Modified: Fri, 15 Jan 2016 08:02:19 GMT
Expires: Wed, 08 Mar 2017 15:20:08 GMT
Cache-Control: public, max-age=30672000
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
CF-RAY: 2859aabb4d8523a2-IAD

Fixing both of these would be an easy way for CloudFlare to greatly improve user security for anyone visiting a site using a cdnjs library.

[PeterDaveHello]

In fact, Cloudflare.com is in the HSTS preload list: https://hstspreload.appspot.com/

So the modern browsers will automatically use https for it.

[konklone]

@PeterDaveHello Unfortunately, this isn't the case. Cloudflare's entries are line 4382 to 4834:

The include_subdomains flag is set to false for cloudflare.com, so cdnjs.cloudflare.com is not covered by this HSTS policy. This is also why www.cloudflare.com and api.cloudflare.com appear as separate entries, because they wouldn't otherwise be covered.

[PeterDaveHello]

hmmmm ... okay, I didn't check the entries in detail, thanks @konklone

[terinjokes]

@ryankirkman and I looked at a time slice of CDNJS traffic and the protocols being used. 63% of the traffic was over HTTPS. There was some concerned that forcing HTTPS for the remaining 37% might slow down TTFB. On the other hand, modern browsers can pipeline requests over HTTPS connections, which might improve the overall page performance. Unfortunately, CDNJS is not in a good position to measure this.

In this light, my suggestion on how we could move forward:

1. Enable HSTS for the CDNJS domains, for modern browsers (and to get it added to the preload list)
2. At this time, NOT setting up a redirect from HTTP to HTTPS, to avoid possible negative issues in older browsers.

How does this sound to everyone else?

[konklone]

From my perspective, this would be outstanding progress.

You will need to get the domain added to the preload list by contacting the Chrome team directly, in part because it's a subdomain and in part because you will not be redirecting HTTP->HTTPS automatically. However, I think it highly likely your request would be granted.

[terinjokes]

@konklone Yes, we've got a ticket internally to get the preload list changed to include_subdomains: true that's currently blocked to resolve the CDNJS issue.

[konklone]

It'll be interesting to see what the % of HTTPS traffic is after the domain spends a while in production preload lists (I don't know what the rollout timeline is like for Firefox, Safari, and IE11/Edge).

[terinjokes]

@konklone At least for Chrome, the preload list is rolled out in the standard release pipeline. So for it will likely take a few months to get from committed to in a stable release.

[drewfreyling]

Sounds good to me @terinjokes

[thomasdavis]

Amazing work!

Sounds like it could take a long time for that redirect to take place though, although security is great, it is probably more of an impairment to those not fortunate enough to be on modern browsers.

[konklone]

Sounds like it could take a long time for that redirect to take place though, although security is great, it is probably more of an impairment to those not fortunate enough to be on modern browsers.

I'm not sure I agree, but the practical benefit for browsers that don't support HSTS wouldn't be that great, because the HTTP->HTTPS redirects they'd keep hitting would be just as insecure as downloading the content directly over HTTP.

Where a redirect would help is in more rapidly introducing browsers that do support HSTS (but which don't support preloading) to the HSTS policy for cdnjs.cloudflare.com. I'm not sure how big that population is.

So given the threat model here, I think this is a justifiable call.

But I wouldn't, as a general matter, say that people on older browsers should get faster insecure things over slower secure things. As CloudFlare made clear in their end-of-2015 SHA-1 blog post, many people with older browsers are in more hostile regions of the world, where network attacks could well be more common and, when successful, more devastating.

[terinjokes]

@konklone That's a very good point towards the other side when it comes to the redirect. I think it's very useful to have a discussion about what we should do here.

I think we're all in agreement with moving forward on the HSTS side of things. Please correct me if I'm wrong.

Where a redirect would help is in more rapidly introducing browsers that do support HSTS (but which don't support preloading) to the HSTS policy for cdnjs.cloudflare.com.

The good news is that all it takes is one HTTPS request from any site to get cdnjs.cloudflare.com in the browser's local HSTS cache.

---

Once we roll out the HSTS header, we might want to review the access logs and see how much HTTP traffic we continue to get. Knowing this information may help us shape the next steps with respect to HTTPS redirects.

[konklone]

Once we roll out the HSTS header, we might want to review the access logs and see how much HTTP traffic we continue to get. Knowing this information may help us shape the next steps with respect to HTTPS redirects.

:+1:

I'll also note for anyone watching this thread that @thomasdavis successfully motivated me to start a comparison table tracking asset CDN behavior regarding HTTPS and HSTS.

[drewfreyling]

@thomasdavis anybody who is using <IE11 is already impaired by the fact Microsoft are no longer supporting them. For me this is one of those progressive enhancement type things - as long as it works in older browsers it doesn't have to be the best experience.

[JamesMGreene]

The introduction of HSTS causes issues with hosting ZeroClipboard on CDNJS as its Flash SWF must be served via the same protocol as the page hosting it: https://github.com/zeroclipboard/zeroclipboard/issues/632 👎

[ScottHelme]

I published an article about HSTS usage on CDNs and was pointed to this issue on Twitter. It will be interesting to keep track of what happens.

Here is the article if you're interested: https://scotthel.me/cdn

[terinjokes]

@ScottHelme I saw your post last week, thanks for doing the research. As you can see here, it's been on our minds for a while. I think we'll make an action here soon.

[ScottHelme]

Thanks @terinjokes, that's great to hear.

If there are concerns of the performance impact of a redirect, you could look at simply issuing the HSTS header and/or preloading to start with. This ensures that only HSTS capable clients would be moved over to HTTPS initially and there are multiple opportunities for a particular client to pick this up. The 301 redirect could come at a later stage but I imagine HSTS would catch a large portion of HTTP traffic to start with.

[terinjokes]

@ScottHelme per above, that's what we're planning on doing. Short HSTS headers for a bit to find out what we broke, and still have time to address the issues, then if all goes well, add cloudflare.com to the HSTS preload list.

[terinjokes]

@JamesMGreene I understand the concern, it is part of the reason we haven't yet implemented this.

Can you implement ZeroClipboard leveraging other browser technologies? All modern browsers (the ones that would follow HSTS headers or preload lists) support execCommand('copy'), with the temporary exception of Safari (which is getting support in the next release).

[JamesMGreene]

@terinjokes: Generally speaking, yes, I just never have any free time anymore to get around to updating ZeroClipboard to utilize the HTML5 Clipboard. I feel like an absentee parent or something. :sob:

[drewfreyling]

@terinjokes any movement on this one yet?

[PeterDaveHello]

@drewfreyling since no any other CDN is doing this (force HTTPS) yet, so I'm a little bit afraid that there may be some concerns like old devices may have problem with it. I have no problem with HSTS however.

[konklone]

@drewfreyling since no any other CDN is doing this (force HTTPS) yet, so I'm a little bit afraid that there may be some concerns like old devices may have problem with it. I have no problem with HSTS however.

@PeterDaveHello That's not quite true - as of April 2016 there are a few (smaller) CDNs: https://github.com/konklone/cdns-to-https/issues/10#issuecomment-212696544

But the consensus on thread is to deploy HSTS and not to perform HTTP->HTTPS redirects. The one expressed concern relates to ZeroClipboard having issues due to its dependency on Flash even in modern browsers.

[PeterDaveHello]

@konklone, sorry, no offense, I know the info you provided, in the last comment, actually I mean the larger and older CDN services, the new services usually will not have tons of concerns, but for older and larger ones, there are so many, I think we may still need some time to discuss, confirm the detail, and then we can do the redirection, thank you very much for your comment!

[terinjokes]

Hey all.

We've been operating CDNJS with a short cache time (currently 5 minutes) for a bit now, without hearing about any issues. Unless that changes, our current plan is to increase HSTS to 6 months next week.

[thestinger]

Chromium HSTS preloading recently started requiring a max-age of at least 1 year (https://hstspreload.org/#submission-requirements).

[terinjokes]

@thestinger We'll cross that boat afterwards.

[lgarron]

Resolved? :-)

https://hstspreload.org/?domain=cdnjs.com

[konklone]

The relevant domain here is cdnjs.cloudflare.com, but I think that's covered as well now:

[tongrhj]

FWIW, Safari (desktop) users might be experiencing issues as a result of forcing the redirect to HTTPS.

To replicate, using Safari 11.1, load HTTP site with various <link> permutations:

This successfully loads the HTTPS resource:

<link rel="stylesheet" href="http://cdnjs.cloudflare.com/ajax/libs/foundation/6.4.3/css/foundation.min.css" >

These fail to load the HTTPS resource:

<link rel="stylesheet" href="http://cdnjs.cloudflare.com/ajax/libs/foundation/6.4.3/css/foundation.min.css" crossorigin="anonymous">

<link rel="stylesheet" href="http://cdnjs.cloudflare.com/ajax/libs/foundation/6.4.3/css/foundation.min.css" integrity="sha256-GSio8qamaXapM8Fq9JYdGNTvk/dgs+cMLgPeevOYEx0= sha384-wAweiGTn38CY2DSwAaEffed6iMeflc0FMiuptanbN4J+ib+342gKGpvYRWubPd/+ sha512-QHEb6jOC8SaGTmYmGU19u2FhIfeG+t/hSacIWPpDzOp5yygnthL3JwnilM7LM1dOAbJv62R+/FICfsrKUqv4Gg==">

<link rel="stylesheet" href="http://cdnjs.cloudflare.com/ajax/libs/foundation/6.4.3/css/foundation.min.css" integrity="sha256-GSio8qamaXapM8Fq9JYdGNTvk/dgs+cMLgPeevOYEx0= sha384-wAweiGTn38CY2DSwAaEffed6iMeflc0FMiuptanbN4J+ib+342gKGpvYRWubPd/+ sha512-QHEb6jOC8SaGTmYmGU19u2FhIfeG+t/hSacIWPpDzOp5yygnthL3JwnilM7LM1dOAbJv62R+/FICfsrKUqv4Gg==" crossorigin="anonymous">

Error Message:

Cross-origin redirection to https://cdnjs.cloudflare.com/ajax/libs/foundation/6.4.3/css/foundation.min.css denied by Cross-Origin Resource Sharing policy: Origin http://example-domain.com is not allowed by Access-Control-Allow-Origin.

[MattIPv4]

@PeterDaveHello Is there anything here that still needs to be followed up with Cf?

[MattIPv4]

@terinjokes @simon-says Thoughts on this?

[MattIPv4]

No further progress, closing.