Description
Current Behavior
crates.io does serve the Strict-Transport-Security header, with the value set to max-age=31536000
This means that connections to "crates.io" will almost always (except the first-ever connection) go over HTTPS, but connections to "www.crates.io" or any other subdomains will first issue an HTTP request, and the server will then reply with a 301 redirection to HTTPS. Crucially, the redirection occurs over unauthenticated HTTP.
A man in the middle can hijack such a connection by dropping the redirection packet from the server, which would keep the client on unencrypted HTTP. This allows the attacker to read or alter any data in transit. This attack is known as SSLstrip.
In the case of crates.io this attack can be escalated into a remote code execution on the client as follows:
- Eve uploads functionally identical versions of popular crates, but with malware added to build.rs, under names similar to the original names of the crates.
- Eve tricks Alice into visiting www.crates.io, an entirely legitimate domain name.
- Eve executes an SSLstrip attack on Alice and replaces any legitimate crates with their malicious counterparts in the search results on the wire.
This way, if Alice decides to add the crate to her Cargo.toml, such as rustoctal = "0.11.0" (a decoy for the hypothetical legitimate rust_octal crate), the malicious crate will be downloaded and the malware in build.rs will be executed when the code is compiled.
Expected Behavior
The Strict-Transport-Security header should also contain the includeSubDomains directive, which instructs the web browser to always connect to crates.io and all subdomains over HTTPS only, preventing man-in-the-middle attacks.
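The following is an added example, not code from the issue or from the crates.io project. It models how a browser applies a cached Strict-Transport-Security policy (RFC 6797) and audits the two header values discussed here: the current one and the one with includeSubDomains. The header strings and the host list (www.crates.io from the issue plus the constructed look-alike notcrates.io) are constructed inputs; the function names are the example's own.

```python
"""Audit an HSTS header value for subdomain coverage (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value.

    Returns None when the value is invalid (RFC 6797 requires max-age);
    a browser ignores such a header, so it grants no protection at all.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def upgrades_request(policy_host: str, policy: HstsPolicy, request_host: str) -> bool:
    """Would a policy cached for policy_host force HTTPS for request_host?

    max-age=0 tells the browser to forget the host. Without includeSubDomains
    only the exact host is covered; with it, every label under policy_host is.
    The dot prefix in the suffix test keeps "notcrates.io" from matching
    "crates.io".
    """
    if policy.max_age == 0:
        return False
    policy_host = policy_host.lower().rstrip(".")
    request_host = request_host.lower().rstrip(".")
    if request_host == policy_host:
        return True
    return policy.include_subdomains and request_host.endswith("." + policy_host)


def audit(policy_host: str, header_value: str, hosts: List[str]) -> List[str]:
    """Return the hosts whose first request would still go out over plain HTTP,
    i.e. the hosts on which the SSLstrip scenario remains possible."""
    policy = parse_hsts(header_value)
    if policy is None:
        return list(hosts)
    return [h for h in hosts if not upgrades_request(policy_host, policy, h)]


# Constructed inputs: the header value reported in the issue, and the fix.
CURRENT_HEADER = "max-age=31536000"
FIXED_HEADER = "max-age=31536000; includeSubDomains"
# www.crates.io is the host from the issue; notcrates.io is a constructed
# look-alike that must never be treated as a subdomain of crates.io.
HOSTS = ["crates.io", "www.crates.io", "notcrates.io"]

if __name__ == "__main__":
    for label, value in (("current", CURRENT_HEADER), ("fixed", FIXED_HEADER)):
        print(f"{label}: hosts still reachable over plain HTTP = "
              f"{audit('crates.io', value, HOSTS)}")
```

Note that a browser only records the policy when the header arrives over an authenticated HTTPS response, so a policy set on https://crates.io can only ever be learned after at least one direct HTTPS visit to crates.io itself; the preload list exists to cover even that first visit.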
Steps To Reproduce
Running curl -vv --location http://www.crates.io shows the redirect chain and the HTTP headers.
Environment
No response
Anything else?
This issue has been reported to the Security Response WG in February 2021, but has not been acted upon to this day.