Use HSTS for QNetworkAccessManager
Open, Normal, Public

Description

The HTTP Strict Transport Security (HSTS) header sent by a server tells the client to request that host only via HTTPS for a specified amount of time.

  • you access a website via TLS and get a valid certificate and an HSTS header in return; the HSTS header tells you for how long you should use only HTTPS
  • now you connect to a malicious network and request the website again; you get an unencrypted response
  • without HSTS you access this website unencrypted
  • with HSTS you detect the policy violation and can communicate that something fishy is going on

And it is quite easy to enable: if you are using QNetworkAccessManager, call enableStrictTransportSecurityStore and setStrictTransportSecurityEnabled.
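The store behaviour described in the list above, as an added example in plain C++ (not Qt's own code and not the implementation behind QNetworkAccessManager): a policy is learned only from a TLS-protected response, carries an expiry, and turns a later plain-HTTP request to a covered host into a detected violation instead of an unencrypted fetch. The clock value `now`, the header values and the host names are constructed for the example.

```cpp
#include <algorithm>
#include <cctype>
#include <map>
#include <sstream>
#include <string>
struct HstsPolicy {                 // one cached policy: use HTTPS for this host until `expires`
    long long expires = 0;          // seconds since epoch (constructed clock in this example)
    bool includeSubDomains = false;
};
// Parse a Strict-Transport-Security value, e.g. "max-age=31536000; includeSubDomains"; false without a valid max-age.
static bool parseHsts(const std::string& value, long long now, HstsPolicy& out) {
    out = HstsPolicy{};
    bool haveMaxAge = false;
    std::stringstream ss(value);
    for (std::string d; std::getline(ss, d, ';');) {
        d.erase(0, d.find_first_not_of(" \t"));            // drop leading blanks
        std::transform(d.begin(), d.end(), d.begin(), ::tolower);
        if (d.rfind("max-age=", 0) == 0) {
            std::string secs = d.substr(8);
            if (secs.empty() || !std::all_of(secs.begin(), secs.end(), ::isdigit)) return false;
            out.expires = now + std::stoll(secs);
            haveMaxAge = true;
        } else if (d == "includesubdomains") {
            out.includeSubDomains = true;
        }
    }
    return haveMaxAge;
}
// Client-side store: host -> policy, learned only from TLS-protected responses.
struct HstsStore {
    std::map<std::string, HstsPolicy> policies;
    // A header seen over plain HTTP is ignored; max-age=0 deletes the host's policy.
    void update(const std::string& host, const std::string& header, long long now, bool overTls) {
        HstsPolicy p;
        if (!overTls || !parseHsts(header, now, p)) return;
        if (p.expires <= now) policies.erase(host); else policies[host] = p;
    }
    // True when an unexpired policy covers `host` directly or through a parent domain
    // with includeSubDomains: a plain-HTTP request to it is then a policy violation.
    bool mustUseHttps(std::string host, long long now) const {
        for (bool exact = true;; exact = false) {
            auto it = policies.find(host);
            if (it != policies.end() && it->second.expires > now && (exact || it->second.includeSubDomains)) return true;
            auto dot = host.find('.');
            if (dot == std::string::npos) return false;
            host.erase(0, dot + 1);                            // walk up to the parent domain
        }
    }
};
```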

If the HSTS store is used, then fingerprinting across applications is in principle possible (privacy issue). That's why my recommendation would be: enabling HSTS is a no-brainer, but think twice whether the privacy issues may be valid in your use case. If you want to enable the HSTS store, you have to enable it before enabling HSTS checking in code.

It looks like only QtWebKit is using this feature at the moment. Here is the search over all source packages in Debian:
https://codesearch.debian.net/search?q=setStrictTransportSecurityEnabled&perpkg=1

knauss created this task. Mar 25 2019, 6:30 PM
knauss moved this task from incoming to Communication on the KDE Privacy Goal board.
knauss triaged this task as Normal priority.
