Cisco Bug: CSCur11214 - Implement HTTP Strict Transport Security (HSTS) on CRES

Last Modified

Dec 15, 2019

Products (1)

  • Cisco Registered Envelope Service

Known Affected Releases

4.2.0-381

Description (partial)

Symptom:
Users who bookmark http://res.cisco.com (note http, not https) or simply type "res.cisco.com" into the browser's address bar are exposed to a man-in-the-middle attack: the browser's first request goes out as plaintext HTTP, and an attacker on the path can answer it, or rewrite the redirect, before the user ever reaches the HTTPS site. That possibility cannot be removed entirely, since the very first visit from a browser that has never seen the site is still plaintext, but it can be greatly reduced by implementing HTTP Strict Transport Security (HSTS, defined in RFC 6797) on CRES: once a browser has received the Strict-Transport-Security header over HTTPS, it rewrites later http:// requests for that host to https:// locally, before anything is sent over the network.

Conditions:
Access CRES using an http:// URL. CRES redirects the user to an https:// URL for the rest of the session, but that initial plaintext request and the redirect response that answers it are open to a MitM attack.
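The following is an added illustration, not Cisco's code and not taken from the bug report: a minimal model of a front end like the one described (plain http redirected to https, optionally with HSTS on the https response) and of the part of a browser that remembers HSTS hosts. It shows what the redirect alone leaves open and what the header changes. The host name res.cisco.com is the one named in the bug; the one-year max-age, the includeSubDomains directive and the function names are assumptions made for the example.

```python
"""Added example (not Cisco's code): why an http->https redirect alone leaves every
visit's first request in plaintext, and how an HSTS policy learned over HTTPS makes
the browser rewrite later http:// requests before they reach the network."""
import time
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

HOST = "res.cisco.com"          # host named in the bug report
ONE_YEAR = 31536000             # assumed max-age for the example policy


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split a Strict-Transport-Security value into directives (RFC 6797 section 6.1).
    Names are case-insensitive; a repeated directive or a missing/non-numeric
    max-age makes the header invalid, which a UA must then ignore."""
    out: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, eq, val = part.partition("=")
        name = name.strip().lower()
        if name in out:
            raise ValueError(f"duplicate directive {name!r}")
        out[name] = val.strip().strip('"') if eq else None
    if not (out.get("max-age") or "").isdigit():
        raise ValueError("max-age directive missing or not a number")
    return out


def serve(scheme: str, path: str, hsts: bool) -> Tuple[int, Dict[str, str]]:
    """Model of the CRES front end. Plain http is redirected to https in both
    configurations; with hsts=True the https response also carries the policy.
    The header is deliberately not sent on the http response, since UAs ignore
    it over non-secure transport (RFC 6797 section 7.2 / 8.1)."""
    if scheme == "http":
        return 301, {"Location": f"https://{HOST}{path}"}
    headers = {"Content-Type": "text/html"}
    if hsts:
        headers["Strict-Transport-Security"] = f"max-age={ONE_YEAR}; includeSubDomains"
    return 200, headers


class Browser:
    """Just enough of a UA's HSTS cache to show its effect on the next http:// request."""

    def __init__(self) -> None:
        self.known: Dict[str, Tuple[float, bool]] = {}   # host -> (expiry, includeSubDomains)

    def fetch(self, url: str, hsts_enabled: bool) -> List[Tuple[str, int]]:
        """Return the (scheme, status) hops the browser actually performs for url."""
        hops: List[Tuple[str, int]] = []
        parts = urlsplit(url)
        scheme, host, path = parts.scheme, parts.hostname or "", parts.path or "/"
        if scheme == "http" and self._covered(host):
            scheme = "https"    # RFC 6797 section 8.3: rewrite before any bytes leave the box
        for _ in range(3):      # bounded redirect chase
            status, headers = serve(scheme, path, hsts_enabled)
            hops.append((scheme, status))
            if scheme == "https" and "Strict-Transport-Security" in headers:
                self._learn(host, headers["Strict-Transport-Security"])
            if status in (301, 302, 307, 308):
                parts = urlsplit(headers["Location"])
                scheme, host, path = parts.scheme, parts.hostname or "", parts.path or "/"
                continue
            break
        return hops

    def _learn(self, host: str, value: str) -> None:
        try:
            d = parse_hsts(value)
        except ValueError:
            return              # invalid header: ignored, no policy change
        age = int(d["max-age"] or "0")
        if age == 0:
            self.known.pop(host, None)   # max-age=0 withdraws the policy
        else:
            self.known[host] = (time.time() + age, "includesubdomains" in d)

    def _covered(self, host: str) -> bool:
        now = time.time()
        for known_host, (expiry, include_sub) in self.known.items():
            if expiry <= now:
                continue
            if host == known_host or (include_sub and host.endswith("." + known_host)):
                return True
        return False


if __name__ == "__main__":
    for enabled in (False, True):
        b = Browser()
        print("hsts", enabled, "1st visit:", b.fetch("http://res.cisco.com/", enabled))
        print("hsts", enabled, "2nd visit:", b.fetch("http://res.cisco.com/", enabled))
```

Without HSTS every visit starts with a plaintext hop followed by the redirect; with HSTS only the very first visit does, and from then on the browser goes straight to https, including for subdomains when includeSubDomains is set. That first visit is the residual risk the report mentions. To check a live host, request its https front page with a client that shows response headers and confirm a Strict-Transport-Security line with a non-zero max-age is present on the https response and absent on the http redirect.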