Cisco Bug: CSCur11214 - Implement HTTP Strict Transport Security (HSTS) on CRES
Dec 15, 2019
- Cisco Registered Envelope Service
Known Affected Releases
Symptom: Users who bookmark http://res.cisco.com (note http, not https) or simply type "res.cisco.com" into the browser's URL bar are susceptible to a man-in-the-middle attack. That possibility cannot be removed entirely, but the chance of it happening can be greatly reduced by implementing HTTP Strict Transport Security (HSTS, defined in RFC 6797) on CRES. Conditions: Access CRES using an http URL. CRES redirects the user to an https URL for the rest of the session, but that initial plaintext request leaves the user open to a MitM attack.
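The mechanism the bug asks for can be shown in a few dozen lines. The following is an added example, not Cisco's or CRES's code: it models a server that answers plain-HTTP hits with a redirect and adds a Strict-Transport-Security header only on HTTPS responses, and a minimal browser-side HSTS policy cache that rewrites http:// URLs to https:// before any request leaves the client. The hostname res.cisco.com comes from the bug report; the header value (one year, includeSubDomains), the fake clock and the simulated visits are assumptions made for the demonstration. It goes slightly beyond the report by also handling the RFC 6797 details a practitioner usually trips over: ignoring the header over plain HTTP, clearing a policy with max-age=0, subdomain coverage, expiry, and explicit-port rewriting.

```python
"""Added example (not Cisco's code): how HSTS closes the initial plain-HTTP window."""
import re
import time
from urllib.parse import urlsplit, urlunsplit

# RFC 6797 6.1.1: max-age is the only mandatory directive; its value may be quoted.
_MAX_AGE_RE = re.compile(r"max-age\s*=\s*\"?(\d+)\"?", re.IGNORECASE)
HSTS_HEADER = "max-age=31536000; includeSubDomains"  # assumed server policy: one year


def parse_hsts(header):
    """Return (max_age_seconds, include_subdomains), or None if the header is unusable."""
    if not header:
        return None
    m = _MAX_AGE_RE.search(header)
    if m is None:
        return None  # no max-age: RFC 6797 says the header must be ignored
    directives = [d.strip().lower() for d in header.split(";")]
    return int(m.group(1)), "includesubdomains" in directives


class HstsCache:
    """Tiny model of a browser's HSTS known-host store."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock, for expiry tests
        self._policies = {}             # host -> (expiry_timestamp, include_subdomains)

    def record(self, host, scheme, header):
        """Store the policy from a response; returns True if a policy was applied."""
        if scheme != "https":
            return False                # RFC 6797 8.1: only honoured over a secure transport
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        max_age, subs = parsed
        if max_age == 0:
            self._policies.pop(host.lower(), None)   # max-age=0 tells the client to forget
            return True
        self._policies[host.lower()] = (self._now() + max_age, subs)
        return True

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has an unexpired policy."""
        now = self._now()
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            expiry, subs = policy
            if expiry <= now:
                del self._policies[candidate]       # lazily purge expired entries
                continue
            if i == 0 or subs:                      # exact match, or a covering parent
                return True
        return False

    def upgrade(self, url):
        """RFC 6797 8.3: rewrite http -> https (port 80 -> 443, other ports unchanged)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def server_response(scheme, host, path):
    """Model of the server side: redirect on plain HTTP, HSTS header only on HTTPS."""
    if scheme == "http":
        return {"status": 301, "headers": {"Location": f"https://{host}{path}"}}
    return {"status": 200, "headers": {"Strict-Transport-Security": HSTS_HEADER}}


def simulate_visit(cache, url):
    """Return the list of (scheme, host) requests that actually leave the browser."""
    url = cache.upgrade(url)            # HSTS rewrite happens before any network I/O
    requests = []
    while True:
        parts = urlsplit(url)
        requests.append((parts.scheme, parts.hostname))
        resp = server_response(parts.scheme, parts.hostname, parts.path or "/")
        if resp["status"] == 301:
            url = resp["headers"]["Location"]
            continue
        cache.record(parts.hostname, parts.scheme, resp["headers"].get("Strict-Transport-Security"))
        return requests


if __name__ == "__main__":
    cache = HstsCache()
    print("first visit :", simulate_visit(cache, "http://res.cisco.com/"))   # plaintext hop present
    print("second visit:", simulate_visit(cache, "http://res.cisco.com/"))   # upgraded, no plaintext hop
```

The first simulated visit still contains the plaintext request the bug describes: HSTS cannot protect a client that has never seen the policy, which is why the report says the possibility "can't be completely removed" (browser preload lists, not modelled here, address that gap). Every later visit within max-age is upgraded inside the client, so the bookmark and the bare hostname never produce a plain-HTTP request.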