
HSTS preload flaw

From: Rob Sayre <sayrer@gmail.com>
Date: Fri, 7 Feb 2020 17:03:18 -0800
Message-ID: <CAChr6Syfo-XpN0i4O0==G29KJ22oCvq+X_nbjgq8aAhtCR7BzA@mail.gmail.com>
To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Hi,

I reported a bug that found HSTS not present for .app, .dev and several
other TLDs in Safari on all operating systems, as well as Chrome, Firefox,
and Edge on iOS.

https://bugs.webkit.org/show_bug.cgi?id=202925 [perhaps still private]

Google made the issue public about a month ago without asking me:
https://bugs.chromium.org/p/chromium/issues/detail?id=1013612#c44

A commenter on the Chromium bug maintains that this issue is not a bug.
However, this issue was responsibly reported, and fixed in iOS 13.3 and
contemporaneous releases on other operating systems:

https://developer.apple.com/documentation/ios_ipados_release_notes/ios_ipados_13_3_release_notes

It wasn't exactly a clever exploit (I noticed a .app domain that shouldn't
have loaded over http), but perhaps there should be more careful monitoring
of HSTS preload lists. At least 600k domains were impacted.

thanks,
Rob
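The monitoring the post calls for can start with a coverage check against the preload list itself; this is an added example, not code from the post, and it assumes the entry shape used by Chromium's transport_security_state_static.json ("name", "policy", "mode", "include_subdomains"), with the entries below constructed as a small sample rather than taken from the real list.

```python
import json

# Constructed sample in the shape of Chromium's preload list (assumption:
# whole-TLD entries such as "app" and "dev" carry policy "public-suffix").
SAMPLE_PRELOAD_JSON = """
{
  "entries": [
    {"name": "app", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true},
    {"name": "dev", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true},
    {"name": "example.com", "policy": "custom", "mode": "force-https", "include_subdomains": false},
    {"name": "legacy.example.net", "policy": "custom", "mode": "force-https", "include_subdomains": true}
  ]
}
"""


def load_preload(text):
    """Index preload entries by lower-cased, dot-normalised name."""
    data = json.loads(text)
    return {e["name"].lower().rstrip("."): e for e in data["entries"]}


def preload_entry_for(host, index):
    """Return the entry that forces HTTPS for host, or None.

    Labels are walked from the full host towards the TLD. An exact match
    always applies; a parent entry applies only when it sets include_subdomains.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = index.get(".".join(labels[i:]))
        if entry is None or entry.get("mode") != "force-https":
            continue
        if i == 0 or entry.get("include_subdomains"):
            return entry
    return None


def uncovered_hosts(hosts, index):
    """Hosts the preload list alone would not upgrade to HTTPS."""
    return [h for h in hosts if preload_entry_for(h, index) is None]


def tld_dependent_hosts(hosts, index):
    """Hosts whose only preload coverage is a whole-TLD ("public-suffix") entry.

    These are the hosts hit when a client ships without the TLD-level entries,
    which is the class of failure described in the post.
    """
    out = []
    for h in hosts:
        entry = preload_entry_for(h, index)
        if entry is not None and entry.get("policy") == "public-suffix":
            out.append(h)
    return out
```

Feeding the real list and an inventory of your own hostnames into the same functions shows which of them have no explicit entry of their own and so depend entirely on the TLD-level rule.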
Received on Saturday, 8 February 2020 01:03:51 UTC
