
HSTS preload flaw

From: Rob Sayre <sayrer@gmail.com>
Date: Fri, 7 Feb 2020 17:03:18 -0800
Message-ID: <CAChr6Syfo-XpN0i4O0==G29KJ22oCvq+X_nbjgq8aAhtCR7BzA@mail.gmail.com>
To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

I reported a bug that found HSTS not present for .app, .dev and several
other TLDs in Safari on all operating systems, as well as Chrome, Firefox,
and Edge on iOS.

https://bugs.webkit.org/show_bug.cgi?id=202925 [perhaps still private]

Google made the issue public about a month ago without asking me:

A commenter on the Chromium bug maintains that this issue is not a bug.
However, this issue was responsibly reported, and fixed in iOS 13.3 and
contemporaneous releases on other operating systems:


It wasn't exactly a clever exploit (I noticed a .app domain that shouldn't
have loaded over http), but perhaps there should be more careful monitoring
of HSTS preload lists. At least 600k domains were impacted.
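As an added illustration (not part of the message above), this is the host-to-entry lookup a browser performs against a preload list, plus the monitoring check the message asks for: whether the TLD-level entries for .app and .dev are present and cover subdomains. The JSON shape is an assumed, simplified version of Chromium's transport_security_state_static.json, and the sample entries are constructed.

```python
import json

# Constructed sample in the assumed (simplified) shape of Chromium's
# transport_security_state_static.json: only the fields the lookup needs.
SAMPLE_PRELOAD_JSON = """
{
  "entries": [
    {"name": "app", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true},
    {"name": "dev", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true},
    {"name": "example.org", "mode": "force-https", "include_subdomains": false}
  ]
}
"""


def load_preload(text):
    """Index force-https entries: name -> include_subdomains flag."""
    data = json.loads(text)
    return {e["name"].lower(): bool(e.get("include_subdomains", False))
            for e in data["entries"] if e.get("mode") == "force-https"}


def is_preloaded(host, index):
    """Return True if an http:// request to host must be upgraded to HTTPS.

    Walk from the full host up to the TLD. An exact entry always matches;
    a parent entry (including a bare TLD such as "app") matches only when
    it sets include_subdomains. An entry that does not cover subdomains
    is skipped and the walk continues upward.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in index and (i == 0 or index[suffix]):
            return True
    return False


def missing_tlds(index, expected=("app", "dev")):
    """Monitoring check: expected TLD entries that are absent or that do not
    cover subdomains (either state means names under that TLD load over http)."""
    return [tld for tld in expected if not index.get(tld, False)]


if __name__ == "__main__":
    idx = load_preload(SAMPLE_PRELOAD_JSON)
    print(is_preloaded("something.app", idx), missing_tlds(idx))
```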

Received on Saturday, 8 February 2020 01:03:51 UTC
