
Re: HSTS preload flaw

From: Austin Wright <aaa@bzfx.net>
Date: Sun, 9 Feb 2020 01:05:49 -0700
Message-Id: <A0F7BEB8-C236-429B-94F7-C2F748FDD70C@bzfx.net>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
To: Rob Sayre <sayrer@gmail.com>
I don’t think you can call this a bug. As far as I know, this behavior is not standardized as any part of HTTP, but is described and centrally managed by Chromium project. That is, it’s a feature of Google Chrome and nobody else is under any obligation to implement it.

And even if it was, I don’t really see how you can say “At least 600k domains were impacted”. What would an attack look like? You have to have a user-agent willing to send a sensitive payload in plaintext, and a server with port 80 open to receive it.

Austin Wright.

> On Feb 7, 2020, at 18:03, Rob Sayre <sayrer@gmail.com> wrote:
> Hi,
> I reported a bug that found HSTS not present for .app, .dev and several other TLDs in Safari on all operating systems, as well as Chrome, Firefox, and Edge on iOS.
> https://bugs.webkit.org/show_bug.cgi?id=202925 [perhaps still private]
> Google made the issue public about a month ago without asking me:
> https://bugs.chromium.org/p/chromium/issues/detail?id=1013612#c44
> A commenter on the Chromium bug maintains that this issue is not a bug. However, this issue was responsibly reported, and fixed in iOS 13.3 and contemporaneous releases on other operating systems:
> https://developer.apple.com/documentation/ios_ipados_release_notes/ios_ipados_13_3_release_notes
> It wasn't exactly a clever exploit (I noticed a .app domain that shouldn't have loaded over http), but perhaps there should be more careful monitoring of HSTS preload lists. At least 600k domains were impacted.
> thanks,
> Rob
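The exchange above turns on what a user agent does with a TLD-level preload entry such as .app or .dev: if the entry is present and marked include_subdomains, every host under that TLD is upgraded to HTTPS before the first request is sent; if it is absent from a particular browser's copy of the list, the first request goes out over plain HTTP on port 80 until the site's own Strict-Transport-Security header has been seen. The following is an added example, not code from either author or from any browser project. It models the lookup a client performs and a defender-side check for TLDs missing from a given copy of the list. The entry fields are modelled on Chromium's preload-list JSON (name, include_subdomains, mode), and the entries themselves are constructed for the demonstration rather than copied from the real list.

```python
"""Model of an HSTS preload lookup and a coverage check for TLD entries.

Added example; the entry layout is an assumption modelled on Chromium's
transport_security_state_static.json, and SAMPLE_PRELOAD is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PreloadEntry:
    name: str                  # hostname or bare TLD, e.g. "app"
    include_subdomains: bool   # True: every name below `name` is covered
    mode: str = "force-https"  # only force-https entries upgrade requests


# Constructed sample: two TLD-level entries plus one ordinary host entry
# that does NOT cover its subdomains.
SAMPLE_PRELOAD = [
    PreloadEntry("app", True),
    PreloadEntry("dev", True),
    PreloadEntry("example.com", False),
]


def build_index(entries):
    """Index force-https entries by lowercase name for O(1) lookups."""
    return {e.name.lower(): e for e in entries if e.mode == "force-https"}


def preloaded(host, index):
    """Return the entry that covers `host`, or None.

    Walks from the full hostname up to the bare TLD. An exact match always
    applies; a parent entry applies only if include_subdomains is set.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = index.get(candidate)
        if entry is None:
            continue
        if i == 0 or entry.include_subdomains:
            return entry
    return None


def request_scheme(host, index):
    """Scheme a client would use for its very first request to `host`,
    before any Strict-Transport-Security header has been observed."""
    return "https" if preloaded(host, index) else "http"


def uncovered_tlds(expected_tlds, index):
    """Defender check: TLDs that should force HTTPS for every subdomain but
    are absent from this copy of the list (or present without
    include_subdomains), i.e. where a first request would be plaintext."""
    missing = []
    for tld in expected_tlds:
        entry = index.get(tld.lower())
        if entry is None or not entry.include_subdomains:
            missing.append(tld)
    return missing


if __name__ == "__main__":
    index = build_index(SAMPLE_PRELOAD)
    for host in ("login.site.app", "site.dev", "example.com", "www.example.com"):
        print(f"{host:20} -> {request_scheme(host, index)}")
    print("uncovered:", uncovered_tlds(["app", "dev", "page"], index))
```

Running uncovered_tlds against the preload data actually shipped in a given browser build (rather than the constructed sample) is the kind of monitoring the reported issue calls for: a TLD that the registry operator expects to be force-HTTPS but that is missing from one client's copy shows up immediately, without waiting for someone to notice a page loading over http.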

Received on Sunday, 9 February 2020 08:06:33 UTC

This archive was generated by hypermail 2.4.0 : Sunday, 9 February 2020 08:06:34 UTC