- From: Austin Wright <aaa@bzfx.net>
- Date: Sun, 9 Feb 2020 01:05:49 -0700
- To: Rob Sayre <sayrer@gmail.com>
- Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
- Message-Id: <A0F7BEB8-C236-429B-94F7-C2F748FDD70C@bzfx.net>
I don’t think you can call this a bug. As far as I know, this behavior is not standardized as any part of HTTP, but is described and centrally managed by the Chromium project. That is, it’s a feature of Google Chrome and nobody else is under any obligation to implement it.

And even if it was, I don’t really see how you can say “At least 600k domains were impacted”. What would an attack look like? You have to have a user-agent willing to send a sensitive payload in plaintext, and a server with port 80 open to receive it.

Austin Wright

> On Feb 7, 2020, at 18:03, Rob Sayre <sayrer@gmail.com> wrote:
>
> Hi,
>
> I reported a bug that found HSTS not present for .app, .dev and several other TLDs in Safari on all operating systems, as well as Chrome, Firefox, and Edge on iOS.
>
> https://bugs.webkit.org/show_bug.cgi?id=202925 [perhaps still private]
>
> Google made the issue public about a month ago without asking me:
> https://bugs.chromium.org/p/chromium/issues/detail?id=1013612#c44
>
> A commenter on the Chromium bug maintains that this issue is not a bug. However, this issue was responsibly reported, and fixed in iOS 13.3 and contemporaneous releases on other operating systems:
>
> https://developer.apple.com/documentation/ios_ipados_release_notes/ios_ipados_13_3_release_notes
>
> It wasn't exactly a clever exploit (I noticed a .app domain that shouldn't have loaded over http), but perhaps there should be more careful monitoring of HSTS preload lists. At least 600k domains were impacted.
>
> thanks,
> Rob
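The disagreement above turns on how a preload list covers whole TLDs such as .app and .dev: a single entry with include_subdomains applies to every registration under it, so a client that does not consult the list can load any of those domains over plaintext. The following is an added example, not code from this thread, from Chromium or from any browser; it assumes the entry shape of Chromium's static preload list (name / mode / include_subdomains) and uses constructed sample entries rather than the real list. It walks a hostname's parent suffixes the way the list is meant to be evaluated, and then applies that to a set of observed loads to flag the kind of monitoring signal Rob describes (a host the list forces to HTTPS that was nonetheless fetched over http).

```python
"""Evaluate HSTS preload coverage for hostnames and flag plaintext loads.

Added example for the thread above; not code from the mailing list, Chromium,
or any browser. Assumption: entries follow the shape of Chromium's
transport_security_state_static.json (name, mode, include_subdomains).
"""
from __future__ import annotations

from typing import Iterable

# Constructed sample entries (assumption: same shape as Chromium's list, where a
# TLD like "app" is a single entry with include_subdomains set).
SAMPLE_PRELOAD = [
    {"name": "app", "mode": "force-https", "include_subdomains": True},
    {"name": "dev", "mode": "force-https", "include_subdomains": True},
    {"name": "example.com", "mode": "force-https", "include_subdomains": False},
    # Entry without a force-https mode: present in the list but does not upgrade.
    {"name": "pins-only.test", "include_subdomains": True},
]


def build_index(entries: Iterable[dict]) -> dict[str, dict]:
    """Index entries by normalised name for O(1) suffix lookups."""
    return {e["name"].lower().rstrip("."): e for e in entries}


def preload_match(host: str, index: dict[str, dict]) -> dict | None:
    """Return the preload entry that applies to `host`, or None.

    An exact match always applies. A parent-domain entry applies only when it
    has include_subdomains, which is how one "app" entry covers every .app
    registration. A parent without include_subdomains is skipped and the walk
    continues upward, since a higher suffix may still match.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = index.get(candidate)
        if entry is None:
            continue
        if i == 0 or entry.get("include_subdomains", False):
            return entry
    return None


def forces_https(host: str, index: dict[str, dict]) -> bool:
    """True if the list requires this host to be fetched only over HTTPS."""
    entry = preload_match(host, index)
    return entry is not None and entry.get("mode") == "force-https"


def audit(hosts: Iterable[str], index: dict[str, dict]) -> list[str]:
    """Hosts in `hosts` that the preload list says must never load over http."""
    return [h for h in hosts if forces_https(h, index)]


def flag_plaintext_loads(observed: Iterable[tuple[str, str]],
                         index: dict[str, dict]) -> list[str]:
    """Given observed (host, scheme) loads, return hosts fetched over http
    despite being preloaded. A hit means the client that produced the
    observation is not enforcing the preload list for that host."""
    return [h for h, scheme in observed
            if scheme.lower() == "http" and forces_https(h, index)]


if __name__ == "__main__":
    idx = build_index(SAMPLE_PRELOAD)
    # Constructed observations standing in for a client's request log.
    observed = [("site.app", "http"), ("site.app", "https"),
                ("deep.sub.dev", "http"), ("example.org", "http")]
    print("preloaded:", audit([h for h, _ in observed], idx))
    print("plaintext loads of preloaded hosts:", flag_plaintext_loads(observed, idx))
```

The walk mirrors the intended semantics rather than a simple substring test: `www.example.com` is not covered by a non-include_subdomains `example.com` entry, while anything under `app` is covered by the TLD entry alone. Run the same check against a client's request log to detect the condition described in the thread without needing to know the affected domains in advance.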
Received on Sunday, 9 February 2020 08:06:33 UTC