Re: HSTS preload flaw

On Sun, Feb 9, 2020 at 10:28 PM Austin William Wright <aaa@bzfx.net> wrote:

>
> It seems to me if an attacker can get a victim to compose a sensitive
> request, but direct that request to an attacker-controlled scheme and port,
> why not an attacker-controlled host too, or any host not on an HSTS Preload
> list?
>

That's a fair question. Intercepting a single unencrypted innocuous request
is a viable way to get the victim to compose requests to
attacker-controlled servers over TLS. These hosts might not be legitimate,
but users won't always notice a discrepancy in domain names. Here is a toy
attack:

Serve a search engine UI, but pop up an "Accept Cookies" UI that is
seemingly intended to comply with privacy regulations. In response to a
click on any choice presented, redirect to an attacker-controlled domain
(that might be served over TLS, with a misleading domain name).

thanks,
Rob

Received on Monday, 10 February 2020 06:58:23 UTC