Starred by 13 users
Status: Archived
Closed: Nov 2015
Pri: 2
HSTS pins and HSTS metadata stored even when cookies are rejected
Reported by rsleevi@chromium.org (Project Member), Jul 9 2013
It appears that Chrome will store HSTS (Strict Transport Security) pins for third-party domains when in "block third party cookies and site data" mode, in addition to other scenarios where cookies will be rejected such as "block any sites from storing data" or blocking a specific site from storing data. In contrast, private browsing does delete HSTS pins on exit and deleting all site data for a domain will clear them.

The ability to set HSTS pins could potentially be used for tracking through the use of subdomains: a site can set up N subdomains https://1.example.com, https://2.example.com, etc. and then direct a user to a unique subset of these domains which will set HSTS pins with includeSubdomains set. The site can then direct users to load resources from http://test.x.example.com for x in [1, N] and the loads will fail for domains which had HSTS pins set, recovering a unique fingerprint from a set of 2^N possibilities...
 
Cc: palmer@chromium.org
Status: Untriaged
Flipping back to Untriaged.

On the one hand, we could look at tracking this through the privacy mode setting that mef@ added.
On the other hand, noting HSTS pins for such opportunistic connections can improve discoverability of pins.

However, unlike other aspects of privacy mode (such as SSL session cache shards), which are limited to the browser session, pins are persisted in the profile, and thus may serve as a more stable identifier.

While the idea of setting up '1.example.com' and '2.example.com' (and so forth) may sound convoluted, it's entirely possible to do with name-constrained subordinate CA certificates, which may be seeing greater adoption due to changes in Mozilla's CA policy.
Comment 2 by vabr@chromium.org, Jul 10 2013
Labels: -Privacy Cr-Privacy
Comment 3 by palmer@chromium.org, Jul 10 2013
Cc: cevans@chromium.org jcb@google.com
I have a hard time believing that the implicit-tracking threat model is solvable. I suppose we can whack a few moles here and there, and this one might be relatively easy to whack, but...
Comment 4 by jcb@google.com, Jul 10 2013
I agree with palmer that this problem is an arms race and there are lots of other tracking means out there, but I think it's important to keep working at it. I think a policy of "only remember persistent HSTS pins for a domain if cookies will also be persisted" is very sensible and should be reasonable to implement.

Also I don't think you really need a name-constrained CA to do this attack as sleevi suggests. It's feasible to get 32 subdomain CAs issued from Startcom or another low-cost/no-cost CA and that's all you need; there's no requirement to issue new ones on demand.
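As an added illustration (not Chromium's code) of the policy proposed in Comment 4 and of the subdomain probe from the report, the model below keeps HSTS state learned while site data would be rejected (privacy mode) in the session only and never persists it, so a restart leaves nothing for the probe to read back. Class, function and host names are hypothetical.

```cpp
// Hypothetical model of a transport-security store (not Chromium's
// TransportSecurityState): entries observed in privacy mode live only
// for the session and are dropped on restart.
#include <map>
#include <set>
#include <string>
#include <vector>

struct StsEntry { bool include_subdomains; };

class TransportSecurityModel {
 public:
  // Record a Strict-Transport-Security observation for `host`.
  // `privacy_mode` is true when cookies/site data for this request
  // would be blocked, so the entry must not outlive the session.
  void AddHSTS(const std::string& host, bool include_subdomains,
               bool privacy_mode) {
    StsEntry e{include_subdomains};
    session_[host] = e;
    if (!privacy_mode) persisted_[host] = e;
  }
  // Only the persisted map survives a browser restart.
  void Restart() { session_ = persisted_; }
  // Should an http:// load of `host` be upgraded to https://? Walks up
  // the parent domains, honouring includeSubdomains like an HSTS lookup.
  bool ShouldUpgrade(const std::string& host) const {
    std::string h = host;
    bool exact = true;
    while (true) {
      auto it = session_.find(h);
      if (it != session_.end() && (exact || it->second.include_subdomains))
        return true;
      auto dot = h.find('.');
      if (dot == std::string::npos) return false;
      h = h.substr(dot + 1);
      exact = false;
    }
  }
 private:
  std::map<std::string, StsEntry> session_, persisted_;
};

// Defender-side check: set pins on the constructed subdomains in `visited`,
// restart, then read back the N probe bits. With privacy_mode the pattern
// comes back all-zero, i.e. no persistent identifier was stored.
std::vector<bool> ProbeAfterRestart(const std::set<int>& visited, int n,
                                    bool privacy_mode) {
  TransportSecurityModel store;
  for (int i : visited)
    store.AddHSTS(std::to_string(i) + ".example.com", true, privacy_mode);
  store.Restart();
  std::vector<bool> bits;
  for (int i = 1; i <= n; ++i)
    bits.push_back(store.ShouldUpgrade("test." + std::to_string(i) + ".example.com"));
  return bits;
}
```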
Comment 5 by mef@chromium.org, Jul 11 2013
I agree and I'll be happy to implement this.
Comment 6 by palmer@chromium.org, Jul 11 2013
mef: Want to assign it to yourself then? I'll review your CLs if you like.
Comment 7 by mef@chromium.org, Jul 11 2013
Status: Assigned
Sure. Assigning to myself.
Comment 8 by mef@chromium.org, Jul 15 2013
Owner: mef@chromium.org
Actually assigning to myself.
Comment 9 by palmer@chromium.org, Jul 16 2013
Summary: HSTS pins and HSTS metadata stored even when cookies are rejected (was: HSTS pins stored even when cookies are rejected)
I think the bug applies to HSTS as well as to HPKP. See e.g. https://trac.torproject.org/projects/tor/ticket/6458

I'm sorry, I didn't realize this bug wasn't written in such a way as to make that clear.
Comment 10 by mef@chromium.org, Jul 16 2013
Status: Started
Project Member Comment 11 by bugdroid1@chromium.org, Sep 20 2013
------------------------------------------------------------------------
r224269 | mef@chromium.org | 2013-09-20T03:33:39.781551Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/url_request/url_request_http_job.cc?r1=224269&r2=224268&pathrev=224269
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/http/http_security_headers_unittest.cc?r1=224269&r2=224268&pathrev=224269
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/net/transport_security_persister_unittest.cc?r1=224269&r2=224268&pathrev=224269
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/url_request/url_request_test_util.h?r1=224269&r2=224268&pathrev=224269
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/url_request/url_request_unittest.cc?r1=224269&r2=224268&pathrev=224269
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/url_request/url_request.cc?r1=224269&r2=224268&pathrev=224269
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/websockets/websocket_job.cc?r1=224269&r2=224268&pathrev=224269
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/websockets/websocket_job.h?r1=224269&r2=224268&pathrev=224269
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/renderer_host/chrome_resource_dispatcher_host_delegate.cc?r1=224269&r2=224268&pathrev=224269
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/socket_stream/socket_stream_job.cc?r1=224269&r2=224268&pathrev=224269
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_unittest.cc?r1=224269&r2=224268&pathrev=224269
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state.cc?r1=224269&r2=224268&pathrev=224269
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome_frame/test/net/fake_external_tab.cc?r1=224269&r2=224268&pathrev=224269
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state.h?r1=224269&r2=224268&pathrev=224269
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/socket_stream/socket_stream.cc?r1=224269&r2=224268&pathrev=224269
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/socket_stream/socket_stream.h?r1=224269&r2=224268&pathrev=224269
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/webui/net_internals/net_internals_ui.cc?r1=224269&r2=224268&pathrev=224269

Don't persist HPKP if PrivacyMode is enabled.

BUG= 258667 

Review URL: https://chromiumcodereview.appspot.com/19269012
------------------------------------------------------------------------
Project Member Comment 12 by bugdroid1@chromium.org, Sep 20 2013
------------------------------------------------------------------------
r224275 | tkent@chromium.org | 2013-09-20T03:54:03.340572Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_unittest.cc?r1=224275&r2=224274&pathrev=224275
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state.cc?r1=224275&r2=224274&pathrev=224275
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome_frame/test/net/fake_external_tab.cc?r1=224275&r2=224274&pathrev=224275
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state.h?r1=224275&r2=224274&pathrev=224275
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/socket_stream/socket_stream.cc?r1=224275&r2=224274&pathrev=224275
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/socket_stream/socket_stream.h?r1=224275&r2=224274&pathrev=224275
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/webui/net_internals/net_internals_ui.cc?r1=224275&r2=224274&pathrev=224275
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/url_request/url_request_http_job.cc?r1=224275&r2=224274&pathrev=224275
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/http/http_security_headers_unittest.cc?r1=224275&r2=224274&pathrev=224275
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/net/transport_security_persister_unittest.cc?r1=224275&r2=224274&pathrev=224275
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/url_request/url_request_test_util.h?r1=224275&r2=224274&pathrev=224275
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/url_request/url_request_unittest.cc?r1=224275&r2=224274&pathrev=224275
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/url_request/url_request.cc?r1=224275&r2=224274&pathrev=224275
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/websockets/websocket_job.cc?r1=224275&r2=224274&pathrev=224275
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/websockets/websocket_job.h?r1=224275&r2=224274&pathrev=224275
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/renderer_host/chrome_resource_dispatcher_host_delegate.cc?r1=224275&r2=224274&pathrev=224275
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/socket_stream/socket_stream_job.cc?r1=224275&r2=224274&pathrev=224275

Revert 224269 "Don't persist HPKP if PrivacyMode is enabled."

It broke Google Chrome ChromeOS bot.
http://build.chromium.org/p/chromium.chrome/builders/Google%20Chrome%20ChromeOS/builds/58548/steps/compile/logs/stdio#error1
FAILED: g++ ... -c ../../net/socket/ssl_client_socket_nss.cc -o obj/net/socket/net.ssl_client_socket_nss.o
../../net/socket/ssl_client_socket_nss.cc: In member function 'int net::SSLClientSocketNSS::DoVerifyCertComplete(int)':
../../net/socket/ssl_client_socket_nss.cc:3445:64:error: no matching function for call to 'net::TransportSecurityState::GetDomainState(const string&, bool&, net::TransportSecurityState::DomainState*)'
../../net/socket/ssl_client_socket_nss.cc:3445:64: note: candidate is:
../../net/http/transport_security_state.h:212:8: note: bool net::TransportSecurityState::GetDomainState(const string&, bool, bool, net::TransportSecurityState::DomainState*)
../../net/http/transport_security_state.h:212:8: note:   candidate expects 4 arguments, 3 provided

> Don't persist HPKP if PrivacyMode is enabled.
> 
> BUG= 258667 
> 
> Review URL: https://chromiumcodereview.appspot.com/19269012

TBR=mef@chromium.org

Review URL: https://codereview.chromium.org/24251011
------------------------------------------------------------------------
Comment 13 by mef@chromium.org, Nov 17 2015
Status: Archived
Based on agl's comment here https://chromiumcodereview.appspot.com/19269012#msg46 this issue has been addressed differently, so I'm archiving it.
