
Issue 598338

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug



Chrome Remote Desktop Host downloads installer non-securely

Project Member Reported by elawrence@chromium.org, Mar 28 2016

Issue description

Version: 49.0.2623.87 (Official Build) beta-m (64-bit)
OS: Windows 10

What steps will reproduce the problem?
Attempt to install the Chrome Remote Desktop host installer for Windows

Expect: HTTPS download
Actual: HTTP navigation

host_installer.js contains:

var HOST_DOWNLOAD_URLS = {
  'Win32': 'http://dl.google.com/dl/edgedl/chrome-remote-desktop/' +
               'chromeremotedesktophost.msi',
  'Win64': 'http://dl.google.com/dl/edgedl/chrome-remote-desktop/' +
               'chromeremotedesktophost.msi',
  'MacIntel': 'https://dl.google.com/chrome-remote-desktop/' +
                  'chromeremotedesktop.dmg',
  'Linux x86_64': 'https://dl.google.com/linux/direct/' +
                      'chrome-remote-desktop_current_amd64.deb',
  'Linux i386': 'https://dl.google.com/linux/direct/' +
                    'chrome-remote-desktop_current_i386.deb',
  'Linux i686': 'https://dl.google.com/linux/direct/' +
                    'chrome-remote-desktop_current_i386.deb'
};
 
Hrm. Apparently this is in the current pre-load list, making this rather unimportant. I wasn't getting an HSTS header from the site itself.

  { "name": "dl.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },

If the site doesn't upgrade to HTTPS and send a dynamic HSTS header, that should still be considered a bug.
(Also, I don't know if host_installer.js is part of the site in question, but I meant to imply that changing all links to HTTPS is part of proper upgrading.)
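
Added example (not part of the original thread and not Chromium code): a lint for a download-URL map of the kind quoted in the issue description. It separates plain-HTTP links that are upgraded only by an HSTS preload entry, in the shape quoted above, from links with no protection at all. The `Example` entry, the function names and the verdict strings are assumptions made for illustration.

```javascript
// Constructed sample input: two entries taken from the host_installer.js excerpt
// in the issue description, plus a hypothetical host that is not preloaded.
const DOWNLOAD_URLS = {
  'Win32': 'http://dl.google.com/dl/edgedl/chrome-remote-desktop/' +
               'chromeremotedesktophost.msi',
  'MacIntel': 'https://dl.google.com/chrome-remote-desktop/' +
                  'chromeremotedesktop.dmg',
  'Example': 'http://downloads.example.test/installer.msi' // hypothetical
};

// Preload entries in the shape quoted in the thread.
const PRELOAD = [
  { name: 'dl.google.com', include_subdomains: true, mode: 'force-https', pins: 'google' }
];

// True when a force-https entry covers the host: an exact match, or a true
// subdomain (label boundary enforced) of an include_subdomains entry.
function isPreloaded(host, entries) {
  const h = host.toLowerCase().replace(/\.$/, '');
  return entries.some((e) => e.mode === 'force-https' &&
    (h === e.name || (e.include_subdomains === true && h.endsWith('.' + e.name))));
}

// Verdict per platform (labels are this example's own):
//   'ok'                - the link itself is HTTPS
//   'http-preload-only' - HTTP link, upgraded only by clients that ship the preload entry
//   'insecure'          - HTTP (or another scheme) with no preload coverage
function auditDownloadUrls(urls, entries) {
  const findings = {};
  for (const [platform, raw] of Object.entries(urls)) {
    const u = new URL(raw);
    if (u.protocol === 'https:') {
      findings[platform] = 'ok';
    } else if (u.protocol === 'http:' && isPreloaded(u.hostname, entries)) {
      findings[platform] = 'http-preload-only';
    } else {
      findings[platform] = 'insecure';
    }
  }
  return findings;
}

// Platforms a build check should fail on: everything that is not HTTPS at the source.
function failing(findings) {
  return Object.keys(findings).filter((p) => findings[p] !== 'ok').sort();
}
```
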

Comment 4 by wfh@chromium.org, Mar 29 2016

Components: Services>Chromoting
Labels: Security_Severity-Low Security_Impact-Stable
Owner: elawrence@chromium.org
Status: Assigned (was: Untriaged)
looks like it should be an easy fix -> elawrence@

the file appears to be https://cs.chromium.org/#chromium/src/remoting/webapp/crd/js/host_installer.js&q=HOST_DOWNLOAD_URLS&l=79

Comment 6 by wfh@chromium.org, Apr 20 2016

Cc: lambroslambrou@chromium.org

Comment 7 by mea...@chromium.org, Apr 20 2016

Issue 605328 has been merged into this issue.

Comment 8 by mea...@chromium.org, Apr 20 2016

Can we open up this bug?

Also see bug 507925 for other references to dl.google.com.

Comment 9 by mea...@chromium.org, May 31 2016

Issue 615883 has been merged into this issue.

elawrence: Ping.

Is this a matter of simply fixing the URLs?

Cc: fir...@gmail.com
+firace@gmail.com who also reported this at bug 615883

Cc: lgar...@chromium.org
friendly ping, please fix this.

Status: Started (was: Assigned)
Fixing the MSI downloader's path is straightforward, trivial, and shouldn't have any user-visible side-effects due to HSTS.

Changing the path for Linux packages (#8/Issue #507925) is another matter entirely, and I think it makes sense to leave that in its own issue.

Project Member

Comment 14 by bugdroid1@chromium.org, Sep 17 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/bc94e6ac4ddf98fc838684b079d70dae943b55d3

commit bc94e6ac4ddf98fc838684b079d70dae943b55d3
Author: elawrence <elawrence@chromium.org>
Date: Sat Sep 17 01:50:46 2016

Change Chrome Remote Desktop MSI download link to use HTTPS

BUG= 598338 

Review-Url: https://codereview.chromium.org/2347923002
Cr-Commit-Position: refs/heads/master@{#419362}

[modify] https://crrev.com/bc94e6ac4ddf98fc838684b079d70dae943b55d3/remoting/webapp/crd/js/host_installer.js

Labels: -Type-Bug-Security -Restrict-View-SecurityTeam M-55 Type-Bug
Status: Fixed (was: Started)
Fixed in 55.0.2864.0

Issue 666913 has been merged into this issue.