
Issue 610306


Issue metadata

Status: Fixed
Owner:
Closed: May 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug




Remove end.io from HSTS preload list

Reported by jabbs...@gmail.com, May 9 2016

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36

Steps to reproduce the problem:
1. Access the domain http://end.io
2. The page is automatically redirected to https
3. This makes the page fail to load

What is the expected behavior?
go to the page http://end.io not https://end.io

What went wrong?
Someone (not me) has submitted https://end.io to the HSTS list. Please can you remove it as I am the webmaster and it is breaking the site.

https://code.google.com/p/chromium/codesearch#chromium/src/net/http/transport_security_state_static.json&l=6145

Did this work before? N/A 

Chrome version: 50.0.2661.86  Channel: stable
OS Version: OS X 10.11.4
Flash Version: Shockwave Flash 21.0 r0

Can you not change it so people need proof of ownership before submitting the domain to the list?
 

Comment 1 by jabbs...@gmail.com, May 9 2016

Added proof of ownership: https://toolbox.googleapps.com/apps/dig/#TXT/end.io

Comment 2 by f...@chromium.org, May 9 2016

Components: Security
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Owner: lgar...@chromium.org
Status: Assigned (was: Unconfirmed)
Sorry about that! Lucas can help you out.

FYI, a website can only be submitted to the list if your website is sending the STS header. You shouldn't serve the STS header if you don't want HSTS turned on.

Comment 3 Deleted

Comment 4 by jabbs...@gmail.com, May 9 2016

OK thanks, I checked and it's not serving the HSTS header. Do you think there could be a bug in the submission process not checking headers correctly, as I see a few other sites have reported the same issue?

☁  ~  curl -s -D - http://end.io -o /dev/null
HTTP/1.1 200 OK
Server: nginx/1.9.14
Date: Mon, 09 May 2016 15:07:14 GMT
Content-Type: text/html
Content-Length: 19548
Last-Modified: Sat, 19 Mar 2016 18:38:06 GMT
Connection: keep-alive
ETag: "56ed9c8e-4c5c"
Accept-Ranges: bytes
Sites often claim to be submitted without their knowledge/intention, but upon further investigation it has always turned out that the site was sending an HSTS header asking to be preloaded. [1] Could you check old versions of your website code to verify if that happened, and how? I'm trying to learn more about what causes such accidents.

In any case, the TXT record is sufficient proof of ownership, and I'll remove end.io from the preload list for Chrome 52. [2]
I will also try to merge the removal to Chrome 51, but I can't make any guarantees about that.


[1] https://hstspreload.appspot.com/
[2] See https://www.chromium.org/developers/calendar for release dates.
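The point made in comment 2 (a domain only gets onto the list if it serves a Strict-Transport-Security header, and a header carrying the `preload` token is the site's consent to be submitted) is easy to verify locally. The script below is an added example, not part of this thread and not the Chromium preload tooling: it parses a raw HTTP response head such as the curl output quoted in comment 4 and reports why the preload submission form would reject it. The eligibility rules it encodes (`max-age` of at least one year, `includeSubDomains`, `preload`) are an assumption based on the hstspreload.org requirements as documented today; the 2016 thread does not state them. Both sample responses are constructed inline.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Minimum max-age the preload form accepts. Assumption: the rule as documented
# on hstspreload.org today; this thread itself does not state the threshold.
PRELOAD_MIN_MAX_AGE = 31536000  # one year, in seconds

# Constructed sample: the headers quoted in comment 4, which carry no STS header.
END_IO_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.9.14\r\n"
    "Date: Mon, 09 May 2016 15:07:14 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 19548\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

# Constructed sample: what a site that has actually opted in to preloading sends.
PRELOAD_READY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.9.14\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "\r\n"
)


@dataclass
class StsPolicy:
    max_age: Optional[int]        # None when the directive is missing or malformed
    include_subdomains: bool
    preload: bool
    errors: List[str]             # syntax problems found while parsing


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP response head into a dict keyed by lower-cased header name."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:
            break                         # blank line terminates the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_sts(value: str) -> StsPolicy:
    """Parse a Strict-Transport-Security value following RFC 6797 section 6.1:
    directives are ';'-separated, names are case-insensitive, max-age may be
    quoted, and a directive may appear at most once."""
    policy = StsPolicy(max_age=None, include_subdomains=False, preload=False, errors=[])
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')      # RFC 6797 allows a quoted-string value
        if name in seen:
            policy.errors.append(f"duplicate directive {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"\d+", arg):
                policy.max_age = int(arg)
            else:
                policy.errors.append(f"malformed max-age value {arg!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # Unrecognised directives are ignored, as the RFC requires.
    return policy


def preload_problems(headers: Dict[str, str]) -> List[str]:
    """Return the reasons a response would be rejected by the preload form.
    An empty list means the site has opted in and meets the assumed rules."""
    sts = headers.get("strict-transport-security")
    if sts is None:
        return ["no Strict-Transport-Security header"]
    policy = parse_sts(sts)
    problems = list(policy.errors)
    if policy.max_age is None:
        problems.append("max-age directive missing or malformed")
    elif policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy.max_age} is below {PRELOAD_MIN_MAX_AGE}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing (site has not consented to preloading)")
    return problems


if __name__ == "__main__":
    for label, raw in (("end.io as quoted", END_IO_RESPONSE),
                       ("preload-ready", PRELOAD_READY_RESPONSE)):
        print(label, "->", preload_problems(parse_response_headers(raw)) or "eligible")
```

Run against the headers quoted in comment 4 the check reports only that the STS header is absent, which is consistent with comment 2: a site that is not serving the header cannot pass the form's check at submission time. For an operator who wants HSTS but not the preload list, the practical takeaway is to omit the `preload` token; the parser treats its absence as "not consented" regardless of the other directives.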
