Security: Preload HSTS domains is not working against SSLStrip
Reported by n3v3r...@gmail.com, Jun 3 2016
Issue description

Please see the following link for instructions on filing security bugs: http://www.chromium.org/Home/chromium-security/reporting-security-bugs

VULNERABILITY DETAILS
Preload HSTS domains is not working against SSLStrip

VERSION
Chrome Version: 51.0.2704.79 (64-bit) stable
Operating System: [OSX El Capitan 10.11.4]

REPRODUCTION CASE
Using Moxie's SSLStrip tool, you can browse www.google.co.jp over the HTTP protocol.
https://moxie.org/software/sslstrip/

I noticed that google.co.jp is preloaded by querying chrome://net-internals/#hsts and the "static_sts_include_subdomains" is set to "true". However, this preloaded item does not seem to work against SSLStrip. I can still view the http page of www.google.co.jp. But if I add www.google.co.jp manually (to dynamic_sts_domain), then it will prevent the SSLStrip and stop me from browsing google.

Besides, google's server is not sending any HSTS header.

In the attached file, you can see that the url address is in HTTP, not HTTPS.
Jun 3 2016
chrome://net-internals#hsts can be a bit hard to read, but google.co.jp is static_upgrade_mode: OPPORTUNISTIC, not static_upgrade_mode: STRICT.
There is lots of work to get the google.{ccTLD} domains ready to be preloaded, but we're not there yet.
Comment 1 by f...@chromium.org, Jun 3 2016
Owner: lgar...@chromium.org
Status: WontFix (was: Unconfirmed)
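
Added example (not part of the original report and not Chromium code): a small Python check that reads the text of a chrome://net-internals/#hsts query and reports which entry, if any, actually forces HTTPS for a host, following the OPPORTUNISTIC versus STRICT distinction discussed in this thread. The sample outputs are constructed, and the field names static_sts_domain, dynamic_upgrade_mode and dynamic_sts_include_subdomains, plus the UNKNOWN value, are assumptions modeled on the fields quoted above.

```python
# Constructed sample: preloaded entry only, as in the report.
SAMPLE_PRELOAD_ONLY = """\
static_sts_domain: google.co.jp
static_upgrade_mode: OPPORTUNISTIC
static_sts_include_subdomains: true
dynamic_sts_domain:
dynamic_upgrade_mode: UNKNOWN
dynamic_sts_include_subdomains:
"""

# Constructed sample: after www.google.co.jp was added manually.
SAMPLE_AFTER_MANUAL_ADD = """\
static_sts_domain: google.co.jp
static_upgrade_mode: OPPORTUNISTIC
static_sts_include_subdomains: true
dynamic_sts_domain: www.google.co.jp
dynamic_upgrade_mode: STRICT
dynamic_sts_include_subdomains: false
"""


def parse_query_output(text):
    """Turn 'key: value' lines into a dict; empty values become ''."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _covers(domain, include_subdomains, host):
    """True if an entry for `domain` applies to `host`."""
    if not domain:
        return False
    return host == domain or (include_subdomains and host.endswith("." + domain))


def enforcing_sources(text, host):
    """Return which entries ('static', 'dynamic') force HTTPS for host."""
    f = parse_query_output(text)
    host = host.lower().rstrip(".")
    sources = []
    for kind in ("static", "dynamic"):
        include = f.get(kind + "_sts_include_subdomains", "") == "true"
        covered = _covers(f.get(kind + "_sts_domain", "").lower(), include, host)
        # A covering entry is not enough: only STRICT mode upgrades to HTTPS.
        if covered and f.get(kind + "_upgrade_mode") == "STRICT":
            sources.append(kind)
    return sources
```

An empty result for a host that appears under static_sts_domain means the preload entry exists but is not in STRICT mode, which is the situation described in the report.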