HSTS certificate problem with captive portals
Reported by flavienj...@gmail.com, Aug 22 2016
Issue description
Device name: Samsung Galaxy S5 (Version 5.0) & Galaxy Note 3 (Version 4.4.2)
From "Settings > About Chrome" Application version: 52.0.2743.98
OS: Android
URLs (if applicable): https://hautdebitmobile.orange.fr
Behavior in Android Browser (if applicable): At each connection to a wifi network with a captive portal, we get an HSTS security warning. We tried to connect to different providers and each time we get it. But if we use the Samsung built-in browser, no problem. We have had this since the last update of Chrome.
Steps to reproduce:
(1) Connect to a wifi network with a captive portal
(2) The system answers "302 Redirect"
(3) Android opens a Chrome window and we get the HSTS warning
Please see the screencap in the attachment.

Aug 23 2016
This is exactly how HSTS is supposed to work. Marking this WontFix for the problem, although tagging Security>UX in case they have any follow-up bugs they want to do w/r/t captive portals, beyond the existing work.

Aug 23 2016
And how can you explain that it was working before the 5th August upgrade? And captive portals work well with the Galaxy S7 edge (Android 6.0) and Galaxy A5 (Android 5.1).

Aug 23 2016
Google turned on HSTS for www.google.com

Aug 23 2016
Ok, but why does it work with the same version of Chrome but on a different version of Android? If Google turns on HSTS, it's applicable for all.

Aug 23 2016
Is the issue that you are seeing a warning on one browser, but getting a captive portal login page on the other? Or is the problem that you cannot click through the error?

Aug 23 2016
I'll try to be more clear: I have a Galaxy S5, and before the last update I didn't have any problem with captive portals (as you can see in the 3 screenshots, I tried with different providers). With that one, I can't connect to hotspots when Chrome is my default browser, but if I change and leave the default Samsung browser, no problem, I can connect my phone to hotspots. I also have a Galaxy S7, and with the same release of Chrome, but with a different version of Android, no certificate warning. So I decided to ask my friend who owns an A5, and he doesn't get the certificate warning (also with Chrome, same release, but a different release of Android). And to finish, one of my customers tried with his Note 3, and gets the same problem that I have on my S5, and it's okay if he leaves the default browser. So it's a new problem between Chrome and Android, on the new release, and it affects Android phones with version <= 5.0.

Aug 23 2016
You *should* get a certificate error, on all browsers. The error is telling you that your phone is trying to connect to https://www.google.com but getting back a cert for the captive portal. This should not work in any browser. I do not know why it is working in some browsers. As far as I see it, the main issue here is that our captive portal detection is terrible. :/ In the meantime, you should be able to go to http://www.example.com to get the login page and avoid the error.
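The mechanism the comment above describes, as an added example that is not part of the original thread or of Chrome's code: a browser with an HSTS entry for a host rewrites any plain-http navigation to that host to https before the request leaves the device, so a captive portal that intercepts it can only present a certificate it has no right to, and the user sees a certificate error rather than the portal's 302. Captive-portal detection therefore has to probe a host that carries no HSTS policy, which is what the http://www.example.com workaround does by hand. The HSTS_HOSTS set, the loopback portal server, the /probe path and the helper names are all constructed for this example; real clients use their own well-known probe URLs and fill their HSTS store from a preload list and from Strict-Transport-Security headers seen on earlier visits.

```python
import http.client
import http.server
import socketserver
import threading

# Constructed HSTS store for this example's "browser profile"; the thread
# concerns www.google.com, which had just been added to Chrome's policy.
HSTS_HOSTS = {"www.google.com"}

PORTAL_LOGIN_PATH = "/login"


class CaptivePortalHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a hotspot's captive portal: it serves its own
    login page and answers every other plain-HTTP request with a 302 to it,
    which is what step (2) of the report describes."""

    def do_GET(self):
        if self.path == PORTAL_LOGIN_PATH:
            body = b"<html><body>Hotspot login</body></html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(302)
            self.send_header("Location", PORTAL_LOGIN_PATH)
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, fmt, *args):  # keep the example quiet
        pass


def start_portal():
    """Start the constructed portal on a free loopback port; returns (server, port)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), CaptivePortalHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def effective_scheme(host, requested_scheme="http"):
    """HSTS as a browser applies it: a plain-http navigation to a host with an
    HSTS entry is rewritten to https before any bytes leave the device, so the
    portal never gets to answer with a 302; its TLS interception surfaces as a
    certificate error for that host instead."""
    return "https" if host in HSTS_HOSTS else requested_scheme


def choose_probe_host(candidates):
    """Pick a captive-portal probe host the portal is able to intercept cleanly:
    the first candidate with no HSTS policy. Returns None if every candidate
    is HSTS-protected, in which case a probe would only ever produce cert errors."""
    for host in candidates:
        if effective_scheme(host) == "http":
            return host
    return None


def detect_portal(host, port, path="/probe"):
    """Plain-HTTP probe (hypothetical path). A genuine probe endpoint answers
    204 with no body; a 30x redirect or any other status means something on
    the path is rewriting traffic, i.e. a captive portal is in the way."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return {
            "status": resp.status,
            "location": resp.getheader("Location"),
            "captive": resp.status != 204,
        }
    finally:
        conn.close()


if __name__ == "__main__":
    server, port = start_portal()
    try:
        print("probe host:", choose_probe_host(["www.google.com", "www.example.com"]))
        print("http://www.google.com is navigated as:", effective_scheme("www.google.com"))
        print("probe result:", detect_portal("127.0.0.1", port))
    finally:
        server.shutdown()
```

Running the script starts the stand-in portal on loopback, shows that www.google.com is skipped as a probe host because its http navigation becomes https, and reports the 302 to /login that the plain-http probe receives, which is the signal a browser can safely act on to open the login page.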

Aug 23 2016
Yes, I understand that, but in that case my S7 doesn't tell me there is a MITM attack. But it's the same browser (Chrome) and the same version as on my S5. But yes, you're right, if I try to change the URL that is in the navigation bar and put an http address, I get my captive portal page. The problem is that it works on one of my devices and not on the other, but it's the same browser ;)

Dec 9 2016
Security>UX component is deprecated in favor of the Team-Security-UX label
Comment 1 by shivanisha@chromium.org, Aug 23 2016