New issue
Advanced search Search tips

Issue 667247 link

Starred by 2 users
Status: WontFix
Owner: ----
Closed: Nov 2017
Cc:
est...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 2
Type: Bug



Sign in to add a comment

Malformed "double" HPKP header gets accepted, but with first pin skipped

Reported by ha...@hboeck.de, Nov 21 2016 
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36

Steps to reproduce the problem:
1. Set up a page which sets a HPKP header which sets the header name twice (aka starts with "Public-Key-Pins: Public-Key-Pins: pin-sha256..."), the pin that is valid for the current page should not be the first.
2. load page
3. check chrome://net-internals/#hsts for HPKP
4. Chrome accepted the HPKP header, however it ignored the first pin that was set.

What is the expected behavior?
Given the "shoot in the foot" potential of HPKP all invalid HPKP headers should probably be ignored.

What went wrong?
Chrome accepted the header, but ignored one of the pins. That seems dangerous and increases the risk that website owners configure their site in a way that makes it unaccessible.

Did this work before? N/A 

Chrome version: 53.0.2785.143  Channel: n/a
OS Version: 
Flash Version: 

I tested this in firefox and it behaves as expected: It ignores the header and shows an error in the developer console.

I have set up a test page:
https://dhpkp.tlsfun.de/

The test can be replicated by using an apache and set a pin like this:
header set Public-Key-Pins "Public-Key-Pins: pin-sha256=\"ZR7UrkdiJKbmmLXiQlwxmS129Oy9OjzjfOIkMUiK5ZQ=\";pin-sha256=\"YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=\";pin-sha256=\"sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis=\";pin-sha256=\"nB+CrX0Lzjgq1mfXWxlcqKnzVxh2M+YhNtJN87NaZXc=\"; max-age=604800;"

Comment 1 by elawrence@chromium.org, Nov 21 2016

Cc: est...@chromium.org
Components: Internals>Network
This seems more like a functionality bug than a security bug.

Our logic lives inside ParseHPKPHeaderImpl.

https://tools.ietf.org/html/rfc7469 has the following to say:

   4.  UAs MUST ignore any header fields containing directives, or other
       header field value data, that do not conform to the syntax
       defined in this specification.  In particular, UAs must not
       attempt to fix malformed header fields.

   5.  If a header field contains any directive(s) the UA does not
       recognize, the UA MUST ignore those directives.

Comment 2 by ha...@hboeck.de, Nov 21 2016 

I didn't really intend to report this as a security bug, but was confused by the form (it didn't have anything that sounded like functionality bugs in a security/TLS-related feature). Feel free to reassign to another category.

Comment 3 by est...@chromium.org, Nov 21 2016

Components: -Internals>Network Internals>Network>DomainSecurityPolicy
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -Via-Wizard-Security OS-Android OS-Chrome OS-Mac OS-Windows Type-Bug
Status: Available (was: Unconfirmed)
Adjusting labels and making the bug public. I agree we should be rejecting this header per the spec. Somewhat related to  issue 469471  (we don't have good error reporting for bad HPKP headers.)
Project Member

Comment 4 by sheriffbot@chromium.org, Nov 22 2017

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available. If you change it back, also remove the "Hotlist-Recharge-Cold" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 5 by elawrence@chromium.org, Nov 22 2017

Status: WontFix (was: Untriaged)
With the upcoming removal of HPKP, this isn't worth fixing.
https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ

Sign in to add a comment