New issue
Advanced search Search tips

Issue 707645 link

Starred by 1 user
Status: WontFix
Owner: ----
Closed: Apr 2017
Cc:
est...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug-Security



Sign in to add a comment

Pinned TLS public keys (HPKP) evicted after clearing cache

Reported by ryan@cyph.com, Apr 3 2017 
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Steps to reproduce the problem:
An issue I reported about a year ago that was promptly fixed (https://bugs.chromium.org/p/chromium/issues/detail?id=603682) is now reproducible again, exactly as described in my original issue.

What is the expected behavior?

What went wrong?
Last time it was a misplaced curly brace; not sure about this time. :)

Did this work before? Yes 

Chrome version: 57.0.2987.133  Channel: stable
OS Version: OS X 10.11.6
Flash Version: Shockwave Flash 25.0 r0

Comment 1 by est...@chromium.org, Apr 3 2017

Labels: Needs-Feedback
I can't reproduce in 57.0.2987.110. This is what I'm doing in a fresh profile:

1.) Visit github.com
2.) Open chrome://net-internals/#hsts and query for github.com, observe "dynamic_spki_hashes: sha256/WoiWRyIOVNa..."
3.) In chrome://settings, clear Passwords (or Download History) from Clear Browsing Data.
4.) Visit chrome://net-internals/#hsts and query for github.com again, observe the same dynamic_spki_hashes value.

Can you give your exact repro steps?

Comment 2 by ryan@cyph.com, Apr 3 2017 

Sorry, actually, upon further investigation it's not _exactly_ the same behaviour. Last time clearing literally any browsing data (e.g. saved passwords) would delete the pinned keys, but now it just happens when clearing the cache specifically.
Project Member

Comment 3 by sheriffbot@chromium.org, Apr 3 2017

Cc: est...@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "estark@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 4 by est...@chromium.org, Apr 3 2017

Components: Internals>Network>DomainSecurityPolicy
Status: WontFix (was: Unconfirmed)
Re comment 2: I see, that's WAI. https://codereview.chromium.org/7717023/ originally intended to clear HSTS/HPKP data if and only if cache is cleared, and that was the behavior that I restored in the fix for  issue 603682 .

Comment 5 by ryan@cyph.com, Apr 3 2017 

Oh, oops. Looking back at the commit message for the fix in the issue I linked, I see that what I described here is exactly what the mitigation was at the time; guess I just misremembered (or never actually saw what the fix was and assumed something different). Sorry about that.
Project Member

Comment 6 by sheriffbot@chromium.org, Jul 10 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment