VULNERABILITY DETAILS
HSTS (HTTP Strict Transport Security) can be bypassed by altering, and resetting a user's date.

VERSION
Chrome Version: 58.0.3029.96 (64-bit) - latest stable at time of writing
Operating System: Mac OSX 10.12.latest. Similar effect observed on Windows 7.

REPRODUCTION CASE
- Visit a website with HSTS enabled, and an expiry time set
- Set computer clock to any date in the future
- Change to an invalid certificate on the above HSTS enabled website, or disable HTTPS altogether
- Reload the website
- Set computer clock back to the correct time
- Re-visit the website. You'll find any earlier HSTS headers have been removed.

Chrome is removing HSTS headers when visiting a website, and the local date is faked to be beyond 'expiry'. This is an issue as a rogue application or NTP server could alter a user's local clock, and force a refresh of the page.

When a user then re-visits the site, they can be MITM'ed into a HTTP connection, without the forceable 

A malicious application, or rogue NTP server, can forcibly change a user's machine clock to a date in the future, beyond the 'expiry' date set in the HSTS header, and then force a refresh of the page. The same application could then reset the date, and Chrome would have lost all HSTS headers for that site. It would then be trivial for a HTTP downgrade / MITM attack to take place.

Many thanks for your time!

Gavin