Security: clearing browsing data clears HSTS records
Reported by
qubicfac...@gmail.com,
Nov 14 2017
|
||
Issue descriptionThis template is ONLY for reporting security bugs. If you are reporting a Download Protection Bypass bug, please use the "Security - Download Protection" template. For all other reports, please use a different template. Please READ THIS FAQ before filing a bug: https://chromium.googlesource.com /chromium/src/+/master/docs/security/faq.md Please see the following link for instructions on filing security bugs: https://www.chromium.org/Home/chromium-security/reporting-security-bugs NOTE: Security bugs are normally made public once a fix has been widely deployed. VULNERABILITY DETAILS Clearing browsing data in Google Chrome on Android 7.1.1 deletes HSTS records. HSTS records should not be arbitrarily removed in such scenarios when the purpose of HSTS is to ensure that HTTPS only sites are not being maliciously downgraded to HTTP, hence the long expiry. A user who has the habit of clearing browsing data is thus vulnerable to MITM SSL stripping attacks each time the browsing data is cleared. VERSION Chrome Version: [62.0.3202.84] + [stable] Operating System: [Android 7.1.1 1 Sept 2017] REPRODUCTION CASE 1) Visit a non preloaded HSTS enabled site (I am using hydrozen.net) 2) Check that the HSTS record is present in chrome://net-internals/#hsts under Query HSTS/PKP domain 3) Close all tabs 4) Clear browsing data in Settings>Privacy>Clear Browsing Data 5) Query the HSTS record again in chrome://net-internals/#hsts 6) HSTS record for the domain now indicates NOT FOUND A MITM attack using bettercap against the HSTS domain on the phone is now possible every time browsing data is cleared instead of only during the first time the site is accessed.
,
Nov 14 2017
(fixing typos and re-posting my comment) // Adding some folks and components, in case they have anything to add. Otherwise, I'll close this as WontFix in the next couple of days. Thanks for your report. I believe that's intended behavior, though your concern is valid. There was a long discussion on that subject, if you are interested: https://bugs.chromium.org/p/chromium/issues/detail?id=104935 The short story is: preserving HSTS when clearing browsing data does not sound as an obvious outcome (i.e. a one would expect browser data to be empty after deletion, not partially empty) + that may cause privacy issues (e.g. tracking of the sites a user visited). It might be a good solution to have another checkbox in the "Clear browser data" dialog, but that seems to be unnecessary complication for majority of the users.
,
Nov 14 2017
If the approach is to avoid complication for the majority of users, then why not add an option in net-internals to explicitly retain HSTS settings when flushing the browsing data?
,
Nov 14 2017
Note: chrome://net-internals is in the process of being removed. There are no plans to offer an HSTS "power-user" UI. Comment #2 applies, and agree that WontFix/WorkingAsIntended
,
Nov 15 2017
Yes, this is working as intended. It's a privacy/tracking/fingerprinting vs. strict security trade-off, and as you can see in Issue 104935 it's been enduringly difficult to answer. But I think the current status quo is the right one after all. (Note that we now have evidence that trackers do use HSTS in the wild as a supercookie.)
,
Jun 26 2018
|
||
►
Sign in to add a comment |
||
Comment 1 Deleted