
Issue 788055

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug

Security: Some default sites in the new tab page on Android don't use SSL

Reported by ya...@nightwatchcybersecurity.com, Nov 23 2017

Issue description

VULNERABILITY DETAILS
Please provide a brief explanation of the security issue.

VERSION
Chrome Version: 62.0.3202.84 stable
Operating System: Android 7.0.0

REPRODUCTION CASE
1. Open Chrome on Android.
2. Go to Settings, Privacy and clear out all data.
3. Re-open, and open new tab
4. Observe that the icons of popular sites are displayed. NOT ALL OF THEM use SSL: in the US, ESPN doesn't, and in the UK, Argos.co.uk has no SSL, while they actually support SSL.

The result is that a Chrome user who clicks on any of these while on a hostile network can end up being directed to an attacker's site if DNS manipulation or a MITM is used.

The source of these seems to come from a Google service here:
https://www.gstatic.com/chrome/ntp/suggested_sites_DEFAULT_5.json

They are used in this file in code:
https://cs.chromium.org/chromium/src/components/ntp_tiles/popular_sites_impl.cc

The fix may be on the Google side and not in code, or perhaps code can be added not to display non-SSL sites. Screenshot of US Chrome is attached.

Attachment: Screenshot_20171122-215523.png (306 KB)
Components: UI>Browser>ContentSuggestions
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
I'd like the NTP people to take a look at whether it is intended or not.

Change from bug-security to bug. 
Cc: fhorschig@chromium.org
Labels: zine-triaged Pri-2
Owner: mastiz@chromium.org
Status: Available (was: Unconfirmed)
I thought the popular sites pipeline would prefer https pages... Mikel, can you have a look?
To check on our side how to best promote HTTPS pages (if provided), I created bug http://b/69732098.

There are some difficulties in loading HTTPS pages instead of their HTTP equivalents in general, as they might be reachable but broken.
For example, ESPN can be accessed via HTTPS, but it still loads images, scripts and styles via HTTP. The mixed content will be blocked and the site won't be usable.

BTW: HSTS preloading feathers this fall for some HTTP recommendations which would automatically be replaced by the appropriate HTTPS site.
More information about that here: https://hstspreload.org
Spoiler: It doesn't work for ESPN or Argos. 
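
An added check, not part of the report or of Chromium's own code, that covers both points raised so far: the reporter's request to flag default tiles that are served over plain HTTP (allowing for hosts the HSTS preload list already upgrades), and the "reachable but broken" caveat from the previous comment, by classifying http:// subresources on an HTTPS page. The JSON shape, the hostnames and the preload entries are constructed for illustration.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample in the shape ASSUMED for suggested_sites_DEFAULT_5.json
# (a JSON list of objects with "title" and "url"); not the real file's content.
SAMPLE_SUGGESTED_SITES = json.dumps([
    {"title": "Example Sports", "url": "http://sports.example/"},
    {"title": "Example Shop", "url": "http://shop.example/"},
    {"title": "Example Search", "url": "https://search.example/"},
])

# Constructed stand-in for the HSTS preload list. Preloaded entries carry
# includeSubDomains, so a subdomain of a listed host is covered as well.
SAMPLE_HSTS_PRELOAD = {"shop.example"}

# Subresource kinds Chrome refused outright on an https:// page in 2017
# ("blockable" mixed content); <img> was only warned about at the time.
BLOCKABLE_TAGS = {"script", "iframe", "link"}


def classify_entries(suggested_sites_json, hsts_preload_hosts):
    """Map each tile URL to "https", "http-preloaded" (the browser rewrites it
    to https:// before sending anything) or "http-plain" (sent in the clear,
    so exposed to DNS manipulation or an on-path attacker)."""
    verdicts = {}
    for entry in json.loads(suggested_sites_json):
        url = entry["url"]
        parsed = urlparse(url)
        host = parsed.hostname or ""
        preloaded = any(host == h or host.endswith("." + h)
                        for h in hsts_preload_hosts)
        if parsed.scheme == "https":
            verdicts[url] = "https"
        elif preloaded:
            verdicts[url] = "http-preloaded"
        else:
            verdicts[url] = "http-plain"
    return verdicts


def mixed_content(html):
    """Return (blocked, warned) lists of http:// subresource URLs in an HTML
    document served over HTTPS. Anything in `blocked` is the "reachable but
    broken" case: an https:// tile does not help until the site fixes it."""
    blocked, warned = [], []
    pattern = r'<(script|iframe|link|img)\b[^>]*?(?:src|href)="(http://[^"]+)"'
    for tag, url in re.findall(pattern, html, re.IGNORECASE):
        (blocked if tag.lower() in BLOCKABLE_TAGS else warned).append(url)
    return blocked, warned
```

A tile whose verdict is "http-plain" and whose HTTPS version yields an empty `blocked` list is one that could safely be switched to https:// in the feed; the regex is deliberately simple and only meant for this triage, not as a general HTML parser.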

Comment 4 by fi...@chromium.org, Jan 15 2018

Components: -UI>Browser>ContentSuggestions UI>Browser>ContentSuggestions>History

Comment 5 by mastiz@chromium.org, Mar 16 2018

Owner: ----
