
Issue metadata

Status: Duplicate
Merged: issue 589747
Owner: ----
Closed: Dec 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Feature




Security: Downloading a file using unencrypted HTTP on an HTTPS host doesn't show any warning/error to the user

Reported by kraus...@gmail.com, Dec 14 2017

Issue description

This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.

Please READ THIS FAQ before filing a bug:
https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md

Please see the following link for instructions on filing security bugs:
https://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely
deployed.

VULNERABILITY DETAILS

**Summary:**
When the user visits an HTTPS website, Google Chrome already shows a warning when any of the assets on the website are downloaded via unencrypted HTTP (see the Mixed Content docs: https://developers.google.com/web/fundamentals/security/prevent-mixed-content/fixing-mixed-content).

However, this is not the case for file downloads when downloading a file from an unencrypted URL as part of an HTTP website.

This is a big problem, as anyone in the same network can easily do a man-in-the-middle attack to read & replace the content of the file.

**Steps to Reproduce:**
- Visit an HTTPS-encrypted website, notice the green "Secure HTTPS" badge next to the URL
- The user feels safe and thinks everything on this website is encrypted
- Click a download button for any kind of file, linking to an unencrypted HTTP URL

**Expected Results:**
The browser shows a warning or ideally an error that the download this website tries to trigger is unsafe.

**Actual Results:**
The download works just fine, giving no indication to the user that it happened over unencrypted HTTP.


VERSION
Chrome Version: 62.0.3202.94 + stable
Operating System: macOS 10.12.6

REPRODUCTION CASE
The easiest way to test it is to visit https://aws.amazon.com/mobile/resources/, modify the HTML DOM of the `Download SDK` button to use an HTTP URL instead of HTTPS, and click the `Download SDK` button afterwards.

Here is a video showing the problem in action: https://www.youtube.com/watch?v=Mx2oFCyWg2A&feature=youtu.be

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: none
Crash State: none
Client ID (if relevant): [see link above]
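
A site owner can catch this condition on their own pages before users hit it. The following is an added example, not code from the report or from Chromium: a Python audit that resolves every link on an HTTPS page (including relative, protocol-relative and `<base href>` cases) and reports those that end up on plain `http://`. The `audit` function, the class name and the `example.test` hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that can start a navigation or download when activated.
LINK_ATTRS = {"a": "href", "area": "href", "form": "action", "iframe": "src"}


class InsecureLinkAuditor(HTMLParser):
    """Collect links on an HTTPS page that resolve to plain http:// URLs."""

    def __init__(self, page_url):
        super().__init__()
        if urlsplit(page_url).scheme != "https":
            raise ValueError("audit only applies to pages served over HTTPS")
        self.base = page_url
        self.findings = []  # (tag, resolved_url, has_download_attr)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            # <base href> changes how later relative links resolve.
            self.base = urljoin(self.base, attrs["href"])
            return
        attr = LINK_ATTRS.get(tag)
        value = attrs.get(attr) if attr else None
        resolved = urljoin(self.base, value.strip()) if value else ""
        if urlsplit(resolved).scheme == "http":
            self.findings.append((tag, resolved, "download" in attrs))


def audit(page_url, html):
    auditor = InsecureLinkAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page (hypothetical hosts, not the markup of any real site).
SAMPLE = """
<a href="/docs/guide.pdf">relative, stays HTTPS</a>
<a href="//cdn.example.test/sdk.zip">protocol-relative, stays HTTPS</a>
<a href="http://downloads.example.test/sdk.zip" download>Download SDK</a>
<a href="HTTP://downloads.example.test/tool.dmg">upper-case scheme</a>
<form action="http://example.test/export"></form>
"""

if __name__ == "__main__":
    for tag, url, dl in audit("https://www.example.test/resources/", SAMPLE):
        print(f"<{tag}> -> {url} download_attr={dl}")
```

Run in CI against rendered pages, a non-empty result means at least one link on the HTTPS page hands the user off to an unencrypted transfer.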

 

Comment 1 by cthomp@chromium.org, Dec 14 2017

Components: UI>Browser>Downloads Security
Labels: -Type-Bug-Security Hotlist-HttpBad Team-Security-UX Type-Feature
Status: Available (was: Unconfirmed)
This seems similar to crbug.com/739090#c7, but specifically the concern of HTTP downloads as a form of "mixed content" as discussed in Comment 7 there. We are considering this as part of our broader "HTTPBad" project, but we're not sure exactly how we would address this yet. I'm going to change this to be a feature request which we can track as part of that effort.

Comment 2 by cthomp@chromium.org, Dec 14 2017

Components: -Security

Comment 3 by cthomp@chromium.org, Dec 14 2017

Labels: -Restrict-View-SecurityTeam
Mergedinto: 589747
Status: Duplicate (was: Available)
I think this is effectively already tracked by 589747.

Comment 5 by kraus...@gmail.com, Dec 14 2017

Perfect, thanks for the fast response
