New issue
Advanced search Search tips

Issue 808437 link

Starred by 2 users
Status: WontFix
Owner: ----
Closed: Feb 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Sign in to add a comment

Security: Chrome loads domains with a trailing dot

Reported by krzyc...@gmail.com, Feb 2 2018 
Hi.
Today I've discovered possible security bug in Chrome.

I've noticed that Chrome works very strange when domain address ends with dot.

For example: https://www.google.com.

As You can suspect - it should be ended with Domain Not Found exception BUT... IT WORKS!!!!

What is most strange - it find a proper IP address and pushes HTTP Host Header: www.google.com.

For Google, the site is working properly because it redirects to https://www.google.com 
For YouTube it stays with https://www.youtube.com.

But there are sites that don't work correctly and generates HTTP 400 or infinity redirect loop.

Comment 1 by elawrence@chromium.org, Feb 2 2018

Components: Internals>Network>DNS
Status: WontFix (was: Unconfirmed)
Summary: Security: Chrome loads domains with a trailing dot (was: Security: Dot Truble)
This is working as expected. 

/Technically/ all domain names in DNS end with a trailing dot, but by convention it's typically omitted by both users and sites.

In general this behavior is harmless; only in rare circumstances can it cause security issues in sites and services that fail to account for this behavior; for instance, see https://labs.detectify.com/2016/10/05/the-story-of-ev-ssl-aws-and-trailing-dot-domains/
Project Member

Comment 2 by sheriffbot@chromium.org, May 12 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment