Chromium.org is available in insecure HTTP

Issue description (reported by 93m4qau783@gmail.com in bug 799676):

<quote>
UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36

Steps to reproduce the problem:
1. Open http://www.chromium.org on a hotel or coffee shop network.
2. Get a popup from chromium.org telling you that you have a virus and to download a program to remove it.
3. Accept it, and download the malware offered.
4. Let your files be encrypted with ransomware.

What is the expected behavior?
Chromium.org uses strict HSTS and is not available in insecure HTTP.

What went wrong?
Chromium.org is available in insecure HTTP, which is extremely susceptible to man-in-the-middle (MITM) attacks which could lead to data interception and tampering, including injection of malicious code.

Did this work before? N/A

Chrome version: 63.0.3239.132
Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: HSTS for the Entire Internet
</quote>

Also: "http://chromium.org redirects to HTTPS but http://www.chromium.org does not."
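The report expects two things of a host: a plain-HTTP request is redirected to HTTPS, and the HTTPS response carries a Strict-Transport-Security header. The following checker is an added example for this thread, not code from the bug report or from Chromium's tooling. parse_hsts and classify run offline on constructed responses (the example.test hostnames and their responses are made up for the demonstration); fetch performs a live check when a hostname is passed on the command line. The one-year minimum max-age (31536000 seconds) is this example's threshold, borrowed from the HSTS preload requirement, and is not something the thread states.

```python
"""Check the two properties the bug report expects of a host:
(1) plain HTTP is redirected to HTTPS, (2) HTTPS responses carry a strong
Strict-Transport-Security (HSTS) header. Added example, not Chromium code."""
import http.client
import ssl
import sys
from urllib.parse import urlparse

# Minimum max-age this example treats as adequate: one year, the value the
# HSTS preload list requires (this example's assumption, not from the thread).
MIN_MAX_AGE = 31536000
REDIRECT_CODES = (301, 302, 303, 307, 308)


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into its directives.
    Returns None when the header is absent."""
    if header is None:
        return None
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            parsed["max_age"] = int(value)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def classify(http_status, location, hsts_header, min_max_age=MIN_MAX_AGE):
    """Turn the plain-HTTP response (status, Location) and the HSTS header
    seen over HTTPS into a list of findings; an empty list means both
    properties hold."""
    findings = []
    to_https = (http_status in REDIRECT_CODES and location is not None
                and urlparse(location).scheme.lower() == "https")
    if not to_https:
        findings.append("plain HTTP is served without a redirect to HTTPS")
    hsts = parse_hsts(hsts_header)
    if hsts is None:
        findings.append("no Strict-Transport-Security header over HTTPS")
    else:
        if hsts["max_age"] is None:
            findings.append("HSTS header has no max-age")
        elif hsts["max_age"] < min_max_age:
            findings.append(f"HSTS max-age {hsts['max_age']} is below {min_max_age}")
        if not hsts["include_subdomains"]:
            findings.append("HSTS header lacks includeSubDomains")
    return findings


def fetch(host):
    """Live check: one plain-HTTP GET with redirects not followed, then one
    HTTPS GET to read the HSTS header. Returns (status, location, hsts)."""
    plain = http.client.HTTPConnection(host, 80, timeout=10)
    plain.request("GET", "/")
    resp = plain.getresponse()
    status, location = resp.status, resp.getheader("Location")
    plain.close()
    secure = http.client.HTTPSConnection(host, 443, timeout=10,
                                         context=ssl.create_default_context())
    secure.request("GET", "/")
    hsts = secure.getresponse().getheader("Strict-Transport-Security")
    secure.close()
    return status, location, hsts


# Constructed responses (not captured from chromium.org) for an offline run.
SAMPLES = {
    "www.example.test (as reported)": (200, None, None),
    "example.test (redirect only)": (301, "https://example.test/", None),
    "hardened.example.test": (301, "https://hardened.example.test/",
                              "max-age=31536000; includeSubDomains; preload"),
}

if __name__ == "__main__":
    cases = {sys.argv[1]: fetch(sys.argv[1])} if len(sys.argv) > 1 else SAMPLES
    for name, (status, location, hsts) in cases.items():
        problems = classify(status, location, hsts)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run without arguments to see the three constructed cases classified; the first reproduces the reported state (plain HTTP answered directly, no HSTS), the second shows that a redirect alone is not enough because the first request still goes out in the clear, and the third passes. Note that HSTS only protects clients that have already seen the header over HTTPS (or have the host preloaded), which is why the redirect and the header are checked together.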
Feb 15 2018
We've filed bug 811526 to look into what the internal options we have for this are.

Mar 11 2018
What is the purpose of view-restricting that bug?

Mar 13 2018
The purpose is what I said: to track the google-internal options we have for addressing this, which we won't discuss in public :). I will keep this bug updated with any progress that can safely be shared publicly.

Oct 16
Issue 892703 has been merged into this issue.

Dec 22
Currently we have no formal plan or timeline to address this. I'm clearing the status and ownership accordingly. @emilyschechter - if you want to talk at some point about how we can get this scheduled to be fixed, that'd probably be good.
Comment 1 by dpranke@chromium.org, Feb 15 2018