
Issue 812887

Starred by 5 users

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug

Blocked on:
issue 811526




Chromium.org is available in insecure HTTP

Project Member Reported by dpranke@chromium.org, Feb 15 2018

Issue description

reported by 93m4qau783@gmail.com in bug 799676 ...

<quote>
UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36

Steps to reproduce the problem:
1. Open http://www.chromium.org on a hotel or coffee shop network.
2. Get a popup from chromium.org telling you that you have a virus and to download a program to remove it.
3. Accept it, and download the malware offered.
4. Let your files be encrypted with ransomware.

What is the expected behavior?
Chromium.org uses strict HSTS and is not available in insecure HTTP.

What went wrong?
Chromium.org is available in insecure HTTP, which is extremely susceptible to man-in-the-middle (MITM) attacks which could lead to data interception and tampering, including injection of malicious code.

Did this work before? N/A 

Chrome version: 63.0.3239.132  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: 

HSTS for the Entire Internet
</quote>

also: "http://chromium.org redirects to HTTPS but http://www.chromium.org does not."
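
A check for the two conditions the report asks for (plain HTTP upgraded to HTTPS, and an HSTS policy covering the host), as an added example that is not part of the original report or of any Chromium tooling. The hosts and responses in `SAMPLE` are constructed, the function names are hypothetical, and only the immediate parent domain is checked for `includeSubDomains`.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Return (max_age, include_subdomains), or None without a valid max-age."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def hsts_policy(host, responses):
    """Policy set on the host's HTTPS response; max-age=0 clears it, so None."""
    entry = responses.get("https://%s/" % host)
    policy = parse_hsts(entry[1].get("strict-transport-security", "")) if entry else None
    return policy if policy and policy[0] > 0 else None

def audit_host(host, responses):
    """Findings for one host from {url: (status, headers)}, header names lowercase."""
    findings = []
    status, headers = responses["http://%s/" % host]
    target = urlsplit(headers.get("location", ""))
    if status not in (301, 302, 303, 307, 308) or target.scheme != "https":
        findings.append("plain HTTP is served instead of redirecting to HTTPS")
    # Only the HTTPS response counts: browsers ignore HSTS received over HTTP.
    own = hsts_policy(host, responses)
    # A parent policy with includeSubDomains covers this host, but only in
    # browsers that have already visited the parent over HTTPS.
    parent = hsts_policy(host.partition(".")[2], responses)
    if own is None and not (parent and parent[1]):
        findings.append("no HSTS policy covers this host")
    return findings

# Constructed responses (hypothetical hosts): the apex redirects, www does not.
SAMPLE = {
    "http://example.test/": (301, {"location": "https://example.test/"}),
    "https://example.test/": (200, {"strict-transport-security": "max-age=31536000"}),
    "http://www.example.test/": (200, {"strict-transport-security": "max-age=31536000"}),
    "https://www.example.test/": (200, {}),
}

if __name__ == "__main__":
    for h in ("example.test", "www.example.test"):
        print(h, audit_host(h, SAMPLE) or "ok")
```

Even with a policy in place, the first plain-HTTP visit from a browser that has never seen the host is still unprotected unless the domain is on the HSTS preload list.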


 
Issue 799676 has been merged into this issue.
Blockedon: 811526
We've filed bug 811526 to look into what the internal options we have for this are.
What is the purpose of view-restricting that bug?
The purpose is what I said: to track the google-internal options we have for addressing this, which we won't discuss in public :). I will keep this bug updated with any progress that can safely be shared publicly.
Issue 892703 has been merged into this issue.
Cc: emilyschechter@chromium.org
Owner: ----
Status: Available (was: Assigned)
Currently we have no formal plan or timeline to address this. I'm clearing the status and ownership accordingly.

@emilyschechter - if you want to talk at some point about how we can get this scheduled to be fixed, that'd probably be good.
