Can you please be more specific about the exact URLs and steps involved?

Based on the pptx, it /looks/ like what you're saying is that you attempt to load http://facebook.com/ in regular Chrome after enabling a DNS-spoof and this fails because HSTS rule forces the request to https://facebook.com/ and your attack site does not have HTTPS enabled. Subsequently, when you attempt the attack in an Incognito mode instance, the request for http://facebook.com is not upgraded to HTTPS and thus the page loads non-securely.

Is that correct?

*.facebook.com is on the HSTS preload list and thus this attack should not work on any version of Chrome that is running within 10 weeks of its build date. (Chrome 58 is very outdated at this point and thus its HSTS rules have expired).

Hello, yes you have it correct. The http://facebook.com was redirected to a web server on the Raspberry Pi serving as the access point. The page is not accessible on a regular Chrome window because HTTPS is forced. When in incognito it did not force HTTPS on this same address.

I understand that this is an old version of Chrome, but when this was tested the version of Chrome was current. My partner also tested this more recently, around November or December. I have not tested it since but as this is something that (at the time of testing) worked on current versions of Chrome I figured it might be an ongoing issue.

Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

I was not able to reproduce a problem here. Attempting to load http://facebook.com in Incognito while spoofing DNS resulted in the expected automatic clientside redirection to HTTPS with the following recorded in the network log:

t= 997 [st=   0]      URL_REQUEST_FAKE_RESPONSE_HEADERS_CREATED
                      --> HTTP/1.1 307 Internal Redirect
                          Location: https://facebook.com/load
                          Non-Authoritative-Reason: HSTS

Can you please attempt to reproduce this in a current version of Chrome, and attach a network log[1] if you're successful?

[1] https://www.chromium.org/for-testers/providing-network-details

I will take some time to attempt to get this working on a current version and get back to you.

Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Thanks. Please update this issue if you are able to reproduce the problem.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot