Please preload high-traffic Microsoft redirectors for HSTS
Issue description

Microsoft uses two high-volume redirection services for links between client software and websites:

aka.ms
go.microsoft.com

Both of these domains are heavily used and, because they often point to Downloads or pages that require login, they are high-value targets for a MITM attacker.

We request that you update transport_security_state_static.json with the following entries:

    { "name": "aka.ms", "policy": "custom", "mode": "force-https", "include_subdomains": true },
    { "name": "go.microsoft.com", "policy": "custom", "mode": "force-https", "include_subdomains": false },

Verification: If you'd like to further verify this request, feel free to ping me via ericlaw@microsoft.com. aka.ms presently serves the HSTS Preload header with the includeSubdomains directive. go.microsoft.com was manually added to Edge's fork of the HSTS preload list in the stable build of Windows 10 (shipped April 2018) and that can be verified via observation if desired.

Note: aka.ms requests includeSubdomains:true while go.microsoft.com requests includeSubdomains:false.
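The difference between the two requested include_subdomains values, as an added example that is not part of the original issue and is not Chromium's implementation: a simplified model of how a client decides whether to force HTTPS for a host. The function names (normalize, preload_match, upgrade) are hypothetical, and the URLs in the comments are constructed.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# The two entries requested in the issue, in the same shape as the
# entries of transport_security_state_static.json.
REQUESTED_ENTRIES = json.loads("""[
  { "name": "aka.ms", "policy": "custom", "mode": "force-https", "include_subdomains": true },
  { "name": "go.microsoft.com", "policy": "custom", "mode": "force-https", "include_subdomains": false }
]""")


def normalize(host):
    """Lower-case the host and drop a trailing root dot."""
    return host.strip().lower().rstrip(".")


def preload_match(host, entries=REQUESTED_ENTRIES):
    """Return the name of the entry that forces HTTPS for host, or None.

    An exact match always applies; an entry for a parent domain applies
    only when that entry sets include_subdomains.
    """
    by_name = {e["name"]: e for e in entries if e.get("mode") == "force-https"}
    labels = normalize(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = by_name.get(candidate)
        if entry and (i == 0 or entry["include_subdomains"]):
            return candidate
    return None


def upgrade(url):
    """Rewrite an http:// URL to https:// when its host is preloaded."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname or not preload_match(parts.hostname):
        return url
    netloc = parts.netloc
    if parts.port == 80:
        netloc = netloc.rsplit(":", 1)[0]  # explicit :80 becomes the https default port
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

With these entries a constructed host such as x.aka.ms is upgraded, while x.go.microsoft.com and microsoft.com itself are left on whatever scheme the link used.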
Jul 25
CL: https://chromium-review.googlesource.com/c/chromium/src/+/1140737
Jul 26
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/83f9b671b4a4abc79cf9d3aff809dcd2a72eec0c

commit 83f9b671b4a4abc79cf9d3aff809dcd2a72eec0c
Author: Nick Harper <nharper@chromium.org>
Date: Thu Jul 26 03:35:29 2018

Add Microsoft redirectors to HSTS preload list

Bug: 853863
Change-Id: I15224eb329160dba1c558bc0a89f97c203f9f05f
Reviewed-on: https://chromium-review.googlesource.com/1140737
Commit-Queue: Nick Harper <nharper@chromium.org>
Reviewed-by: Eric Lawrence <elawrence@chromium.org>
Cr-Commit-Position: refs/heads/master@{#578184}

[modify] https://crrev.com/83f9b671b4a4abc79cf9d3aff809dcd2a72eec0c/net/http/transport_security_state_static.json
Comment 1 by nhar...@chromium.org, Jun 18 2018