Security: Chrome 68 on Android Redirects Cleartext Traffic
Reported by mcos...@gmail.com, Sep 13
Issue description

VULNERABILITY DETAILS
All cleartext HTTP requests made on Chrome 68+ on Android get proxied to proxy.googlezip.net. These requests are also not proxied over SSL, so any advantage of processing this securely is lost.

VERSION
Chrome Version: 68.0.3440.91
Operating System: Android 8.0.0

REPRODUCTION CASE
1. Browse to a site that can report your internet-facing IP, over HTTP and HTTPS, with Chrome 68+ for Android, such as icanhazip.com.
2. Compare the IP that is returned in the response.
2.1 HTTP - 66.249.93.93-95
2.2 HTTPS - Your actual breakout
3. Comparing the requests in Wireshark, it can be seen that HTTP requests get proxied to proxy.googlezip.net.
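The reproduction case above boils down to one comparison: the egress address an echo service sees for an HTTP request versus an HTTPS request from the same device. The script below is an added example (not code from the report or from Chromium) that performs that comparison offline on constructed observations, and flags an HTTP egress that falls inside the 66.249.93.93-95 range the reporter observed. The `fetch_egress_ips` helper, the echo URL layout and the observation line format are assumptions; the proxy range and the icanhazip.com host name come from the report.

```python
import ipaddress
import urllib.request
from typing import Dict, List, Optional

# Egress addresses the reporter observed for proxied HTTP requests (66.249.93.93-95).
# Built here as individual host addresses; no claim is made about any wider Google range.
REPORTED_PROXY_EGRESS = {ipaddress.ip_address(f"66.249.93.{n}") for n in range(93, 96)}


def parse_observations(lines: List[str]) -> Dict[str, str]:
    """Parse constructed '<scheme> <ip>' lines, e.g. 'http 66.249.93.94'.

    Blank lines and '#' comments are ignored; each IP is validated so a
    garbled capture fails loudly instead of being silently classified.
    """
    seen: Dict[str, str] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        scheme, ip = line.split()
        ipaddress.ip_address(ip)  # raises ValueError on malformed input
        seen[scheme.lower()] = ip
    return seen


def classify(observed: Dict[str, str]) -> str:
    """Classify a pair of observations.

    direct                  - both schemes leave from the same address
    proxied-known-egress    - HTTP egress is one of the addresses in the report
    proxied-unknown-egress  - HTTP egress differs from HTTPS but is not in that set
    incomplete              - one of the two observations is missing
    """
    http_ip = observed.get("http")
    https_ip = observed.get("https")
    if http_ip is None or https_ip is None:
        return "incomplete"
    if http_ip == https_ip:
        return "direct"
    if ipaddress.ip_address(http_ip) in REPORTED_PROXY_EGRESS:
        return "proxied-known-egress"
    return "proxied-unknown-egress"


def fetch_egress_ips(echo_host: str = "icanhazip.com", timeout: float = 5.0) -> Dict[str, str]:
    """Live version of steps 1-2 (assumed helper, needs network access).

    Fetches the echo host over both schemes and returns {'http': ip, 'https': ip}.
    Run this from the Android device (e.g. via a tethered shell) to reproduce
    the report; on a desktop it only shows the desktop's own egress.
    """
    result: Dict[str, str] = {}
    for scheme in ("http", "https"):
        url = f"{scheme}://{echo_host}/"
        with urllib.request.urlopen(url, timeout=timeout) as resp:  # noqa: S310
            body = resp.read().decode("ascii", "replace").strip()
        ipaddress.ip_address(body)  # echo services return a bare address
        result[scheme] = body
    return result


if __name__ == "__main__":
    # Constructed sample capture mirroring the report: HTTP leaves via the proxy,
    # HTTPS leaves via the device's real breakout (a documentation-range address).
    sample = [
        "# scheme egress-ip",
        "http 66.249.93.94",
        "https 203.0.113.7",
    ]
    obs = parse_observations(sample)
    print(obs, "->", classify(obs))
    try:
        live: Optional[Dict[str, str]] = fetch_egress_ips()
        print(live, "->", classify(live))
    except Exception as exc:  # offline or blocked network
        print("live check skipped:", exc)
```

A "direct" result on a network you control does not prove the proxy is off; it only shows that, for this echo host, the HTTP and HTTPS requests left from the same address. The Wireshark step in the report remains the definitive check, since it shows the destination (proxy.googlezip.net) rather than inferring it from the echoed source.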
Sep 13
When browsing to http://check.googlezip.net/connect I get a 200 "OK" response. So if I understand the documentation correctly, this connection should be encrypted. The connection is made maybe 1/10 times over QUIC, but otherwise it's generally over unencrypted HTTP.
Sep 13
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 13
bengr: Can you take a look or help route?
Sep 13
http://check.googlezip.net/connect provides a way for ISPs to downgrade the proxy connection to HTTP. Separately, Google also downgrades the connection sometimes, so this is working as intended. Can you tell me what the security concern is, exactly? HTTP traffic can be eavesdropped on and modified by intermediaries regardless of whether that traffic is being proxied. While securing the proxy protects the connection between the client and the proxy, it still does not protect against eavesdropping between the proxy and the origin server. Moreover, using an insecure proxy is no worse for HTTP traffic in terms of security or privacy than not proxying at all. Also, just to confirm, Chrome only attempts to make a proxy connection when Chrome's "Data Saver" feature is enabled, correct?
Sep 13
Thanks, I didn't realize that Google could choose to downgrade the connection. Assuming that this is only happening when Data Saver is enabled, I agree that this is working as intended and can be closed.
Sep 13
Correct, this only happens when "Data Saver" is enabled. "Can you tell me what the security concern is, exactly?" - So I agree with you completely that HTTP traffic can be eavesdropped on in almost every situation. However, having this option enabled by default will result in almost all users' traffic being proxied without them realising it, even if they were connected to a secure or trusted network. So I would argue that it is both a security and privacy risk that this is enabled by default. So perhaps the naming of the issue was not quite correct?
Sep 13
This is working as intended, then. The first run experience for Chrome has the option to enable Data Saver, so it's not enabled by default (the FRE changed somewhat recently to make the No option more prominent).
Comment 1 by rsesek@chromium.org, Sep 13
Labels: Needs-Feedback OS-Android