Issue 892610

Issue metadata

Status: Unconfirmed
Owner: ----
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac, Fuchsia
Pri: 2
Type: Bug
Enforce HSTS for FTP

Reported by darkudo...@gmail.com, Oct 5

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0

Steps to reproduce the problem:
1. Be preloaded on https://hstspreload.org
2. Open ftp://terrax.net/index.html

What is the expected behavior?
Redirect to https://terrax.net/index.html

What went wrong?
It's mainly looking like a http page.

Did this work before? No 

Chrome version: 71.0.3569.0  Channel: dev
OS Version: Debian Testing
Flash Version: 

https://bugzilla.mozilla.org/show_bug.cgi?id=1438713
 
No, not that kind of creepy security bug. It doesn't need to be restricted.
For WhatsApp: https://bit.ly/2Pev7qb
Could someone set up ftp://accounts.google.com/login.html as MitM in a Wifi?

(94.130.231.169 accounts.google.com in /etc/hosts)
Attachment: Screenshot_20181005_145155.png (544 KB)
Components: Internals>Network>DomainSecurityPolicy Internals>Network>FTP
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Thanks for the report. HSTS works for HTTP only (hence the name) so there isn't a security vulnerability here. Removing view restriction and adjusting labels.
I think crbug.com/744499 would be a good solution to the general problem here.
We signed up for HSTS Preloading because we would like to prevent web browsers from connecting insecurely to our domains. I don't perceive a large difference between http and ftp. You even upgrade http://terrax.net:1337/ to https. (And why is comment 3 even locally possible?)

Solutions for domains that wish Strict Transport Security:
1. Introduce support for ftps:// and apply preloading rules there. Ehm, rather not?
2. Upgrade (at least consumers!) to https://.
   According to stats this might be a safe change: https://bugzil.la/1438713#c1
   (Someone could still use another ftp client like FileZilla.)

https://crbug.com/744499 would be cool for domains that don't care about enforcing encryption.
Labels: Needs-Triage-M71
I don't think we should take any action here - ftp is tangential to HTTP, and shares none of the user state (Cookies, credentials, etc). Eventually we hope to be able to remove FTP, anyways.
Actually, I guess if we still render HTML over ftp, the renderer may leak state between the two.
I don't fear technical problems, just bad security UX. Updated the demo page.
As one would expect from HSTS, ws:// is also upgraded to wss:// (since https://crbug.com/455215).
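To make concrete what the thread is disagreeing about, here is an added example, written for this page and not code from Chromium or from any commenter: a small model of the HSTS upgrade step a user agent applies. URLs with an http or ws scheme whose host is a known HSTS host are rewritten to https or wss, with the port handling RFC 6797 section 8.3 prescribes (an explicit port 80 becomes 443, any other explicit port such as the :1337 mentioned above is kept); an ftp URL on the same host is returned unchanged, because HSTS defines no rewrite for that scheme. The preload entry for terrax.net, its includeSubDomains flag and the sample URLs are constructed for the example, and applying the http port rule to ws is an assumption.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the preload list: host -> includeSubDomains flag.
# terrax.net is the domain from the report; the flag value is assumed.
PRELOAD = {"terrax.net": True}

# Scheme rewrites an HSTS-enforcing UA performs: http -> https per RFC 6797,
# ws -> wss per Chrome (crbug.com/455215, cited in the thread).
# There is deliberately no entry for ftp: HSTS says nothing about it.
UPGRADES = {"http": "https", "ws": "wss"}
INSECURE_DEFAULT_PORT = 80   # both http and ws default to 80 (ws assumed)
SECURE_DEFAULT_PORT = 443


def hsts_known_host(host, preload=PRELOAD):
    """RFC 6797 8.2 matching: exact match always counts; a superdomain match
    counts only if that entry asserts includeSubDomains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in preload and (i == 0 or preload[candidate]):
            return True
    return False


def hsts_upgrade(url, preload=PRELOAD):
    """Return the URL the UA would actually fetch under HSTS."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname
    # Schemes HSTS does not cover (ftp, https, wss, ...) pass through untouched.
    if scheme not in UPGRADES or not host:
        return url
    if not hsts_known_host(host, preload):
        return url
    # Preserve any userinfo component verbatim.
    userinfo = parts.netloc.rsplit("@", 1)[0] + "@" if "@" in parts.netloc else ""
    port = parts.port
    if port is None:
        netloc = f"{userinfo}{host}"
    elif port == INSECURE_DEFAULT_PORT:
        # RFC 6797 8.3: explicit port 80 becomes 443
        netloc = f"{userinfo}{host}:{SECURE_DEFAULT_PORT}"
    else:
        # any other explicit port is kept, e.g. :1337 stays :1337
        netloc = f"{userinfo}{host}:{port}"
    return urlunsplit((UPGRADES[scheme], netloc, parts.path, parts.query, parts.fragment))


def audit(urls, preload=PRELOAD):
    """Map each constructed URL to the URL that would be fetched, so a site
    operator can see which links HSTS protects and which it does not."""
    return {u: hsts_upgrade(u, preload) for u in urls}


if __name__ == "__main__":
    # Constructed sample links on the preloaded host.
    for original, fetched in audit([
        "http://terrax.net/index.html",
        "http://terrax.net:1337/",
        "ws://www.terrax.net/chat",
        "ftp://terrax.net/index.html",
    ]).items():
        mark = "upgraded " if fetched != original else "unchanged"
        print(f"{mark}  {original} -> {fetched}")
```

Running the block prints one line per URL; the ftp link is the only one on the preloaded host that comes back unchanged, which is exactly the gap the reporter is describing and the triager says is out of HSTS's scope.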
Labels: OS-Android OS-Chrome OS-Fuchsia OS-Mac OS-Windows
This would affect all OSs; I don't know about iOS though, since https://bugs.chromium.org/p/chromium/issues/detail?id=892639 does not affect Safari.

If anyone could demonstrate that the origin (ftp, example.org, ...) could interact with the origin (https, example.org, ...), we'd have a separate problem on our hands which this bug would exacerbate.
Labels: Enterprise-Triaged