When a dynamic HSTS entry has expired (that is, the amount of time elapsed since an STS header for that domain was seen is greater than the max-age in the header), then that dynamic HSTS entry is deleted. This means that http requests to such a domain will no longer get upgraded to https, but https requests will continue to go over https.

Was there a particular buggy behavior that you're seeing that doesn't match with that?

So I was testing some bug and while doing that I was intrigued to test what happens when hsts expires and I connect to an SSL stripping access point. For any HTTP request it will not be upgraded to HTTPS which makes sense. However, for any HTTPS request, it seems that a specific response from the access point was sufficient to actually let Chrome bypass the SSL tunnel formation and talk like a regular HTTP i.e. talking like HTTP over 443. I have not been able to find time to reproduce this but just thought of sharing this in case something sounds impossible before I actually invest any time. Also, someone working on bug bounties actively can check it out.

Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Fwiw, if this is stupid, I guess, I apologize for wasting time. I figured I could share to let this thing surface for clarification first.

Either way, something like this would be an interesting one.

If a network attacker were to respond to Chrome's TLS ClientHello with a (plaintext) HTTP response, Chrome should show an error page with ERR_SSL_PROTOCOL_ERROR. I'd be really surprised if Chrome sent a plaintext HTTP request on port 443 when navigating to an https URL.

If you're able to reproduce the behavior that you describe, we'd love to hear about it. In the meantime, I'm going to close this bug.