Re: HSTS preload flaw

Rob Sayre <sayrer@gmail.com> Sun, 09 February 2020 09:35 UTC

References: <CAChr6Syfo-XpN0i4O0==G29KJ22oCvq+X_nbjgq8aAhtCR7BzA@mail.gmail.com> <A0F7BEB8-C236-429B-94F7-C2F748FDD70C@bzfx.net>
In-Reply-To: <A0F7BEB8-C236-429B-94F7-C2F748FDD70C@bzfx.net>
From: Rob Sayre <sayrer@gmail.com>
Date: Sun, 09 Feb 2020 01:30:46 -0800
Message-ID: <CAChr6SyG56wDh=EvEmMUzOfK5YWP3yhrQkXpmWx9MYe9BsghSw@mail.gmail.com>
To: Austin Wright <aaa@bzfx.net>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Subject: Re: HSTS preload flaw
Archived-At: <https://www.w3.org/mid/CAChr6SyG56wDh=EvEmMUzOfK5YWP3yhrQkXpmWx9MYe9BsghSw@mail.gmail.com>
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37344

On Sun, Feb 9, 2020 at 12:05 AM Austin Wright <aaa@bzfx.net> wrote:

> I don’t think you can call this a bug.
>

I think it's a bug, but reasonable people can disagree. An "unintentional
difference in behavior" is another way to describe this report.


> As far as I know, this behavior is not standardized as any part of HTTP,
> but is described and centrally managed by Chromium project. That is, it’s a
> feature of Google Chrome and nobody else is under any obligation to
> implement it.
>

HSTS is defined by RFC 6797. It's true that the preload list can vary
between versions of browsers, but in this case I found that the macOS
versions of browsers other than Safari had these TLDs preloaded, while the
iOS versions of these browsers did not. I understand why this happened, but
I think it would be a stretch to call it intentional. The discrepancy
existed for over a year, and no browser vendor seemed aware of it.



> And even if it was, I don’t really see how you can say “At least 600k
> domains were impacted”. What would an attack look like? You have to have a
> user-agent willing to send a sensitive payload in plaintext, and a server
> with port 80 open to receive it.
>

600k is a conservative estimate based on the number of domains that seemed
to be registered under these TLDs. Any browser without these TLDs preloaded
would first attempt to connect via HTTP if supplied with an http:// URL or
a schemeless URL (like "foo.dev"). At that point, any server could provide
a response. You might think "surely there will be a scary warning", but
this actually was not the case in all browsers, especially on mobile
phones. Safari did say "Not Secure" in the address bar, but other browsers
just showed an "(i)" info icon instead of a lock, so a user would have to
notice the absence of a lock.

thanks,
Rob
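As an added illustration of the behaviour discussed in this thread (example code, not part of the original message), a small Python model of the two RFC 6797 decisions involved: parsing a Strict-Transport-Security header, and deciding whether a user agent's first request for a typed or linked URL goes out over plaintext. The two preload sets are constructed stand-ins for a build that carries the TLD entries and one that does not; the real per-browser lists are larger and are the thing that differed.

```python
import re
from dataclasses import dataclass
# Constructed preload sets as (host, includeSubDomains); real per-browser lists differ.
PRELOAD_DESKTOP = {("dev", True), ("app", True), ("example.com", False)}
PRELOAD_MOBILE_STALE = {("example.com", False)}  # TLD entries never shipped
@dataclass(frozen=True)
class StsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_sts(header: str) -> "StsPolicy | None":
    """RFC 6797 s6.1: None if max-age is missing/invalid or a directive repeats."""
    seen, max_age, include, preload = set(), None, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if not name:
            continue
        if name in seen:            # duplicate directives invalidate the header
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include = True
        elif name == "preload":
            preload = True          # other directives are ignored per s6.1
    return None if max_age is None else StsPolicy(max_age, include, preload)

def is_known_hsts_host(host: str, preload: set) -> bool:
    """RFC 6797 s8.2/8.3: exact match, or a listed superdomain with includeSubDomains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if any(e == candidate and (i == 0 or inc) for e, inc in preload):
            return True
    return False

def initial_scheme(url: str, preload: set) -> str:
    """Scheme of the first request a UA sends for a typed or linked URL."""
    scheme, sep, rest = url.partition("://")
    if not sep:                     # schemeless input such as "foo.dev"
        scheme, rest = "http", url
    host = rest.split("/", 1)[0].split(":", 1)[0]
    upgrade = scheme.lower() == "https" or is_known_hsts_host(host, preload)
    return "https" if upgrade else "http"   # "http": plaintext first request
```

Running `initial_scheme("foo.dev", ...)` against each set shows the discrepancy directly: the build with the TLD entry never emits the plaintext request, the stale build does.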