Google Chrome opens pre-defined sites always as https..

polonus · 2015-05-16T21:13:12.000Z

See: https://code.google.com/p/chromium/codesearch#chromium/src/net/http/transport_security_state_static.json
Is this in any way a security risk?

polonus

bob3160 · 2015-05-16T21:15:29.000Z

polonus post:1:

See: https://code.google.com/p/chromium/codesearch#chromium/src/net/http/transport_security_state_static.json
Is this in any way a security risk?

polonus

Google or Chromium ??? (There is a difference)

polonus · 2015-05-16T21:36:36.000Z

See the link: p/chromium - so that is clear.
The browser has a HSTS preloaded list.
Websites could enlist here: https://hstspreload.appspot.com/
Minimal requirements:

Have a valid certificate.
Redirect all HTTP traffic to HTTPS—i.e. be HTTPS only.
Serve all subdomains over HTTPS.
Serve an HSTS header on the base domain:
Expiry must be at least eighteen weeks (10886400 seconds).
The includeSubdomains token must be specified.
The preload token must be specified.
If you are serving a redirect, that redirect must have the HSTS header, not the page it redirects to.

Be aware that inclusion in the preload list cannot really be undone!

Read about the parent problem here: http://blogs.msdn.com/b/ieinternals/archive/2014/08/18/hsts-strict-transport-security-attacks-mitigations-deployment-https.aspx link article author Eric Law

The attacker causes the victim's browser to navigate to http://example.com. Because the HSTS policy applies only to sub.example.com and its superdomain matches, this insecure navigation is not blocked by the user agent. The attacker intercepts this insecure request and returns a response that sets a cookie on the entire domain tree using a Set-Cookie header. All subsequent requests to https://sub.example.com carry the injected cookie, despite the use of HSTS.

This attack scenario has to be mitigated via a

background fetch of a resource at the first-level domain. This resource should carry a HSTS header with an includeSubDomains directive that will apply to the entire domain and all subdomains.

polonus

polonus · 2015-05-16T22:12:32.000Z

Just to give an example what is a Poodle vulnerable site like this one doing in this list:
http://toolbar.netcraft.com/site_report?url=https://mirindadomo.ru
Site has a C ranking, sessions could be vulnerable to BEAST attack,
HTTP Strict-Transport-Security not installed on that server.
Unnecessary certificates sent during SSL/TLS-negotiation.
No FIPS enabled - no federal norms (Russian Server)
No SPDY set.

So we see now that my question in this thread was a legit one.

polonus

P.S. This is a properly configured site with a A+ status: https://sslcheck.globalsign.com/nl/sslcheck?host=www.fish-hook.ru
only minor issue: OCSP Stapling

Damian

Announcements