HSTS Preload Discrepancy between Chrome and Mozilla


Eric Lawrence

May 20, 2019, 4:33:24 PM
to HSTS Discuss

https://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/nsSTSPreloadList.inc seems to have include_subdomains set for va.gov. https://chromium.googlesource.com/chromium/src/+/701b72b3fe28961508f27ba39550fe2d7f90bc1f removed include_subdomains for va.gov back in July 2018.

Is this difference expected?

Alex Gaynor

May 20, 2019, 4:45:33 PM
to Eric Lawrence, HSTS Discuss
Do you know what the reason for that change was? VA.gov is currently serving a cromulent STS with include subdomains and preload. (I'm a former VA employee)

Alex

--
You received this message because you are subscribed to the Google Groups "HSTS Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to hsts-discuss...@chromium.org.
To post to this group, send email to hsts-d...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/hsts-discuss/83a86691-9976-4f9b-9619-329c1cd2ce08%40chromium.org.

Nick Harper

May 20, 2019, 4:57:43 PM
to Alex Gaynor, Eric Lawrence, HSTS Discuss
The request was from the VA because they had intranet sites break when subdomains were preloaded.

Daniel Veditz

May 20, 2019, 5:44:53 PM
to Eric Lawrence, HSTS Discuss
Interesting difference. First odd thing is that it appears Mozilla won't ever notice this kind of change of a site that's already on the list: https://searchfox.org/mozilla-central/source/taskcluster/docker/periodic-updates/scripts/getHSTSPreloadList.js#314-327

But that minor bug doesn't really matter because it looks like we ignore the list value of include_subdomains anyway and just get it from the site itself.  https://searchfox.org/mozilla-central/source/taskcluster/docker/periodic-updates/scripts/getHSTSPreloadList.js#117,135
`host.includeSubdomains` isn't used anywhere.

-Dan Veditz

Dana Keeler

May 20, 2019, 7:13:43 PM
to hsts-d...@chromium.org
I'd probably call this expected behavior - we probe most entries on the
list and use the value for includeSubdomains that the server sends. The
exceptions are entries that are "force-included". These have a policy of
"google", "public-suffix", or "public-suffix-requested" (it looks like
the va.gov entry has a policy of "custom").

(Note that generally "live" information will overwrite the preload list,
so even if we set the preloaded entry to not include subdomains, if a
user ever visits va.gov, they'll see the header with include subdomains
set, which will overwrite this, and the internal sites in question will
break again.)

Cheers,
Dana

On 5/20/19 2:44 PM, Daniel Veditz wrote:
> Interesting difference. First odd thing is that it appears Mozilla won't
> ever notice this kind of change of a site that's already on the list:
> https://searchfox.org/mozilla-central/source/taskcluster/docker/periodic-updates/scripts/getHSTSPreloadList.js#314-327
>
> But that minor bug doesn't really matter because it looks like we ignore
> the list value of include_subdomains anyway and just get it from the
> site itself. 
> https://searchfox.org/mozilla-central/source/taskcluster/docker/periodic-updates/scripts/getHSTSPreloadList.js#117,135
> `host.includeSubdomains` isn't used anywhere.
>
> -Dan Veditz
>
> On Mon, May 20, 2019 at 1:33 PM Eric Lawrence <elaw...@chromium.org> wrote:
>
> https://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/nsSTSPreloadList.inc seems
> to have include_subdomains set for va.gov
> https://chromium.googlesource.com/chromium/src/+/701b72b3fe28961508f27ba39550fe2d7f90bc1f removed
> include_subdomains for va.gov back in July 2018.
>
> Is this difference expected?

Nick Harper

May 21, 2019, 5:19:51 AM
to Dana Keeler, HSTS Discuss
On Tue, May 21, 2019 at 12:13 AM Dana Keeler <dke...@mozilla.com> wrote:
> I'd probably call this expected behavior - we probe most entries on the
> list and use the value for includeSubdomains that the server sends. The
> exceptions are entries that are "force-included". These have a policy of
> "google", "public-suffix", or "public-suffix-requested" (it looks like
> the va.gov entry has a policy of "custom").
>
> (Note that generally "live" information will overwrite the preload list,
> so even if we set the preloaded entry to not include subdomains, if a
> user ever visits va.gov, they'll see the header with include subdomains
> set, which will overwrite this, and the internal sites in question will
> break again.)

Chrome does something similar, in that if a user visits va.gov, they'll pick up the includesubdomains flag and apply that for other navigations to va.gov subdomains. (Though the opposite won't happen: If we preloaded example.com with subdomains, and saw an HSTS header on example.com without the includesubdomains flag, we wouldn't override the preload entry to remove it.)

I'll reach out to the VA and check what their intended behavior is. I'd like the preload list and the header they serve to match.

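The merge behaviour Dana and Nick describe above (a live header with includeSubDomains extends a preloaded entry, while a header without it does not strip a preloaded includeSubdomains) and the list-versus-header consistency check Nick wants, as an added example that is not code from either browser. The preload entries below are constructed in the shape of Chromium's transport_security_state_static.json (name/policy/mode/include_subdomains) and the hostnames are placeholders.

```python
import json
import re

# Constructed sample entries in the shape of Chromium's preload JSON; not the real list.
PRELOAD_JSON = """
[
  {"name": "example.gov", "policy": "custom", "mode": "force-https", "include_subdomains": false},
  {"name": "example.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true}
]
"""

def load_preload(text):
    """Map host -> include_subdomains for the force-https entries of the list."""
    return {e["name"]: bool(e.get("include_subdomains", False))
            for e in json.loads(text) if e.get("mode") == "force-https"}

def parse_sts_header(value):
    """Parse a Strict-Transport-Security header value; None if max-age is missing/invalid."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives}

def merge_dynamic(preload, host, header_value):
    """Apply a live header the way the thread describes Chrome doing it: the flag can be
    added by a header, but a header lacking it never removes a preloaded include_subdomains."""
    state = dict(preload)
    parsed = parse_sts_header(header_value)
    if parsed is None:
        return state
    state[host] = state.get(host, False) or parsed["include_subdomains"]
    return state

def is_upgraded(state, host):
    """True if host itself is in the state, or an ancestor is with include_subdomains set."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if parent in state and (i == 0 or state[parent]):
            return True
    return False

def header_matches_preload(preload, host, header_value):
    """Consistency check: does the served header's includeSubDomains agree with the list entry?"""
    parsed = parse_sts_header(header_value)
    return parsed is not None and preload.get(host) == parsed["include_subdomains"]
```

Running `header_matches_preload` over every entry with a `policy` of `custom` is the kind of audit that would have flagged the va.gov discrepancy before a downstream consumer of the list tripped over it.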
Eric Lawrence

May 21, 2019, 11:59:12 AM
to HSTS Discuss, dke...@mozilla.com
Thanks for following up, folks.

The reason this came up is that Microsoft Internet Explorer and Edge Spartan (the pre-Chromium version) pull the nsSTSPreloadList.inc list from Mozilla and use that as the basis of their preload list. We had a request from VA.gov to manually remove their entry from the list, presumably due to the Intranet breakage mentioned above. Looking into things, it appears that our import script had two problems:

1. It assumed that the include_subdomains field from the .inc file represented the correct state.
2. Our script, believing va.gov to be a TLD, buggily ignored the include_subdomains flag and treated va.gov as an HSTS-TLD.

The bug mentioned in #2 is why there was a brief period last week whereby IE/Spartan treated *.gov.uk sites as HSTS-preloaded.

thx,

-Eric
