Greetings,
In our corporate environment, a web proxy sits between users and the internet. The proxy is transparent, and so enforces authentication by spoofing the original content server, and redirecting unauthenticated web requests with a 302 to a URL of my choice, in this case, to the host "proxysg" for HTTP requests, and "https://proxysg:4443" for HTTPS requests. Some Chrome users have recently reported an error when accessing some web sites. The error page reads: "proxysg refused to connect". The URL in the address bar when this appears is a variation on the authentication URL, like so: https://proxysg/. Note that it's HTTPS, but not using port 4443. This only seems to happen when accessing a plain HTTP web site. Since our proxy doesn't have a listener on 443, a RST is returned when the browser attempts to connect to that address, resulting in the error.
For affected users, I find an entry for the host name "proxysg" when queried under chrome://net-internals/#hsts. The problem goes away when the entry is deleted.
Our proxy doesn't issue Strict-transport-security headers, so I don't understand how it could have found its way into chrome's HSTS cache. I'm unable to replicate the problem, so I don't know under what conditions Chrome will add that host to HSTS. We have relatively few Chrome users, so the affected environment is limited so far to Windows 7, and Chrome v58.
I'm trying to get a better understanding of this issue in order to be able to replicate it in a controlled setting. Has anyone in a similar environment seen this sort of behavior from Chrome? Any theories as to why Chrome incorrectly added the host to HSTS?
Thanks
- D
--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+u...@chromium.org.
To post to this group, send email to net...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/2caeec0c-ac28-4d28-9778-692cab961575%40chromium.org.
I could but at this point I can only capture the symptom, and not the problem. The symptom is that Chrome redirects a request for http://proxysg to https://proxysg. The problem (that I can't yet replicate) is that Chrome believes proxysg is enforcing HSTS and so adds the host name to its HSTS cache.
I'm hesitant to enter it as a bug until I'm able to replicate the problem.
I wonder if there's a bug (although I think this is unlikely) where if
a site sends the STS header thru the proxy, that it gets applied to
the proxy instead of (or in addition to) the proxied host. I think the
following would work to test if this is the case:
- Load hstspreload.org (or any other site that sends the STS header)
thru the proxy
- Check chrome://net-internals/#hsts to see if there's an entry for proxysg
On Mon, Jun 26, 2017 at 11:06 AM, Dan L <wrathsk...@gmail.com> wrote:
> On Monday, June 26, 2017 at 8:52:54 AM UTC-7, Chris Bentzel wrote:
>> A more complete netlog would help us pinpoint the issue. Could you go to chrome://net-export and capture one? Entering this as a bug makes sense. You could also upload the netlog to Google Drive or Dropbox or equivalent and restrict access if there is private information you don't want to be seen broadly.
>>
>
>
> I could but at this point I can only capture the symptom, and not the problem. The symptom is that Chrome redirects a request for http://proxysg to https://proxysg. The problem (that I can't yet replicate) is that Chrome believes proxysg is enforcing HSTS and so adds the host name to its HSTS cache.
>
> I'm hesitant to enter it as a bug until I'm able to replicate the problem.
>
> --
> You received this message because you are subscribed to the Google Groups "net-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+unsubscribe@chromium.org.
> To post to this group, send email to net...@chromium.org.
> To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/bdaa593b-6d69-42b3-a42b-ce86bd714995%40chromium.org.
--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+unsubscribe@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CACdeXiLrvhe0dP9Rg%3DW25O-7_-LVV_93n9T5%2BV0cq%3DocuzxjXg%40mail.gmail.com.
In the second case, query domain for "proxysg" returns the following
static_sts_domain:
static_upgrade_mode: UNKNOWN
static_sts_include_subdomains:
static_sts_observed:
static_pkp_domain:
static_pkp_include_subdomains:
static_pkp_observed:
static_spki_hashes:
dynamic_sts_domain: proxysg
dynamic_upgrade_mode: STRICT
dynamic_sts_include_subdomains: true
dynamic_sts_observed: 1493133654.554964
dynamic_pkp_domain:
dynamic_pkp_include_subdomains:
dynamic_pkp_observed:
dynamic_spki_hashes:
--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+u...@chromium.org.
To post to this group, send email to net...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/d1ccc1c3-fd37-45b4-bad9-757d62e1a977%40chromium.org.
When a user without an existing login session to the proxy accesses any HTTP site, the proxy redirects the request to http://proxysg, by spoofing the server and issuing a 302. The browser follows that redirect and makes a direct connection to the host proxysg:80. On affected machines, it's this connection that Chrome seems to consider subject to HSTS, redirecting it to https://proxysg.
I'll do some testing with the next instance I find and try to get a net-internals log.
- D
I'm still at a loss how that entry is populated into the HSTS cache when the proxy does not provide an HSTS header when users directly access it for authentication.
- D
- D
--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+unsubscribe@chromium.org.
To post to this group, send email to net...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/f02cb411-0dea-4d83-ab18-49dadd42731c%40chromium.org.
Agreed. then again, if I knew under what conditions the entry would find its way into Chrome's HSTS cache, I wouldn't be here :-)
> While this certainly could be an obscure Chrome bug, in more than 9 times out of 10, when people roll their own server and a browser breaks, it's a problem with the custom server.
The proxy is a Blue Coat Proxy ASG (now a Symantec product), so not home-rolled, but a commercial HTTP proxy with 15+ years of production in large corporate environments. I've brought this issue to Blue Coat support, but they're clueless about it.
Until I can catch the transition behavior in the wild, this will likely remain a mystery. I'm here looking for clues and hints that might lead me to a narrower set of conditions for that behavior.
Thanks
- D