HSTS preload flaw

Hi,

I reported a bug that found HSTS not present for .app, .dev and several
other TLDs in Safari on all operating systems, as well as Chrome, Firefox,
and Edge on iOS.

https://bugs.webkit.org/show_bug.cgi?id=202925 [perhaps still private]

Google made the issue public about a month ago without asking me:
https://bugs.chromium.org/p/chromium/issues/detail?id=1013612#c44

A commenter on the Chromium bug maintains that this issue is not a bug.
However, this issue was responsibly reported, and fixed in iOS 13.3 and
contemporaneous releases on other operating systems:

https://developer.apple.com/documentation/ios_ipados_release_notes/ios_ipados_13_3_release_notes

It wasn't exactly a clever exploit (I noticed a .app domain that shouldn't
have loaded over http), but perhaps there should be more careful monitoring
of HSTS preload lists. At least 600k domains were impacted.

thanks,
Rob

Received on Saturday, 8 February 2020 01:03:51 UTC