Bug 774769 (Closed)
Opened 12 years ago
Closed 9 years ago
strict transport security can be defeated by using a FQDN
Categories: Core :: Networking, defect
Status: RESOLVED DUPLICATE of bug 1065909
People: Reporter: keeler, Unassigned
Details
Say a user visits "https://example.com" and receives an sts header. If they later visit "http://example.com.", their connection will not be upgraded to https. For a real-world example, try with "www.cert.se".
Comment 1•12 years ago
well, ok, but internally Gecko treats the two as completely different domains. "example.com." will not share cookies, auth, or anything with "example.com".
I guess you could fool someone into logging in? Of course you'd have to completely intercept and re-route all their communication, because once they connect to the real "example.com." then that version, too, will have the STS upgrade applied on subsequent connections.
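The mismatch described in the report and in comment 1, as an added Python example that is not part of this bug or of Gecko's code: a toy HSTS host cache whose lookups can optionally canonicalize the host (lower-case, trailing dot stripped) before matching, so that "example.com." and "example.com" resolve to one entry. The cache, the header value and the URLs are constructed for illustration; whether the fix referenced later in this thread works this way is not stated on this page.

```python
"""Toy HSTS host cache showing why "example.com." misses an entry for "example.com"."""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires_at: float          # absolute time (seconds) after which the entry is stale
    include_subdomains: bool   # the includeSubDomains directive was present


class HstsCache:
    """Minimal in-memory HSTS store (constructed example, not Gecko's implementation)."""

    def __init__(self, canonicalize: bool):
        # canonicalize=False reproduces the reported behaviour: the host string is used as-is
        self.canonicalize = canonicalize
        self._entries: dict[str, HstsEntry] = {}

    def _key(self, host: str) -> str:
        host = host.lower()
        if self.canonicalize:
            # Treat a fully-qualified name with a trailing dot as the same host
            host = host.rstrip(".")
        return host

    def record_header(self, host: str, header: str, now: float) -> bool:
        """Parse a Strict-Transport-Security value; returns False if it is unusable."""
        max_age = None
        include_sub = False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return False
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False
        key = self._key(host)
        if max_age == 0:
            # max-age=0 tells the client to forget the host
            self._entries.pop(key, None)
            return True
        self._entries[key] = HstsEntry(now + max_age, include_sub)
        return True

    def is_secure_host(self, host: str, now: float) -> bool:
        """True if the host, or a parent with includeSubDomains, has a live entry."""
        labels = self._key(host).split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None or entry.expires_at <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """Upgrade an http:// URL to https:// when the host is known to be HSTS."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None:
            return url
        if not self.is_secure_host(parts.hostname, now):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo(now: float = 1_000_000.0) -> dict[bool, tuple[str, ...]]:
    """Run the same navigations against a naive and a canonicalizing cache."""
    results = {}
    for canonical in (False, True):
        cache = HstsCache(canonicalize=canonical)
        # Constructed header as if received over https://example.com
        cache.record_header("example.com", "max-age=31536000; includeSubDomains", now)
        results[canonical] = (
            cache.rewrite("http://example.com/login", now),
            cache.rewrite("http://example.com./login", now),       # trailing-dot FQDN
            cache.rewrite("http://EXAMPLE.COM./login", now),       # case + trailing dot
            cache.rewrite("http://www.example.com./login", now),   # subdomain, trailing dot
        )
    return results


if __name__ == "__main__":
    for canonical, urls in demo().items():
        print("canonicalize =", canonical)
        for u in urls:
            print("  ", u)
```

With canonicalize=False only the first URL is upgraded, which is the behaviour the report describes; with canonicalize=True all four are, because the trailing dot and letter case are removed before the lookup. The same normalization has to be applied both when storing the header and when consulting the cache, otherwise the two sides disagree and the entry is silently missed.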
Comment 2•12 years ago
I'm not convinced this is a real issue, but if it is it's probably inherent to the spec so I'm unhiding the bug.
Group: core-security
Comment 3•10 years ago
An attack would be tricking the user into clicking a http://google.com./ link from a wireless hotspot promising free wireless for sharing their email and actually serving up content that ends up stealing their credentials.
Comment 4•10 years ago
I stumbled across this bug while searching for something else and it explains what I thought was a failure of HSTS.
I have my bookmarks/favorites/shortcuts set to use https but sometimes there are links from other sources that don't. I've noticed that sometimes I click on an http link to a site that uses HSTS and http appears briefly before changing to https. Since my bookmarks go directly to https and I may have never visited the http site or it may have been so long ago it's past the STS setting TTL.
I wish the setting applied at the domain level regardless of http or https. Ideally I'd like the ability to manage the setting per site like in bug 572803.
Comment 5•9 years ago
This seems to bug 134402.
Comment 6•9 years ago
Unless I'm misunderstanding something, the immediate issue here seems to have been fixed in Bug 1065909.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE