hstspreload icon indicating copy to clipboard operation
hstspreload copied to clipboard

Published 20 hours ago verified publisher icon chromium

Don't require internal redirects before redirecting to HTTPS

Open konklone opened this issue 8 years ago • 5 comments

The HSTS preload checker currently requires an internal redirect before an external redirect:

screenshot from 2016-08-22 16-05-16

In this case, the domain in question (greengov.gov) always redirects immediately to https://www.whitehouse.gov/greengov/, whether it's accessed over HTTP or HTTPS, or at www or the base of the domain.

There is an obvious performance hit, and there are no security benefits I can think of to requiring the domain to internally redirect before externally redirecting, other than causing the client to cache the HSTS policy on the way through the double-redirect. However, since this scan is for the purpose of preloading the domain, this isn't really relevant -- once the domain is preloaded, there will be no security benefit to forcing clients to go through that redirect.

I think it should be sufficient that a domain's HTTP endpoints redirect immediately and consistently to HTTPS throughout the redirect chain this tool measures, whether or not these redirect locations are internal to the requested hostname or not. This would allow "redirect domains" like greengov.gov to maintain their performance properties while achieving the same level of functional security as other domains.

konklone avatar Aug 22 '16 20:08 konklone

I'm happy to remove this requirement as soon as we have a solution in place for https://crbug.com/626180

lgarron avatar Aug 22 '16 21:08 lgarron

@lgarron Got it -- I commented on the bug: https://bugs.chromium.org/p/chromium/issues/detail?id=626180#c7

konklone avatar Aug 23 '16 04:08 konklone

Not sure who's triaging these issues, though cc @ericlaw1979 in case he's interested. This remains a requirement that is causing some domains to not maintain preload eligibility as external redirects are setup.

For example, dotgov.gov is now no longer eligible, because http://dotgov.gov now redirects to https://home.dotgov.gov directly. While it's certainly not impossible to configure an intermediate redirect, see my comments above for the performance/complexity hit for a security gain that shouldn't be that significant once preloading is completed.

konklone avatar Mar 19 '18 18:03 konklone

+@nharper. I'm not opposed to removing the current same-host redirection requirement.

ericlaw1979 avatar Mar 19 '18 23:03 ericlaw1979

I'm still opposed to it until we fix https://crbug.com/626180 , especially given that Safari is now moving farther away from supporting cross-domain HSTS without direct navigation. :-/

lgarron avatar Mar 20 '18 00:03 lgarron