Nov 27, 2010

Chrome Behavior Confirmed, FF Checked With HSTS Add-On

Both Google and Mozilla have been very responsive in the discussion on HSTS behavior for non-default ports.

Chrome Behavior Confirmed
Adam Langley from Google confirmed that Chrome doesn't enforce HSTS for non-default ports:

From the write up you appear to be using a non-default HTTP port
(8080). That doesn't trigger rewriting in Chromium:

if (scheme == "http" &&
     (request->url().port().empty() || port == 80) &&
     request->context()->transport_security_state() &&
     request->context()->transport_security_state()->IsEnabledForHost(
         &domain_state, request->url().host())) {

I understand that the draft may be updated to cover this case in the
future, in which case the code will also be updated.


AGL

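To make the quoted Chromium condition concrete, here is a small Python model of that decision (an added example for this post, not Chromium's code): a URL is rewritten to https only when the scheme is http, no port or port 80 is given, and the host is in the browser's HSTS state. The HSTS host list is a constructed stand-in for Chromium's transport_security_state, and the entries in it are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the browser's HSTS state: hosts for which a
# Strict-Transport-Security header has already been seen. Hypothetical entries.
HSTS_ENABLED_HOSTS = {"www.paypal.com", "john.com"}


def hsts_upgrade(url, enabled_hosts=HSTS_ENABLED_HOSTS):
    """Model the quoted Chromium check for rewriting http to https.

    Returns the rewritten https URL when all of the following hold, and
    None otherwise (the request is left as plain http):
      * the scheme is http
      * no explicit port is given, or the explicit port is 80
      * the host is present in the HSTS state
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return None
    # An explicit non-default port (e.g. 8080) does not trigger rewriting,
    # which is exactly the case described in the post.
    if parts.port is not None and parts.port != 80:
        return None
    if parts.hostname not in enabled_hosts:
        return None
    # Rewrite to https and drop an explicit :80 so the default https port applies.
    return urlunsplit(("https", parts.hostname, parts.path, parts.query, parts.fragment))


def classify(urls, enabled_hosts=HSTS_ENABLED_HOSTS):
    """Map each URL to its rewritten form or None, for a quick overview."""
    return {u: hsts_upgrade(u, enabled_hosts) for u in urls}


if __name__ == "__main__":
    # Constructed sample URLs covering the port and scheme variations discussed.
    samples = [
        "http://john.com/login",          # default port: upgraded
        "http://john.com:80/login?x=1",   # explicit 80: upgraded
        "http://john.com:8080/login",     # non-default port: left alone
        "https://john.com:8443/",         # already https: nothing to do
        "http://example.org/",            # not in HSTS state: left alone
    ]
    for url, result in classify(samples).items():
        print(f"{url:32} -> {result}")
```

The third sample shows why the site in the write-up is not upgraded: the port check fails before the HSTS state is even consulted.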

Firefox Nightly Behavior Checked With HSTS Add-On
Daniel Veditz asked me to use Sid Stamm's Firefox add-on for HSTS:
https://addons.mozilla.org/en-US/firefox/addon/246797/

I installed it and accessed https://www.paypal.com to see whether it showed up in the list, which it did. But my site does not show up when I surf to it:


So we're now trying to find out if this is because of any of the following:
  • Non-default port 8443
  • Self-signed SSL certificate added as a permanent security exception in Firefox
  • Domain john.com resolves to 127.0.0.1 on my machine via /etc/hosts

Stay tuned :).
