
HSTS preload lists in Debian's Chromium, Firefox, and IceCat packages



Have I found a bug in Debian Jessie's package for Chromium?


## Preamble

IIUC, both Chromium and Mozilla Firefox ship with a list of domains
with which they will never communicate via HTTP, always preferring to
use HTTPS instead. These lists are based upon Google Chrome's "HSTS
Preload List".[1][2]


Google says[3] that in Chrome, one can query the browser's HSTS
Preload List contents by navigating to:

chrome://net-internals/#hsts

AFAICT, this is also true in Chromium.


The Chromium project states that Chromium's list is this one, here:[1]

https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json


## Steps to reproduce

- Visit the list at
https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json

- Pick a domain from that list (e.g. whonix.org).

- In an up-to-date installation of Debian Jessie, install the Chromium
package if you have not already done so (e.g. via `sudo apt-get
install chromium`).

- Run that Chromium instance, and navigate to chrome://net-internals/#hsts

- In the resulting page's "Query domain" section, enter a domain from
the list above (e.g. whonix.org) into its text box and press the
"Query" button.


## Observed result

- The text "Not found" is shown below the text box.


## Expected result

- The text "Found" would be shown below the text box, probably along
with some information about the HSTS implementation for that domain.


## Postamble

I have several questions:

1. Is the observed result intended behaviour in Debian? I.e. does
Debian, when packaging Chromium, disable the HSTS Preload List
intentionally?

2. Where on a Debian Jessie system would Chromium's HSTS Preload List be found?

3. Does Debian's Firefox ESR package ship with an HSTS Preload List,
and if so, where can this be found?

4. Does Debian's GNU IceCat package ship with an HSTS Preload List,
and if so, where can this be found?


Please CC me in your reply, as I am not currently subscribed to the
debian-user list.

Many thanks!



[1] https://www.chromium.org/hsts/

[2] https://blog.mozilla.org/security/2012/11/01/preloading-hsts/

[3] https://hstspreload.org
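For anyone wanting to check a hostname against a list in the format of transport_security_state_static.json outside the browser, here is an added example (written for this page, not code from the original post or from Chromium). The file starts with // comment lines before the JSON object, and entries match either by exact name or, when include_subdomains is set, as a parent domain. The sample entries below are constructed and say nothing about whonix.org's real entry.

```python
import json

# Constructed sample in the shape of Chromium's
# transport_security_state_static.json: comment lines, then one JSON
# object with "pinsets" and "entries". Values are made up for this example.
SAMPLE_FILE = """\
// Copyright and format-description lines precede the JSON object.
// They are not valid JSON and must be stripped before parsing.
{
  "pinsets": [],
  "entries": [
    { "name": "whonix.org", "mode": "force-https", "include_subdomains": true },
    { "name": "example.test", "mode": "force-https", "include_subdomains": false }
  ]
}
"""


def load_preload_entries(text):
    """Drop the leading // comment lines and return the 'entries' array."""
    body = "\n".join(line for line in text.splitlines()
                     if not line.lstrip().startswith("//"))
    return json.loads(body)["entries"]


def lookup(host, entries):
    """Return the entry covering host: an exact name match, or the nearest
    parent domain whose entry has include_subdomains set. None otherwise."""
    host = host.lower().rstrip(".")          # case-insensitive, ignore trailing dot
    by_name = {e["name"].lower(): e for e in entries}
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])      # host, then each parent domain
        entry = by_name.get(candidate)
        if entry is None:
            continue
        if i == 0 or entry.get("include_subdomains", False):
            return entry
        # A parent entry without include_subdomains does not cover us; keep walking up.
    return None


def is_preloaded_hsts(host, entries):
    """True only when a covering entry exists and it forces HTTPS
    (pinning-only entries in the real file carry no "mode")."""
    entry = lookup(host, entries)
    return entry is not None and entry.get("mode") == "force-https"


if __name__ == "__main__":
    entries = load_preload_entries(SAMPLE_FILE)
    for h in ("whonix.org", "forums.whonix.org", "www.example.test", "whonix.org.evil.test"):
        print(h, "->", "Found" if is_preloaded_hsts(h, entries) else "Not found")
```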

