pfn / passifox

Extensions to allow Chrome and Firefox (4.0+) to auto form-fill passwords from KeePass (requires KeePassHttp)
GNU General Public License v3.0

ChromeIPass: HSTS Issues #425

Open oct3net opened 9 years ago

oct3net commented 9 years ago

It seems that the most recent versions of Google Chrome cause ChromeIPass to stop working due to HSTS implementations. In short, if I were to open a webpage over HTTPS at the URL https://localhost/, then all subsequent requests to localhost are redirected to HTTPS if they are not already doing so.

I'm looking into some workarounds for this at the moment (aside from continuously purging localhost from chrome://net-internals/#hsts), but if anyone can beat me to a solution then all the better, I say.

Alternatively, we could implement HTTPS functionality in KeePassHTTP but I'm not sure which will require less work let alone which is actually feasible.

ChromeIPass XMLHttpRequest with Google Chrome running under standard parameters:

t=171682 [st=0] +REQUEST_ALIVE  [dt=1]
t=171682 [st=0]    URL_REQUEST_DELEGATE  [dt=1]
t=171683 [st=1]   +URL_REQUEST_START_JOB  [dt=0]
                   --> load_flags = 106752 (IGNORE_LIMITS | MAYBE_USER_GESTURE | REPORT_RAW_HEADERS | VERIFY_EV_CERT)
                   --> method = "POST"
                   --> priority = "HIGHEST"
                   --> upload_id = "0"
                   --> url = "http://localhost:19455/"
t=171683 [st=1]      URL_REQUEST_REDIRECT_JOB
                     --> reason = "HSTS"
t=171683 [st=1]      URL_REQUEST_FAKE_RESPONSE_HEADERS_CREATED
                     --> HTTP/1.1 307 Internal Redirect
                         Location: https://localhost:19455/
                         Non-Authoritative-Reason: HSTS
                         Access-Control-Allow-Origin: chrome-extension://ompiailgknfdndiefoaoiligalphfdae
                         Access-Control-Allow-Credentials: true
t=171683 [st=1]      URL_REQUEST_DELEGATE  [dt=0]
t=171683 [st=1]      CANCELLED
t=171683 [st=1]   -URL_REQUEST_START_JOB
                   --> net_error = -3 (ERR_ABORTED)
t=171683 [st=1]    URL_REQUEST_DELEGATE  [dt=0]
t=171683 [st=1] -REQUEST_ALIVE

ChromeIPass XMLHttpRequest with Google Chrome running with the --disable-web-security parameter:

t=1870 [st=0] +REQUEST_ALIVE  [dt=4]
t=1870 [st=0]    URL_REQUEST_DELEGATE  [dt=0]
t=1870 [st=0]   +URL_REQUEST_START_JOB  [dt=4]
                 --> load_flags = 98560 (IGNORE_LIMITS | MAYBE_USER_GESTURE | VERIFY_EV_CERT)
                 --> method = "POST"
                 --> priority = "HIGHEST"
                 --> upload_id = "0"
                 --> url = "http://localhost:19455/"
t=1870 [st=0]      URL_REQUEST_DELEGATE  [dt=0]
t=1870 [st=0]      HTTP_CACHE_GET_BACKEND  [dt=0]
t=1870 [st=0]      URL_REQUEST_DELEGATE  [dt=0]
t=1870 [st=0]     +HTTP_STREAM_REQUEST  [dt=1]
t=1870 [st=0]        HTTP_STREAM_REQUEST_STARTED_JOB
                     --> source_dependency = 2516 (HTTP_STREAM_JOB)
t=1871 [st=1]        HTTP_STREAM_REQUEST_BOUND_TO_JOB
                     --> source_dependency = 2516 (HTTP_STREAM_JOB)
t=1871 [st=1]     -HTTP_STREAM_REQUEST
t=1871 [st=1]     +HTTP_TRANSACTION_SEND_REQUEST  [dt=0]
t=1871 [st=1]        HTTP_TRANSACTION_SEND_REQUEST_HEADERS
                     --> POST / HTTP/1.1
                         Host: localhost:19455
                         Connection: keep-alive
                         Content-Length: 54
                         User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36
                         Origin: chrome-extension://ompiailgknfdndiefoaoiligalphfdae
                         Content-Type: application/json
                         Accept: */*
                         Accept-Encoding: gzip, deflate
                         Accept-Language: en-US,en;q=0.8
t=1871 [st=1]        HTTP_TRANSACTION_SEND_REQUEST_BODY
                     --> did_merge = true
                     --> is_chunked = false
                     --> length = 54
t=1871 [st=1]     -HTTP_TRANSACTION_SEND_REQUEST
t=1871 [st=1]     +HTTP_TRANSACTION_READ_HEADERS  [dt=3]
t=1871 [st=1]        HTTP_STREAM_PARSER_READ_HEADERS  [dt=3]
t=1874 [st=4]        HTTP_TRANSACTION_READ_RESPONSE_HEADERS
                     --> HTTP/1.1 200 OK
                         Content-Length: 128
                         Content-Type: application/json
                         Server: Microsoft-HTTPAPI/2.0
                         Date: Sat, 19 Sep 2015 09:08:38 GMT
t=1874 [st=4]     -HTTP_TRANSACTION_READ_HEADERS
t=1874 [st=4]      URL_REQUEST_DELEGATE  [dt=0]
t=1874 [st=4]   -URL_REQUEST_START_JOB
t=1874 [st=4]    URL_REQUEST_DELEGATE  [dt=0]
t=1874 [st=4]    HTTP_TRANSACTION_READ_BODY  [dt=0]
t=1874 [st=4]    URL_REQUEST_JOB_BYTES_READ
                 --> byte_count = 128
t=1874 [st=4]    HTTP_TRANSACTION_READ_BODY  [dt=0]
t=1874 [st=4] -REQUEST_ALIVE
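
One way to pick this failure out of a net-internals capture automatically, as an added example that is not part of the original issue or of ChromeIPass. The sample log is constructed in the event format shown above (trimmed to two requests), and `parseNetLog` and `hstsFailures` are hypothetical helper names.

```javascript
// Constructed sample in the net-internals event format (not a verbatim capture).
const SAMPLE_LOG = `
t=171682 [st=0] +REQUEST_ALIVE  [dt=1]
t=171683 [st=1]   +URL_REQUEST_START_JOB  [dt=0]
                   --> url = "http://localhost:19455/"
t=171683 [st=1]      URL_REQUEST_REDIRECT_JOB
                     --> reason = "HSTS"
t=171683 [st=1]      URL_REQUEST_FAKE_RESPONSE_HEADERS_CREATED
                     --> HTTP/1.1 307 Internal Redirect
                         Location: https://localhost:19455/
                         Non-Authoritative-Reason: HSTS
t=171683 [st=1]   -URL_REQUEST_START_JOB
                   --> net_error = -3 (ERR_ABORTED)
t=171683 [st=1] -REQUEST_ALIVE
t=1870 [st=0] +REQUEST_ALIVE  [dt=4]
t=1870 [st=0]   +URL_REQUEST_START_JOB  [dt=4]
                 --> url = "http://localhost:19455/"
t=1874 [st=4]        HTTP_TRANSACTION_READ_RESPONSE_HEADERS
                     --> HTTP/1.1 200 OK
t=1874 [st=4] -REQUEST_ALIVE
`;

// Group events per request (+REQUEST_ALIVE .. -REQUEST_ALIVE) and extract the
// fields that show whether HSTS rewrote the request before it reached the wire.
function parseNetLog(text) {
  const requests = [];
  let cur = null;
  let m;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (/\+REQUEST_ALIVE\b/.test(line)) {
      cur = { url: null, hstsRedirect: false, location: null, status: null, netError: null };
    } else if (!cur) continue; // ignore anything outside a request
    else if ((m = /^--> url = "([^"]+)"/.exec(line))) cur.url = cur.url || m[1];
    else if (/^--> reason = "HSTS"/.test(line)) cur.hstsRedirect = true;
    else if ((m = /^Location: (\S+)/.exec(line))) cur.location = m[1];
    else if ((m = /^--> HTTP\/1\.[01] (\d{3})/.exec(line))) cur.status = Number(m[1]);
    else if ((m = /^--> net_error = -?\d+ \((\w+)\)/.exec(line))) cur.netError = m[1];
    else if (/-REQUEST_ALIVE\b/.test(line)) { requests.push(cur); cur = null; }
  }
  return requests;
}

// Broken by HSTS: the browser synthesised the redirect and the job then ended
// with a net error instead of a real server response.
function hstsFailures(requests) {
  return requests.filter((r) => r.hstsRedirect && r.netError !== null);
}
```
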

oct3net commented 9 years ago

It seems that an HSTS API has been requested but no progress has been made on it thus far. Implementing HTTPS support in KeePassHTTP is probably the only option here aside from manually removing localhost from the HSTS cache every time a user opens a page over HTTPS that's hosted on the local machine.

pfn commented 9 years ago

https will not be added to keepasshttp. The whole reason it does its own crypto is to avoid all the issues of PKI on localhost. This may spell the end of chromeipass. (not as if I have been actively maintaining it though)

Sent from my phone

On Sep 19, 2015 2:31 AM, "Jake W." notifications@github.com wrote:

It seems that an HSTS API has been requested https://code.google.com/p/chromium/issues/detail?id=313965 but no progress has been made on it thus far. Implementing HTTPS support in KeePassHTTP is probably the only option here aside from manually removing localhost from the HSTS cache every time a user opens a page over HTTPS that's hosted on the local machine.


pfn commented 9 years ago

Oh, at the same time, accessing https on localhost is extremely rare.

If it is absolutely required for an app or proxy, one could alias localhost or go to any 127.0.0.XXX address (can also be named)


oct3net commented 9 years ago

Another option would be to use Chrome's Native Messaging API but this would require a separate executable file, as the API communicates with a registered binary through STDIN/STDOUT.

Your idea about using a separate IP within the loopback range might work. I'll do some tests and see how well that works as an option.