Slashdot Mirror

← Back to Stories (view on slashdot.org)

Chrome To Force Domains Ending With Dev and Foo To HTTPS Via Preloaded HSTS (ttias.be)

Posted by msmash on from the their-road,-their-rules dept.

Developer Mattias Geniar writes (condensed and edited for clarity): One of the next versions of Chrome is going to force all domains ending with .dev and .foo to be redirected to HTTPs via a preloaded HTTP Strict Transport Security (HSTS) header. This very interesting commit just landed in Chromium:
Preload HSTS for the .dev gTLD:

This adds the following line to Chromium's preload lists:
{ "name": "dev", "include_subdomains": true, "mode": "force-https" },
{ "name": "foo", "include_subdomains": true, "mode": "force-https" },
It forces any domain on the .dev gTLD to be HTTPs.

What should we [developers] do? With .dev being an official gTLD, we're most likely better of changing our preferred local development suffix from .dev to something else. There's an excellent proposal to add the .localhost domain as a new standard, which would be more appropriate here. It would mean we no longer have site.dev, but site.localhost. And everything at *.localhost would automatically translate to 127.0.0.1, without /etc/hosts or dnsmasq workarounds.

29 of 220 comments (clear)

  1. Maybe...? by cayenne8 · · Score: 4, Insightful

    Maybe use browser other than Chrome??

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    1. Re:Maybe...? by Z00L00K · · Score: 4, Interesting

      All the strive to force users to go https has gone over the top. It's better to be nice about it.

      Many sites don't need https since there's not much to protect in the communication when people just look at memes and pictures of cats.

      Keep the https available for cases where users want to get the extra security. Assuming that users are stupid makes the users stupid.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re:Maybe...? by ArhcAngel · · Score: 3, Informative

      Might I suggest Waterfox? It's based on the current Firefox code but strips out the tracking and puts NPAPI plugins back. It runs on Windows, Mac, and Linux. No mobile version yet.

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    3. Re:Maybe...? by WaffleMonster · · Score: 3

      That's pretty narrow-sighted. http protects users from malicious intent by man-in-the-middle attacks such as injection by their ISP. HTTPS should be everywhere and the faster we get there the better

      Encryption requires PERMISSION and thus serves as yet another point of leverage for those wishing to assert censorship over content and entities they don't like.

      HTTPS as a destination is laughable... there are hundreds of entities .. some straight up state run by hostile governments with ability to generate keys seen as legitimate globally by the worlds population of web browsers. Better than nothing but hardly what I would deem to be anything approaching trustworthy or secure.

      Ends don't justify means. A desire to reduce MITM opportunities does not justify forcing people to use https if they don't want to.

    4. Re:Maybe...? by swillden · · Score: 2

      Many sites don't need https since there's not much to protect in the communication when people just look at memes and pictures of cats.

      You're making the common error of believing that the purpose of TLS is to protect the secrecy of the content stream, but that's only one half of it, and in most cases the less important half. The other goal is to ensure the integrity of the content stream, not because your cat pictures are important but because browsers are too big and too complex to secure effectively. TLS ensures that no one can inject anything malicious (or even anything annoying) into your stream of cat pictures. Of course, the site you're getting the pictures from could be malicious (and/or annoying), but with TLS you only have to worry about the origin site, not every network hop between it and you.

      Oh, you also have to worry about entities capable of and willing to create bogus site certificates. That's an inherently self-limiting problem, though, because unless it's kept very rare, use of bogus certs will be noticed and the compromised root certs stripped from browsers. Entities who do those sorts of attacks have to limit their use to specific, important cases.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    5. Re:Maybe...? by fuzzyf · · Score: 3, Informative

      Http means anyone can inject BeEF hooks in your browser sitting at the local Starbucks. No matter how unimportant yyour content might be.

      http://beefproject.com/
      It's so easy you can do it with a phone using an app like dSploit.

      Http used to be ok, today every scriptkiddie has access to tools that will pwn any browser with a mitm attack.
      Also, any http security header you might add from your site is useless without https.

    6. Re:Maybe...? by Luthair · · Score: 3, Interesting

      I think you missed a key point - Google bought the .dev TLD and their intended usage is only their own projects. So what they're doing here is asserting that all their dev domains will be encrypted.

      The issue here is iCANN shouldn't have been dumb enough to grant a TLD that has been widely used internally, but unfortunately they have a financial incentive to hawk as many TLDs as possible.

    7. Re: Maybe...? by sound+vision · · Score: 2

      I don't care if they mitm my porn, music stream, or cat video. And if the ISP is acting maliciously you are fucked anyway. The right place to address that is in a courtroom or legislative body.

  2. Switch to .test by Anonymous Coward · · Score: 5, Insightful

    .test is an IETF standard for this purpose. .dev never was. Google own .dev, and they own Chrome, so they are perfectly welcome to do this. We could argue as to whether a browser that enforces per-domain protocols is truly adhering to browser standards (and the larger ramifications if every browser coder started doing the same), but accept that you have zero right to use .dev as your personal fiefdom and move on to something that will remain easier for you to maintain.

    1. Re:Switch to .test by Anonymous Coward · · Score: 2, Insightful

      dev != test != prod

    2. Re:Switch to .test by grub · · Score: 3, Insightful

      NEEDS MOAR AGILE!!!11````

      --
      Trolling is a art,
  3. Please see RFC6761 by mysidia · · Score: 4, Informative

    .invalid and .localhost are already reserved for private usage.

    1. Re:Please see RFC6761 by mysidia · · Score: 2

      Until .invalid gets auctioned to a bidder

      They cannot be; RFC6761 is a compulsory standard to the DNS and specifies these names as permanently reserved.

  4. .localhost TLD? by TheRealMindChild · · Score: 3, Informative

    And everything at *.localhost would automatically translate to 127.0.0.1, without /etc/hosts or dnsmasq workarounds

    Cmon, we aren't talking some crazy complicated configuration here. DNSMasq: add "address=/localhost/127.0.0.1" to your config file. Boom. Done.

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    1. Re:.localhost TLD? by grub · · Score: 2

      I showed my 11 year old daughter your sig. She smiled and said "That's awesome! I'm going to get my engineers to make a combustible lemon that burns your house down!"

      --
      Trolling is a art,
  5. I just don't understand the hatred for devs... by Anonymous Coward · · Score: 3, Interesting

    that Google has. They already broke the "-ignore-certificate-errors" flag which was driven by their hate. I often have to change my clock for testing, and Google made the decision that I should not be allowed to use the web. We use Let's Encrypt certs that area also pretty hatefully limited to 90 days so they waste so much of our time having to maintain them, so you can't move your clock that far forward or backward before Google decides you shouldn't be able to work.

    1. Re:I just don't understand the hatred for devs... by Anonymous Coward · · Score: 2, Interesting

      They also decided to break --disable-web-security which they had previously supported for years. They even broke it in Content Shell which is used only for headless testing, which makes no sense unless they just don't want us to use Chrome for development.

  6. What should you do? by viperidaenz · · Score: 4, Insightful

    How about: Don't use a gTLD for your local DNS?

    Also, why are you doing web development without HTTPS unless you're planning on never using it? It's not like certificates cost anything. There's also nothing stopping you loading your own CA cert and signing your own certificates too.
    Browsers behave differently based on the protocol. Building against one set of rules and deploying against another is just asking for problems.

  7. Re:Yeah by scdeimos · · Score: 3, Insightful

    You should be using .test domains - that's recommended practice by W3C https://tools.ietf.org/id/draf....

    The .dev domains, on the other hand, are valid gTLD and are owned by Google. It's not surprising that Google wants to force HTTPS on a gTLD that they own.

  8. HTTPS everywhere is all well and good... by brantondaveperson · · Score: 4, Interesting

    But it's a real pain for anything that you ship with a web interface, and expect to work unmodified for a long period of time.

    Sure, that's a niche use-case, I get that, but not everything that's accessed by a web browser is something easily updated, and why should it be? If I build some device that's intended to be put on my local network, and give it a web interface, - like, say, a home router - will I be required to implement HTTPS on the device, and have it ship with a cert? A cert that expires after a relatively short period of time?

    I happen to have an old computer lying around the house, and it can't run anything more modern than Chrome from about eight years ago. This browser is able to access anything on the web, other than newer HTTPS sites, because it doesn't understand their certificate. By building these mechanisms of trust, and then constantly changing them (for instance, change from Common Name to Subject Alternate Name - and whatever it is that old Chrome hates about modern certs), we are locking ourselves out of notions of backwards compatibility, and increasing the rate at which we have to throw away our devices, because we can't afford to release OS updates for old hardware, and can't afford to release browser updates for old OSs.

    I get that we're talking about security here, and trust, but I personally see a high cost. Plain HTTP is great. HTTPS is a moving target, and seems like it will remain so.

  9. The requirement to own and renew a domain by tepples · · Score: 3, Informative

    Web browsers require HTTPS server operators to obtain a fully-qualified domain name and a certificate from a certificate authority trusted by the browser publisher. Though Let's Encrypt makes certificates available without charge to domain owners, the domain itself still requires a recurring payment to a third party. The requirement to own a domain and keep it renewed imposes an extra $15 per year (source: Gandi.net) tax on running a server inside a home LAN.

    1. Re:The requirement to own and renew a domain by swillden · · Score: 2

      Web browsers require HTTPS server operators to obtain a fully-qualified domain name and a certificate from a certificate authority trusted by the browser publisher. Though Let's Encrypt makes certificates available without charge to domain owners, the domain itself still requires a recurring payment to a third party. The requirement to own a domain and keep it renewed imposes an extra $15 per year (source: Gandi.net) tax on running a server inside a home LAN.

      In a home LAN you can just use a self-signed certificate and add the cert to your browsers' trust stores. Or just use plain HTTP, since you don't have any concern about malware injection. If you want a domain name you can use for free locally, you can use the .invalid or .localhost TLDs, though that's orthogonal to the question of TLS.

      But your issue is really unrelated to whatever WaffleMonster was talking about, because the discussion was about a context in which ISPs, et al, could do injection attacks, not a home LAN.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    2. Re:The requirement to own and renew a domain by JohnFen · · Score: 3, Informative

      In a home LAN you can just use a self-signed certificate and add the cert to your browsers' trust stores.

      Yes, this.

      You can even, for complex home environments, run your own CA, install your own CA's cert and then use it to sign individual certs all day long without further hassle.

      The only reason you'd ever have to have a cert signed by a third party CA is if you want strangers to use your services and don't want to require them to install a special cert to do so.

    3. Re:The requirement to own and renew a domain by Trax3001BBS · · Score: 2

      The only reason you'd ever have to have a cert signed by a third party CA is if you want strangers to use your services and don't want to require them to install a special cert to do so.

      Or you wish to install programs win10 disallows https://stackoverflow.com/ques...

    4. Re: The requirement to own and renew a domain by ElizabethGreene · · Score: 2

      Anti-FUD: Test signing mode will allow you to run code signed with a private cert, even a self-signed one made with MakeCert.exe. It puts a test mode watermark in the corner of the screen, but that's okay for Dev use.

      https://docs.microsoft.com/en-...

      Answering the obvious "WTF" question, driver signing has been a "should" since before XP. It's now a must because it's a malware/APT vector.

    5. Re: The requirement to own and renew a domain by tepples · · Score: 2

      Some specialized peripherals manufactured by hobbyists for hobbyists, such as tools to read and write cartridge storage media for retro 8- and 16-bit computers, are made in volumes is so low that the cost per year of obtaining and renewing an EV code signing certificate as well as the documents that the EV code signing CA requires would make up a substantial portion of the selling price. Is there a practical way to make low-volume peripherals compatible with 64-bit Windows? Would it be advisable for the manufacturer of such a low-volume peripheral to require users of the device in production to enable test mode? Or would it be more advisable to bundle a USB flash drive containing a GNU/Linux live distribution into which users are expected to reboot?

  10. Chrome-for-iOS is Chrome in name only by tepples · · Score: 2

    Chrome doesn't run on iOS either. Instead of Chrome, Google publishes Chrome-for-iOS. The difference between Chrome and Chrome-for-iOS is that while Chrome uses the Blink engine, Chrome-for-iOS uses the same Apple WebKit engine as Safari, as required by the App Store Review Guidelines. This means that if Apple declines to support a particular web API in Safari, it'll be unsupported in Chrome-for-iOS as well.

  11. That gives me an idea by watermark · · Score: 2

    This gives me an idea. gTLD wide HSTS should be done for some other gTLD as well. I'm thinking like *.bank and the like. It just forces any user of that gTLD to be at least somewhat security conscience and adds some good public reputation to those select gTLD. A private company that owns a gTLD could use this to increase the value of their gTLD because it will have a reputation of being more secure.

  12. NOPE by cfalcon · · Score: 4, Informative

    Modded +5, Informative, but both of its statements are inaccurate. .localhost is reserved for 127.0.0.1 and no other thing. .invalid is reserved for NO use, it should never resolve.

    https://tools.ietf.org/html/rf...

    Localhost:
    Name resolution APIs and libraries SHOULD recognize localhost names as special and SHOULD always return the IP loopback address for address queries and negative responses for all other query types. Name resolution APIs SHOULD NOT send queries for localhost names to their configured caching DNS server(s).

    Invalid:
    Name resolution APIs and libraries SHOULD recognize "invalid" names as special and SHOULD always return immediate negative responses. Name resolution APIs SHOULD NOT send queries for "invalid" names to their configured caching DNS server(s).

    Neither of these are meant for use on a local internet. .localhost is meant to resolve to loopback, and .invalid is meant to never resolve but instead give NXDOMAIN.

    Maybe there are domains reserved for private usage, but it ain't these two.