craSH/Chrome-STS
chrome_sts_manager.py

A little tool to add/delete/query entries from Chrome's STS cache

Handy for adding hosts such as Facebook, Twitter, etc. Do not add hosts to the STS cache that don't support HTTPS: they will break. Do not use this unless you are very familiar with HSTS!

Requires a restart of Chrome to load the updated file.

Copyleft 2010 Ian Gallagher crash@neg9.org

Usage: chrome_sts_manager.py [options] domain/hostname

Options:
  -h, --help            show this help message and exit
  -a, --add             Add/update a host to the STS cache
  -d, --delete          Delete a given host from the STS cache
  -s INCLUDE_SUBDOMAINS, --include-subdomains=INCLUDE_SUBDOMAINS
                        Include subdomains
  -m MAX_AGE, --max-age=MAX_AGE
                        Maximum age entry will be cached (seconds)
  -p PATH_OVERRIDE, --sts-cache-path=PATH_OVERRIDE
                        Manually specify the path to Chrome/Chromium's
                        TransportSecurity file
  -v VERBOSITY, --verbose=VERBOSITY
                        Verbosity/debug level. 0 (errors only) - 3 (debug)

Example usage (Adding facebook.com and all subdomains)

This adds facebook.com and all subdomains to Chrome's STS cache for one year. This breaks Facebook chat and probably apps, if you care about those things:

$ ./chrome_sts_manager.py -a facebook.com -s
INFO: Added/updated STS Entry for 'facebook.com': {"7QzmF0xxCtHTEKYxqWspZY5pl1F0B90+PraFnPulnH8=": {"expiry": 1321272174.509285, "include_subdomains": true, "mode": "strict", "created": 1289736174.509285}}
INFO: Executing autocommit of STS state file
INFO: Sucessfully wrote STS state to file '/Users/crash/Library/Application Support/Google/Chrome/Default/TransportSecurity'

chrome_sts_reverse.py

A little proof-of-concept script to reveal hosts stored in the STS cache (where they are kept only as SHA-256 hashes)

The hashing of hostnames in Chrome's STS cache is not useful from a security perspective: it's trivial to look them up based on your own browsing history and the Alexa top 1,000,000 sites list. That is what this script does. This is not amazing by any means; most users will have all their STS entries present in the normal browser history, so I don't see that there's much of a leak here. It's really just an annoyance when trying to deal with the STS cache :)
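The following is an added example, not code from this repository, illustrating both halves of the README: the shape of a TransportSecurity entry as the manager writes it (expiry = created + max-age, mode "strict"), and why a hashed key is only an obstacle and not a privacy control, since a dictionary of likely host names reverses it. It assumes the key is base64(SHA-256(name)) where the hashed input is the DNS wire-format encoding of the lower-cased host name (length-prefixed labels plus a terminating zero byte), the scheme used by the Chromium of that era; the sample cache, the candidate list and the timestamp are constructed here, so verify the assumed hash input against a real entry from your own file before relying on it.

```python
import base64
import hashlib
import json

# Constructed timestamp standing in for "now"; not taken from a real cache file.
NOW = 1290000000.0
ONE_YEAR = 365 * 24 * 3600


def dns_wire_name(hostname: str) -> bytes:
    """Encode 'www.example.com' as b'\\x03www\\x07example\\x03com\\x00'.

    Trailing dots and upper-case letters are normalised so that aliases of the
    same name hash to the same key (ASSUMED to mirror Chromium's canonicalisation).
    """
    labels = hostname.strip(".").lower().encode("ascii").split(b".")
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def sts_key(hostname: str) -> str:
    """base64(SHA-256(wire-format name)): the key format of the TransportSecurity JSON."""
    digest = hashlib.sha256(dns_wire_name(hostname)).digest()
    return base64.b64encode(digest).decode("ascii")


def make_entry(include_subdomains: bool, max_age: int, now: float) -> dict:
    """Build an entry with the fields the manager writes (expiry is absolute, not a duration)."""
    return {
        "expiry": now + max_age,
        "include_subdomains": include_subdomains,
        "mode": "strict",
        "created": now,
    }


def reverse_sts_cache(cache: dict, candidates, now: float):
    """Map hashed keys back to host names via a candidate list (history + popular sites).

    Returns (matched, unmatched); each record carries the key, the recovered host
    (None when no candidate hashed to it) and whether the entry has already expired.
    """
    lookup = {sts_key(host): host for host in candidates}
    matched, unmatched = [], []
    for key, entry in cache.items():
        host = lookup.get(key)
        record = {
            "key": key,
            "host": host,
            "include_subdomains": bool(entry.get("include_subdomains", False)),
            "expired": float(entry["expiry"]) < now,
        }
        (matched if host else unmatched).append(record)
    return matched, unmatched


# Constructed sample of a TransportSecurity file: one entry added for a year with
# subdomains, one that has already expired, and one for a host the word list does
# not contain (stands in for the "unmatched" case in the README's output).
SAMPLE_CACHE = {
    sts_key("facebook.com"): make_entry(True, ONE_YEAR, NOW),
    sts_key("www.paypal.com"): make_entry(False, ONE_YEAR, NOW - 2 * ONE_YEAR),
    sts_key("intranet.example.test"): make_entry(False, ONE_YEAR, NOW),
}

# Constructed candidate list: in the real script this is browser history plus the
# Alexa top 1,000,000 list; here it is a handful of hosts so the example runs offline.
CANDIDATES = ["facebook.com", "www.paypal.com", "calomel.org", "neg9.org"]

if __name__ == "__main__":
    print(json.dumps(SAMPLE_CACHE, indent=2))
    matched, unmatched = reverse_sts_cache(SAMPLE_CACHE, CANDIDATES, NOW)
    for r in matched:
        flag = " (expired)" if r["expired"] else ""
        print(f"Matched:   {r['host']}{flag} include_subdomains={r['include_subdomains']}")
    for r in unmatched:
        print(f"Unmatched: {r['key']}")
```

The lookup direction is the whole point: hashing is one-way, but the input space (names people actually visit) is small and public, so a defender should treat the cache as readable by anyone with file access and not rely on the hashing for confidentiality. The `expired` flag matters when cleaning the file by hand, since an entry past its `expiry` is dead weight rather than an active policy.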

Example usage (You must have the Alexa top 1m sites file downloaded + unzipped)

$ python chrome_sts_reverse.py
# Chrome/Chromium STS Privacy Leak PoC
# Look up STS hosts based on precomputed hashes of your own browsing history + Alexa Top 1,000,000 domains
+ Downloading http://s3.amazonaws.com/alexa-static/top-1m.csv.zip ...
+ Hashing and caching Alexa top 1,000,000 domain hashes, this may take about a minute...
Matched STS host entries:
    Accessed: Fri Nov  5 17:11:47 2010 - calomel.org
    Accessed: Fri Nov  5 17:33:37 2010 - neg9.org
    Accessed: Sun Nov 14 02:42:21 2010 - www.paypal.com
    Accessed: Fri Nov  5 17:16:52 2010 - www.noisebridge.net

Unmatched STS host hashes:
    Accessed: Sun Nov 14 15:28:51 2010 - rKLF0Hae9LVGc224j1/caNj/mw10uyYWv7QkStDh9gU=
    Accessed: Sun Nov 14 04:00:23 2010 - vnGyNm8Ca0otQ0Xeju02z1ytnWf4cDxFBqUcQJ77lpg=

About

Various little Chrome STS hacks
