17 Jan
HTTP-fallback and site settings in Chrome?
I am testing a deep packet inspection based application to block certain undesirable websites in a corporate network, e.g. gambling: williamhill.es. We do this by matching ServerName (HTTPS) or Host (HTTP) in TLS ClientHello against a list of domains and sending a TCP reset to close the session.
My test environment is Google Chrome (v132.x), Windows 11 client connected to an upstream device which routes all traffic and does DPI as well. Note that this device is not terminating any connections / doing any proxying, it is only inspecting pass-through traffic.
I ran two types of tests to verify application behaviour:
- First, I ran with client traffic routing via my device and opened the website for the first time. I observed multiple ClientHello requests which were dropped with TCP reset. Then I saw a fallback to an HTTP request.
- Then, I used a different uplink on the client and opened the website in the browser. This would cache site settings. Then I changed the uplink and launched the website again with the app configured to block HTTPS, and this time the TLS handshake did not go through. However, I did not see any HTTP request.
So here are my queries:
- The first test ensured the TLS handshake never completed, i.e. HTTP transactions would not have gone through and Chrome would not know of site settings. Then why did Chrome fall back to HTTP? Is there a setting for this? Is there a max-timeout or max-attempts?
- I was under the assumption a website falls back to HTTP if it does not have HSTS policies. For example, williamhill.es does not. I also checked chrome://net-internals/hsts query and nothing shows up. If that is the only possibility, then what caused the change in behavior in the second iteration? (i.e. when the website was allowed to load and store site data)
- Is there a way to check site settings cached locally? Any file, extension, etc.? I know I can run with DevTools in an active tab. But for my application I would find it useful to understand behavior at a later point in time too, when the site is being reopened.
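The matching step the question describes (SNI in the TLS ClientHello for HTTPS, the Host header for plaintext HTTP, checked against a domain list), as an added example that is not part of the question or the asker's DPI product. It builds its own constructed ClientHello as sample input; `BLOCKLIST`, `build_client_hello`, `extract_sni`, `extract_http_host` and `is_blocked` are names chosen here, and the parser only looks at the first server_name entry.

```python
import struct

BLOCKLIST = {"williamhill.es"}  # domain named in the question; constructed list for this example

def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying an SNI extension (sample input)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry                     # server_name_list
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni                # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                                 # client_version, random
            + b"\x00"                                               # empty session_id
            + b"\x00\x02\x13\x01"                                   # one cipher suite
            + b"\x01\x00"                                           # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body              # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs        # record type 0x16 = handshake

def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's server_name extension, or None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:                  # handshake record, ClientHello
            return None
        p = 9 + 2 + 32                                              # record hdr, hs hdr, version, random
        p += 1 + record[p]                                          # session_id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]            # cipher_suites
        p += 1 + record[p]                                          # compression_methods
        end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]       # end of extensions block
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if etype == 0x0000 and record[p + 2] == 0:              # first list entry is a host_name
                nlen = struct.unpack("!H", record[p + 3:p + 5])[0]
                return record[p + 5:p + 5 + nlen].decode("ascii", "replace").lower()
            p += elen
    except (IndexError, struct.error):                              # truncated or malformed record
        pass
    return None

def extract_http_host(request: bytes):
    """Return the Host header value of a plaintext HTTP request, or None."""
    for line in request.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line[5:].strip().decode("ascii", "replace").lower()
    return None

def is_blocked(name) -> bool:
    """True if name, or a parent domain of it, is on the blocklist; a ':port' suffix is ignored."""
    host = (name or "").split(":")[0]
    return any(host == d or host.endswith("." + d) for d in BLOCKLIST)
```

A match on either path is where the question's product would send its TCP reset; a ClientHello that carries no SNI yields None and therefore no match, which is one case worth checking in the first test.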