Issue 107845

Status: WontFix
Closed: Dec 2011
Pri: 2
Type: Bug
Receiving error "Security certificate is signed using a weak signature algorithm" when using a corporate proxy

Reported by blaquewr...@gmail.com, Dec 16 2011

Issue description

Since build 5639 of chromium, I get SSL errors for any sites attempting to use SSL encryption.

If I revert back to 5638 & clear out %userprofile%\Local Settings\Application Data\Chromium\User Data, it all works fine again.

http://build.chromium.org/f/chromium/snapshots/Win_Webkit_Latest/5639/

http://build.chromium.org/f/chromium/snapshots/Win_Webkit_Latest/5639/changelog.xml

Guessing it was this change,

When encountering certificates signed with md2/md4, make it a fatal error. When encountering certificates signed with md5, interstitial the page with an error about md5 being a weak signing algorithm. This excludes checking the signatures of root certificates (trust anchors), as their self-signed signatures are not relevant to the security of the chain. R=wtc@chromium.org BUG= 101123  Review URL: http://codereview.chromium.org/8374020

While the security improvement makes sense, is there any option to disable the check or is it just up to sites to update their cert signing?
Attachments: GoogleSSLError.JPG (80.4 KB), FacebookSSLError.JPG (80.3 KB)

EDIT: Should have said certificate errors instead of SSL errors in description & attachments.
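The quoted change describes a three-way policy over the chain: MD2/MD4 signatures are fatal, MD5 signatures get an interstitial warning, and the trust anchor's own self-signature is never examined. The following is an added, stand-alone Python model of that policy; it is not code from this issue or from Chromium. It carries its own minimal DER encoder/decoder (written for the example) and builds synthetic certificates with an empty tbsCertificate, so only the outer signatureAlgorithm OID is meaningful; the OIDs themselves are the standard PKCS#1 ones. The second chain in the usage shows why the proxy's root being MD5-self-signed is irrelevant and only the algorithm it uses to sign issued certificates matters.

```python
"""Weak-signature-algorithm check over a certificate chain, modelled on the
policy in the Chromium change quoted in the issue: MD2/MD4 signatures are
fatal, MD5 signatures produce a warning, and the trust anchor's own
self-signature is not checked.  The DER handling is a minimal stand-alone
reimplementation written for this example (not Chromium's code), and the
certificates are constructed stand-ins whose tbsCertificate is empty."""

# PKCS#1 signature-algorithm OIDs (RFC 3279 / RFC 4055).
MD2_RSA = "1.2.840.113549.1.1.2"
MD4_RSA = "1.2.840.113549.1.1.3"
MD5_RSA = "1.2.840.113549.1.1.4"
SHA1_RSA = "1.2.840.113549.1.1.5"
SHA256_RSA = "1.2.840.113549.1.1.11"

FATAL = {MD2_RSA: "md2WithRSAEncryption", MD4_RSA: "md4WithRSAEncryption"}
WARN = {MD5_RSA: "md5WithRSAEncryption"}


def _der_len(n):
    # DER length octets: short form below 128, long form otherwise.
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    # First two arcs share one octet; remaining arcs are base-128, high bit set on all but the last.
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def parse_tlv(buf, pos=0):
    """Return (tag, contents, position after this element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def make_cert(sig_oid):
    """Constructed stand-in certificate: empty tbsCertificate, the given
    signatureAlgorithm, and an empty BIT STRING for signatureValue."""
    tbs = _tlv(0x30, b"")
    sig_alg = _tlv(0x30, encode_oid(sig_oid))   # AlgorithmIdentifier
    sig_val = _tlv(0x03, b"\x00")               # BIT STRING, 0 unused bits
    return _tlv(0x30, tbs + sig_alg + sig_val)


def signature_algorithm_oid(cert_der):
    """Extract the dotted OID from the outer Certificate.signatureAlgorithm."""
    tag, cert, _ = parse_tlv(cert_der)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _, pos = parse_tlv(cert, 0)              # skip tbsCertificate
    tag, alg, _ = parse_tlv(cert, pos)          # signatureAlgorithm
    assert tag == 0x30, "AlgorithmIdentifier must be a SEQUENCE"
    tag, oid_body, _ = parse_tlv(alg, 0)
    assert tag == 0x06, "algorithm must be an OID"
    return decode_oid(oid_body)


def check_chain(chain_der):
    """chain_der is leaf first, trust anchor last.  Returns (verdict, findings):
    verdict is "ok", "warn" or "fatal"; findings lists
    (depth, algorithm_name, severity) for each weakly signed certificate."""
    verdict, findings = "ok", []
    for depth, cert in enumerate(chain_der[:-1]):   # anchor's self-signature is skipped
        oid = signature_algorithm_oid(cert)
        if oid in FATAL:
            verdict = "fatal"
            findings.append((depth, FATAL[oid], "fatal"))
        elif oid in WARN:
            if verdict == "ok":
                verdict = "warn"
            findings.append((depth, WARN[oid], "warn"))
    return verdict, findings


if __name__ == "__main__":
    # The issue's scenario: a proxy root that still signs leaf certs with MD5.
    print(check_chain([make_cert(MD5_RSA), make_cert(SHA1_RSA)]))
    # An MD5 self-signature on the root alone does not trigger anything.
    print(check_chain([make_cert(SHA256_RSA), make_cert(MD5_RSA)]))
```

The verdict is computed over every certificate except the last because the anchor is trusted by virtue of being configured, not because of its signature; replacing the anchor with a freshly self-signed SHA-1 root while the proxy keeps issuing MD5 leaf certificates would still produce "warn".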

Comment 2 by mmenke@chromium.org, Dec 16 2011

Cc: rsleevi@chromium.org
Labels: -Area-Undefined Area-Internals Internals-Network-SSL

Comment 3 by agl@chromium.org, Dec 16 2011

Is there something special about your setup, i.e. a MITM proxy?

The patch certainly wasn't intended to break major sites and it doesn't cause problems for either https://www.google.com nor https://www.facebook.com for me.

If you click the padlock on the certificate error page, who does it say is signing the certificates for those sites?
Certs are by Microdasys Root CA so it may be a proxy issue.

Attachments: FacebookCert.JPG (26.1 KB), GoogleCert.JPG (25.8 KB)

Comment 5 by agl@chromium.org, Dec 16 2011

Owner: agl@chromium.org
Status: Assigned
Ok, I'll try and contact Microdasys - thanks for the report. (I assume that you're on a corporate machine as private root CAs shouldn't work unless they have been specifically configured.)

In the mean time, the dev channel should work to get you back online.

Comment 6 by agl@chromium.org, Dec 16 2011

Cc: -rsleevi@chromium.org palmer@chromium.org
Cc: rsleevi@chromium.org
agl: This does seem to be me, not palmer. Palmer's change would be ERR_CERT_WEAK_KEY, but this corresponds to ERR_CERT_WEAK_SIGNATURE_ALGORITHM.

Depending on how frequently we think this to appear, we could adopt a similar posture as some of the pinning errors - only make weak sig algs troublesome for certs chaining to an "OS root". But I'd like to avoid that, if possible, as the interstitial/error serves an evangelism purpose as much as a security purpose.

Comment 8 by wtc@chromium.org, Dec 16 2011

Yes, we should try to contact Microdasys first.  We have a lot of time before Chrome 18 arrives on the Beta channel.
Summary: Receiving error "Security certificate is signed using a weak signature algorithm" when using a corporate proxy

Comment 10 by agl@chromium.org, Dec 20 2011

I've received no reply from the email that I sent to Microdasys and all their listed phone number have been disconnected. I think it's a dead company so it's unlikely that we're going to get them to update anything.
Do we all agree that this error is true, that we should not special-case private root CAs for the weak key problem, and that since Microdasys appears to be dead, the bug reporter's company should get a new MITM proxy or try to set a new root cert that uses a modern signing algorithm?

If we do all agree, we should mark this bug WontFix (working as intended).

Comment 12 by agl@chromium.org, Dec 20 2011

Status: WontFix
palmer: I think that's probably the case, although I don't feel great about it. Nonetheless, I'd like to watch to see how big an impact it will have.

But, for now, I agree that it's probably a WontFix.

Comment 13 by wtc@chromium.org, Dec 20 2011

Labels: Mstone-18
palmer: marking this WontFix is fine by me.

Re: your comment 11: getting a new root CA cert won't help.  It is the signature algorithm used by the root CA that matters.

blaquewraith: can you find out if the Microdasys proxy can be configured to sign certificates using SHA-1 instead of MD5?

Comment 14 by agl@chromium.org, Dec 21 2011

Microdasys actually got back to me (it seems that they aren't completely dead after all) and reported that they'll be updating their product to sign with SHA-1.
Apologies for the delay in replying; I was away over the holidays.

Thanks for investigation, will stick with build 5638 until we get an update for the proxy.

Comment 16 by Deleted ...@, Apr 21 2012

RSA-MD2 is not weak when the key length is long enough.  This is a bogus message; the debate on whether to use DSA vs RSA is moot.  Please remove this warning, it is next to useless unless the RSA key is too short, and there is little chance of that these days.

Comment 17 by Deleted ...@, Jun 12 2012

My name is Claudette Moran, and this same exact problem occurred on my Google Chrome as well! :( I am NOT able to log into my gmail, hotmail, or Facebook accounts in any way, shape or form! :( Since my sister is the one that is paying for the internet service of Clearwire from her laptop, she claims that there is NOTHING WRONG with the PC my mother and I use, which is separate from her laptop. I have limited time to check the SSL certificate, much less remove and put back Google Chrome as a separate icon to use. Every time that I clicked on the red padlock, it states that the SSL certificate is fine. It states that it's an scha5. What do I need to do to change this, as I am NOT a computer programmer. My younger brother is, but he has no time whatsoever to change the SSL/HTTPS certificate. PLEASE HELP!

Comment 18 by agl@chromium.org, Jun 12 2012

claudettemoran: it sounds unlikely that you're using a corporate proxy at home.

This is more likely to be the fault of firewall/anti-virus software that's trying to intercept HTTPS traffic. If you go to https://mail.google.com and click the padlock, the top of the dialog should say "The identity of this website has been verified by ...". The name that follows might give a hint about which software is causing the problem.

Otherwise, try configuring any anti-virus or firewall software not to scan within HTTPS connections.

Comment 19 by Deleted ...@, Jun 12 2012

Thank you. I will try that. No, I am at the library, so  I was able to log on to my gmail account there. Thanks.

Comment 20 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 21 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Area-Internals -Internals-Network-SSL -Mstone-18 Cr-Internals-Network-SSL M-18 Cr-Internals

Comment 22 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue