
Issue 401365 link

Starred by 43 users

Issue metadata

Status: Fixed
Owner:
Closed: Oct 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug
Launch-Security: Yes

Blocked on:
issue 418321




Deprecate SHA-1 for certificates

Project Member Reported by rsleevi@chromium.org, Aug 7 2014

Issue description

SHA-1 is "broken", and needs to be deprecated.
CAs need to transition to stronger algorithms, such as SHA-2.
Microsoft will be disabling SHA-1 on 1/1/2017 ( https://technet.microsoft.com/en-us/library/security/2880823.aspx )

However, if CAs fail to transition to SHA-2, it may be difficult to disable SHA-1 on that date, especially if it will break large portions of the Internet (since they have not adopted). This was very true for MD5, which continued to be in widespread use by CAs, despite being provably broken (collisions), and despite YEARS of warning. It was not until Chrome and Safari outright disabled MD5 that progress began to be made.

Attempts at placing hard requirements on the validity period of SHA-1 certificates have stalled in the CA/Browser Forum, for a variety of reasons not worth discussing on this bug.

To help prepare site operators for a transition away from SHA-1, and to help encourage CAs to transition to SHA-2, we should not show secure UI indicators for SHA-1 certificates that extend beyond 1/1/2017.

CAs will still be able to issue SHA-1 certificates, but must set the cert expiration (notAfter) to be on-or-before 1/1/2017, ensuring the certificate MUST be rotated before that sunset date.
 
Cc: agl@chromium.org
Alternative proposal:
REJECT certs if they're valid beyond 1/1/2017 and signed with SHA-1
WARN for certs if they expire between 1/1/2016 and 1/1/2017 and signed with SHA-1

Effectively, this sets the "soft" transition (e.g. degraded UI indicators) at 1/1/2016, and forces the "hard" transition at 1/1/2017

Note that 1/1/2017 is more of an upper-bound; we certainly can be more aggressive/proactive on this, and set it lower, as part of Chrome's cryptographic policies and what it views as acceptable security for the Internet.

Comment 2 by mkwst@google.com, Aug 7 2014

If you can pipe this down to Blink (or we move mixed content checking up the stack), we should also treat subresources protected by such certificates as insecure.
It'd be exposed on the CertStatus of the request, which is available on the Browser side, and is at least piped *through* Blink (AIUI) in order to handle Frame-level inspection

See https://code.google.com/p/chromium/codesearch#chromium/src/content/common/ssl_status_serialization.h&l=16

Comment 5 by bay...@gmail.com, Aug 7 2014

"Microsoft will be disabling SHA-1 on 1/1/2017 ( https://technet.microsoft.com/en-us/library/security/2880823.aspx )" 

Where's this from? The TechNet article in question says CAs must stop using SHA-1 to sign certificates by "January 1, 2016".
http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx

1/1/2016 is when CAs need to stop _issuing_ such certs
1/1/2017 is when Microsoft will _reject_ such certs.
RE comment #1, see https://bugzilla.mozilla.org/show_bug.cgi?id=942515 which gives some insight into what Gerv and others at Mozilla think about the idea of rejecting such certificates. IIRC from when I was there, others were supportive of the idea but hesitant to go first.

Comment 8 by agl@chromium.org, Aug 7 2014

I'm happy with #1, but it'll probably break certs immediately, right?

Are intermediates exempted on the basis that they are issued infrequently enough that an attacker couldn't hope to do a collision attack against them?
agl: Option1 is the least intrusive
SHA-1 (end-entity) certs >= 1/1/2017 = UI downgrade (like we do for intranet sites from public CAs), and treated as Mixed Content (Comment #2). MCB can still be bypassed by user gesture.

Option 2 (from comment #1) is the hard-fail solution.
SHA-1 (end-entity) certs >= 1/1/2017 = blocked (bypassable interstitial)
SHA-1 (end-entity) certs >= 1/1/2016 = UI downgrade (like we do for intranet sites from public CAs) but *NOT* treated as mixed content, since this is still in the grace window/sunset period

Comment 10 by f...@chromium.org, Aug 8 2014

what fraction of https page loads (or unique certs) that we see right now use sha-1?
Note: This would only affect such certs that are valid *after* 1/1/2016 (or 1/1/2017). Option 1 would be a nuisance, and leave it to Microsoft to make the hard call. Option 2 would mostly be a nuisance only for sites that use long-lived certs; they could alternatively get shorter-lived certs from their CA, which will force them to be prepared for the change.

So we're not talking about all sites, but a specific fraction of sites.

Comment 12 by f...@chromium.org, Aug 8 2014

sure, a specific fraction of sites. but are we talking 30% of sites? 3% of sites? 0.03% of sites?
From a data set from July 30, 2013, based on the Google Certificate Transparency database (I just haven't bothered resyncing, if agl wants to dump a data file my way)

Total number of certs: 2,416,294

233,944 certificates observed valid after 2016/1/1 = 9.6%
99,998 certificates observed valid after 2017/1/1 = 4.13%

But that's an older data set. We know CAs' security generally only gets worse, not better, and we know there's been strong opposition towards moving off SHA-1, so it's reasonable to expect the number of certs valid after 2017/1/1 (even though they will not function after that date) to have increased, especially with three-year certs (and even though the Baseline Requirements discourage SHA-1)

We also know that Heartbleed caused a large number of revocations, and many of the re-issued certs were SHA-256. So that's a path in the different direction.

Note that the CT database doesn't distinguish revoked certs, so this is not a true representative sample of 'live' certs, so much as 'certs that exist'.

Comment 14 by f...@chromium.org, Aug 8 2014

Given that this is potentially a fairly large number of sites: my vote is Option 1 for a few releases, then Option 2.
felt: And for color/clarification, is that
Option 1.1 = UI badging only, but not treated as mixed content
Option 1.2 = UI badging, subresources are treated as mixed content

Comment 16 by f...@chromium.org, Aug 8 2014

1.2
Labels: M-39
Owner: rsleevi@chromium.org
Status: Assigned
agl pointed out how to resync the CT DB.

From today:
Total number of Certs: 4,773,575

669,466 certificates observed valid after 2016/1/1 = 14.0%
296,726 certificates observed valid after 2017/1/1 = 6.2%

Since the numbers are certainly trending the wrong way (SHA-1 is deprecated, y'all!), I'm taking this for M39.
So, I'm on board with 1.2, but I feel like there should still be disincentives towards the 2016/1/1+ date. After that date, no CA should be issuing such certs (according to MSFT's policy)

What's the reaction towards:
notAfter > 2017/1/1 - UI badging (no interstitial), mixed content warning
notAfter > 2016/1/1 & < 2017/1/1 - UI badging (no interstitial), no mixed content warning
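As an added example (not Chromium's code), the sunset rule proposed in this comment applied to a whole chain, the way the later "Detect SHA-1 when it appears in certificate chains" change treats intermediates as well as the end-entity cert. The chain ordering (leaf first, trust anchor last, anchor self-signature not verified), the OpenSSL-style algorithm names, the 00:00 UTC reading of "1/1/2017" and all sample chains are my assumptions or constructed data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum

# Signature algorithm names in the form OpenSSL prints them (constructed set for
# this example; a real verifier would compare OIDs).
SHA1_SIGNATURE_ALGORITHMS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1", "dsaWithSHA1"}

# Sunset dates from the thread: "soft" transition 2016-01-01, "hard" one 2017-01-01.
# Assumption: "valid beyond 1/1/2017" means notAfter later than 00:00 UTC that day.
SOFT_SUNSET = datetime(2016, 1, 1, tzinfo=timezone.utc)
HARD_SUNSET = datetime(2017, 1, 1, tzinfo=timezone.utc)


class Sha1Status(Enum):
    NONE = "no SHA-1 in the verified chain, or it rotates inside the grace window"
    UI_DOWNGRADE = "UI badging only: notAfter after 2016-01-01 and on or before 2017-01-01"
    UI_DOWNGRADE_MIXED = "UI badging, subresources treated as mixed content: notAfter after 2017-01-01"


@dataclass(frozen=True)
class ChainCert:
    subject: str
    signature_algorithm: str
    not_after: datetime


def make_cert(subject, signature_algorithm, year, month, day):
    """Construct a sample ChainCert expiring at 00:00 UTC on the given day."""
    return ChainCert(subject, signature_algorithm,
                     datetime(year, month, day, tzinfo=timezone.utc))


def sha1_in_chain(chain):
    """True if any certificate whose signature is actually verified is SHA-1 signed.

    Assumed ordering: chain[0] is the leaf, chain[-1] the trust anchor. The anchor's
    self-signature is never verified, so it is skipped; intermediates do count, which
    answers comment 8's question the way the later chain-detection commit does.
    """
    return any(c.signature_algorithm in SHA1_SIGNATURE_ALGORITHMS for c in chain[:-1])


def classify(chain):
    """Apply the thread's final proposal to a chain and return the UI treatment."""
    if not chain or not sha1_in_chain(chain):
        return Sha1Status.NONE
    not_after = chain[0].not_after          # the leaf's expiry decides the window
    if not_after > HARD_SUNSET:
        return Sha1Status.UI_DOWNGRADE_MIXED
    if not_after > SOFT_SUNSET:
        return Sha1Status.UI_DOWNGRADE
    return Sha1Status.NONE                  # rotates before the sunset: still acceptable


# Constructed sample chains (not real certificates). The root is SHA-1 signed on
# purpose, to show that the anchor's own signature does not trigger the policy.
ROOT = make_cert("Example Root CA", "sha1WithRSAEncryption", 2030, 1, 1)
SHA256_INTERMEDIATE = make_cert("Example Intermediate G2", "sha256WithRSAEncryption", 2025, 1, 1)
SHA1_INTERMEDIATE = make_cert("Example Intermediate G1", "sha1WithRSAEncryption", 2025, 1, 1)

SAMPLE_CHAINS = {
    "sha256 leaf under sha256 intermediate":
        [make_cert("www.example.test", "sha256WithRSAEncryption", 2018, 6, 1), SHA256_INTERMEDIATE, ROOT],
    "sha1 leaf rotated before 2016":
        [make_cert("old.example.test", "sha1WithRSAEncryption", 2015, 12, 31), SHA256_INTERMEDIATE, ROOT],
    "sha1 leaf expiring exactly on 2017-01-01":
        [make_cert("edge.example.test", "sha1WithRSAEncryption", 2017, 1, 1), SHA256_INTERMEDIATE, ROOT],
    "sha1 leaf valid into 2017":
        [make_cert("late.example.test", "sha1WithRSAEncryption", 2017, 6, 1), SHA256_INTERMEDIATE, ROOT],
    "sha256 leaf under sha1 intermediate":
        [make_cert("mixed.example.test", "sha256WithRSAEncryption", 2018, 1, 1), SHA1_INTERMEDIATE, ROOT],
}


def summarize(chains=SAMPLE_CHAINS):
    """Map each chain name to the name of its Sha1Status."""
    return {name: classify(chain).name for name, chain in chains.items()}


if __name__ == "__main__":
    for name, status in summarize().items():
        print(f"{name}: {status}")
```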

Comment 19 by f...@chromium.org, Aug 13 2014

sgtm
For posterity/evangelism/scope of impact:

>2016, with >2000 certs (multiple CAs combined)
GoDaddy: 116,568
Geotrust: 110,254
GlobalSign nv-sa: 99,424
Comodo: 72,395
Verisign: 61,542
Thawte: 31,592
TERENA: 24,535
Digicert: 22,448
Internet2: 18,561
Network Solutions: 16,377
Entrust: 14,455
AlphaSSL: 6,831
Geotrust: 6,491
StartCom: 5,984
Trustwave: 3,566
Gandi: 2,209
SECOM: 2,710

Total: 615,942 out of 669,466 certs (i.e.: 92% of the total certs are just these CAs)

>2017, with >2000 certs (multiple CAs combined)
GlobalSign nv-sa: 75,312
GoDaddy: 41,606
GeoTrust: 40,429
Comodo: 37,789
Verisign: 34,927
Terena: 9,444
Thawte: 8,735
Internet2: 8,637
Network Solutions: 8,077
Entrust: 5,542
AlphaSSL: 3,458

Total: 273,956 out of 296,726 certs (i.e.: 92% of the total certs are just these CAs)
@felt: How do you feel about this text (shown in the Connection 'Identity' panel)

(compare with other entries at https://code.google.com/p/chromium/codesearch#chromium/src/chrome/app/generated_resources.grd&l=9160 )

"The certificate is signed with a weak signature algorithm and can be used longer than it is safe to use."

(I'm a bit hung up on dangling participles and phrasing, nor am I convinced this is the right UI to surface)

Alternatively, if we think specificity is too much:

"This site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it."

or even more definitively:

"This site uses an unsafe security configuration that will prevent it from working in future versions of Chrome."

Thoughts? Suggestions?

(I'm trying to keep this as small as possible to the page info bubble)

Comment 22 by f...@chromium.org, Aug 14 2014

Blar, these are hard strings to write. A non-technical user isn't going to get anything out of these no matter how we phrase it, and a technical user doesn't get enough information. 

With that being said, I like the phrase "outdated security settings" so let's pick the middle one:

"This site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it."
I'd suggest contacting common SSL audit tools like Qualys SSL Labs early enough to implement the same rules well before the Blink/Chromium/Chrome release is rolled out in the stable releases, so people have a chance to check their certificates before real problems are induced.
Cc: sidv@chromium.org cbentzel@chromium.org

Comment 25 by bugdroid1@chromium.org, Aug 28 2014

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/053572d7d43966279054af8c521f4febd51330b4

commit 053572d7d43966279054af8c521f4febd51330b4
Author: rsleevi <rsleevi@chromium.org>
Date: Thu Aug 28 22:46:51 2014

Update the test OCSP server to use SHA-256 for the generated test server certificate

BUG= 401365 

Review URL: https://codereview.chromium.org/514083002

Cr-Commit-Position: refs/heads/master@{#292484}

[modify] https://chromium.googlesource.com/chromium/src.git/+/053572d7d43966279054af8c521f4febd51330b4/net/tools/testserver/minica.py


Comment 26 by bugdroid1@chromium.org, Sep 23 2014

------------------------------------------------------------------
r292099 | rsleevi@chromium.org | 2014-09-23T22:03:24.712761Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/nss/nss/exports_win.def?r1=292099&r2=292098&pathrev=292099

Export CERT_VerifySignedDataWithPublicKeyInfo from NSS on Windows

BUG= 401365 
R=davidben@chromium.org

Review URL: https://codereview.chromium.org/598753002
-----------------------------------------------------------------

Comment 27 by bugdroid1@chromium.org, Sep 24 2014

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/32a676f1493cfaae80b85edf21936d0efc3c4e6a

commit 32a676f1493cfaae80b85edf21936d0efc3c4e6a
Author: rsleevi <rsleevi@chromium.org>
Date: Wed Sep 24 01:06:06 2014

Update NSS

This includes the following changes:
https://chromium.googlesource.com/chromium/deps/nss/+/b37fb0be291ca6b0238476fcebe54bae77baf2aa
        Export CERT_VerifySignedDataWithPublicKeyInfo from NSS on Windows

BUG= 401365 
R=davidben@chromium.org

Review URL: https://codereview.chromium.org/590413004

Cr-Commit-Position: refs/heads/master@{#296320}

[modify] https://chromium.googlesource.com/chromium/src.git/+/32a676f1493cfaae80b85edf21936d0efc3c4e6a/DEPS


Comment 28 by bugdroid1@chromium.org, Sep 24 2014

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/25e2bc0a95354727342757ba71582bf4de638fe8

commit 25e2bc0a95354727342757ba71582bf4de638fe8
Author: rsleevi <rsleevi@chromium.org>
Date: Wed Sep 24 03:12:55 2014

Use sidestep to detour CertVerifyCertificateSignatureEx on Windows versions earlier than Vista (excluding XP SP3), adding in SHA-256 support by deferring to NSS.

The canonical path to supporting SHA-256 is to install XP SP3 or the appropriate hotfixes for XP x64 / Windows Server 2003. However, as not all users may do so, and there's enough of a usability hurdle, provide an interception hook until we fully drop support for these systems.

XP is already outside of MSFT EOL (April 2014). Windows Server 2003 is EOL'd July 2015.

BUG= 401365 

Review URL: https://codereview.chromium.org/561613002

Cr-Commit-Position: refs/heads/master@{#296335}

[modify] https://chromium.googlesource.com/chromium/src.git/+/25e2bc0a95354727342757ba71582bf4de638fe8/content/browser/browser_main_runner.cc
[add] https://chromium.googlesource.com/chromium/src.git/+/25e2bc0a95354727342757ba71582bf4de638fe8/net/cert/sha256_legacy_support_win.cc
[add] https://chromium.googlesource.com/chromium/src.git/+/25e2bc0a95354727342757ba71582bf4de638fe8/net/cert/sha256_legacy_support_win.h
[add] https://chromium.googlesource.com/chromium/src.git/+/25e2bc0a95354727342757ba71582bf4de638fe8/net/cert/sha256_legacy_support_win_unittest.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/25e2bc0a95354727342757ba71582bf4de638fe8/net/data/ssl/certificates/README
[add] https://chromium.googlesource.com/chromium/src.git/+/25e2bc0a95354727342757ba71582bf4de638fe8/net/data/ssl/certificates/sha256.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/25e2bc0a95354727342757ba71582bf4de638fe8/net/net.gypi


Comment 29 by bugdroid1@chromium.org, Sep 26 2014

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/04b34e02245194b01c08cd5cfb350378797e8681

commit 04b34e02245194b01c08cd5cfb350378797e8681
Author: rsleevi <rsleevi@chromium.org>
Date: Fri Sep 26 22:02:53 2014

Update test cert generation scripts to use SHA-256 by default

This cleans up the README file to clearly indicate which certificates are real world certificates, which are generated by hand / by other sources, and which are generated via script (and which script).

Additionally, several test certificates that were previously generated by hand and several test CRLSets that were hardcoded are now generated automatically by the scripts.

BUG= 401365 

Review URL: https://codereview.chromium.org/515583004

Cr-Commit-Position: refs/heads/master@{#297047}

[modify] https://chromium.googlesource.com/chromium/src.git/+/04b34e02245194b01c08cd5cfb350378797e8681/net/data/ssl/certificates/README
[modify] https://chromium.googlesource.com/chromium/src.git/+/04b34e02245194b01c08cd5cfb350378797e8681/net/data/ssl/scripts/aia-test.cnf
[modify] https://chromium.googlesource.com/chromium/src.git/+/04b34e02245194b01c08cd5cfb350378797e8681/net/data/ssl/scripts/ca.cnf
[modify] https://chromium.googlesource.com/chromium/src.git/+/04b34e02245194b01c08cd5cfb350378797e8681/net/data/ssl/scripts/client-certs.cnf
[modify] https://chromium.googlesource.com/chromium/src.git/+/04b34e02245194b01c08cd5cfb350378797e8681/net/data/ssl/scripts/ee.cnf
[modify] https://chromium.googlesource.com/chromium/src.git/+/04b34e02245194b01c08cd5cfb350378797e8681/net/data/ssl/scripts/eku-test.cnf
[modify] https://chromium.googlesource.com/chromium/src.git/+/04b34e02245194b01c08cd5cfb350378797e8681/net/data/ssl/scripts/generate-test-certs.sh
[modify] https://chromium.googlesource.com/chromium/src.git/+/04b34e02245194b01c08cd5cfb350378797e8681/net/data/ssl/scripts/policy.cnf
[modify] https://chromium.googlesource.com/chromium/src.git/+/04b34e02245194b01c08cd5cfb350378797e8681/net/data/ssl/scripts/redundant-ca.cnf


Comment 30 by bugdroid1@chromium.org, Sep 26 2014

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827

commit 80daaf71e46826d627cbf97fe28ce50ceb46a827
Author: rsleevi <rsleevi@chromium.org>
Date: Fri Sep 26 22:49:06 2014

Regenerate the long-lived test certificates to use SHA-256

BUG= 401365 

Review URL: https://codereview.chromium.org/515813002

Cr-Commit-Position: refs/heads/master@{#297061}

[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/chrome/common/net/x509_certificate_model_unittest.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/cert/cert_verify_proc.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/cert/cert_verify_proc_unittest.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/cert/nss_cert_database_unittest.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/1024-rsa-ee-by-1024-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/1024-rsa-ee-by-2048-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/1024-rsa-ee-by-768-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/1024-rsa-ee-by-prime256v1-ecdsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/1024-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/2048-rsa-ee-by-1024-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/2048-rsa-ee-by-2048-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/2048-rsa-ee-by-768-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/2048-rsa-ee-by-prime256v1-ecdsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/2048-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/2048-rsa-root.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/768-rsa-ee-by-1024-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/768-rsa-ee-by-2048-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/768-rsa-ee-by-768-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/768-rsa-ee-by-prime256v1-ecdsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/768-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/aia-cert.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/aia-intermediate.der
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/aia-root.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/client_1.key
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/client_1.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/client_1.pk8
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/client_1_ca.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/client_2.key
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/client_2.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/client_2.pk8
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/client_2_ca.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/crit-codeSigning-chain.pem
[add] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/crlset_by_intermediate_serial.raw
[add] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/crlset_by_leaf_spki.raw
[add] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/crlset_by_root_serial.raw
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/duplicate_cn_1.p12
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/duplicate_cn_1.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/duplicate_cn_2.p12
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/duplicate_cn_2.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/eku-test-root.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/expired_cert.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/explicit-policy-chain.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/multi-root-chain1.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/multi-root-chain2.pem
[delete] https://chromium.googlesource.com/chromium/src.git/+/267aeeb8d85c8503a7fd12bd14654b8ea78d3974/net/data/ssl/certificates/name_constraint_bad.crt
[add] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/name_constraint_bad.pem
[add] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/name_constraint_good.pem
[delete] https://chromium.googlesource.com/chromium/src.git/+/267aeeb8d85c8503a7fd12bd14654b8ea78d3974/net/data/ssl/certificates/name_constraint_ok.crt
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/non-crit-codeSigning-chain.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/ok_cert.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/prime256v1-ecdsa-ee-by-1024-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/prime256v1-ecdsa-ee-by-2048-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/prime256v1-ecdsa-ee-by-768-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/prime256v1-ecdsa-ee-by-prime256v1-ecdsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/prime256v1-ecdsa-intermediate.pem
[delete] https://chromium.googlesource.com/chromium/src.git/+/267aeeb8d85c8503a7fd12bd14654b8ea78d3974/net/data/ssl/certificates/punycodetest.der
[add] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/punycodetest.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/redundant-server-chain.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/redundant-validated-chain-root.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/redundant-validated-chain.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/root_ca_cert.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/spdy_pooling.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/ssl/certificates/subjectAltName_sanity_check.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/url_request_unittest/hpkp-headers.html.mock-http-headers
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/url_request_unittest/hsts-and-hpkp-headers.html.mock-http-headers
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/data/url_request_unittest/hsts-and-hpkp-headers2.html.mock-http-headers
[modify] https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827/net/http/disk_based_cert_cache_unittest.cc

Blockedon: chromium:418321

Comment 32 by bugdroid1@chromium.org, Sep 29 2014

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b92e6f5c2a5271850a39afa1254d41ccc34ec5e6

commit b92e6f5c2a5271850a39afa1254d41ccc34ec5e6
Author: rsleevi <rsleevi@chromium.org>
Date: Mon Sep 29 23:48:04 2014

Detect SHA-1 when it appears in certificate chains

BUG= 401365 

Review URL: https://codereview.chromium.org/509273002

Cr-Commit-Position: refs/heads/master@{#297307}

[modify] https://chromium.googlesource.com/chromium/src.git/+/b92e6f5c2a5271850a39afa1254d41ccc34ec5e6/net/cert/cert_verify_proc_android.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/b92e6f5c2a5271850a39afa1254d41ccc34ec5e6/net/cert/cert_verify_proc_mac.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/b92e6f5c2a5271850a39afa1254d41ccc34ec5e6/net/cert/cert_verify_proc_nss.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/b92e6f5c2a5271850a39afa1254d41ccc34ec5e6/net/cert/cert_verify_proc_openssl.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/b92e6f5c2a5271850a39afa1254d41ccc34ec5e6/net/cert/cert_verify_proc_unittest.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/b92e6f5c2a5271850a39afa1254d41ccc34ec5e6/net/cert/cert_verify_proc_win.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/b92e6f5c2a5271850a39afa1254d41ccc34ec5e6/net/cert/cert_verify_result.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/b92e6f5c2a5271850a39afa1254d41ccc34ec5e6/net/cert/cert_verify_result.h


Comment 33 by bugdroid1@chromium.org, Sep 30 2014

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4f80127285b5be9265ad96ce9b118e414107815a

commit 4f80127285b5be9265ad96ce9b118e414107815a
Author: rsleevi <rsleevi@chromium.org>
Date: Tue Sep 30 01:28:01 2014

Mark SHA-1 as deprecated

BUG= 401365 

Review URL: https://codereview.chromium.org/508823009

Cr-Commit-Position: refs/heads/master@{#297331}

[modify] https://chromium.googlesource.com/chromium/src.git/+/4f80127285b5be9265ad96ce9b118e414107815a/build/ios/grit_whitelist.txt
[modify] https://chromium.googlesource.com/chromium/src.git/+/4f80127285b5be9265ad96ce9b118e414107815a/chrome/app/chromium_strings.grd
[modify] https://chromium.googlesource.com/chromium/src.git/+/4f80127285b5be9265ad96ce9b118e414107815a/chrome/app/google_chrome_strings.grd
[modify] https://chromium.googlesource.com/chromium/src.git/+/4f80127285b5be9265ad96ce9b118e414107815a/chrome/browser/ssl/ssl_error_info.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/4f80127285b5be9265ad96ce9b118e414107815a/chrome/browser/ui/toolbar/toolbar_model_impl.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/4f80127285b5be9265ad96ce9b118e414107815a/chrome/browser/ui/website_settings/website_settings.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/4f80127285b5be9265ad96ce9b118e414107815a/chrome/browser/ui/website_settings/website_settings.h
[modify] https://chromium.googlesource.com/chromium/src.git/+/4f80127285b5be9265ad96ce9b118e414107815a/chrome/browser/ui/website_settings/website_settings_ui.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/4f80127285b5be9265ad96ce9b118e414107815a/content/browser/loader/resource_dispatcher_host_impl.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/4f80127285b5be9265ad96ce9b118e414107815a/net/cert/cert_status_flags_list.h
[modify] https://chromium.googlesource.com/chromium/src.git/+/4f80127285b5be9265ad96ce9b118e414107815a/net/cert/cert_verify_proc.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/4f80127285b5be9265ad96ce9b118e414107815a/net/cert/cert_verify_proc_unittest.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/4f80127285b5be9265ad96ce9b118e414107815a/tools/metrics/histograms/histograms.xml

Labels: M-38 Merge-Requested
Matthew requested I set the "Merge-Requested" flag on this bug for M-38.

However, all that is being merged to M38 is https://chromium.googlesource.com/chromium/src.git/+/25e2bc0a95354727342757ba71582bf4de638fe8

Comment 35 by amin...@google.com, Sep 30 2014

Labels: merge-questions-applied

Please note that all merge requests must have been on or rolled into trunk
for at least 24 hours to be considered for merging (to ensure full bot
coverage and give an opportunity for any necessary reverts to occur).

To help facilitate this request, if you could please answer the following:
--------------------------------------------------------------------------
1) Has this change been on trunk for at least 24 hours?

2) Has this change shipped to at least one canary release (where applicable)?

3) Has anyone verified that these changes resolve the issue and cause no new
   crashes (via chromecrash/) or regressions?

4) Why is this necessary for this milestone?

Thanks!

(this message is auto-generated each time the merge-request label is
applied; if you have previously answered these questions kindly disregard)

Labels: -Merge-Requested Merge-Approved

Comment 37 by bugdroid1@chromium.org, Sep 30 2014

Labels: -Merge-Approved merge-merged-2125
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3058e7f95e4adb3f189c7239c5eab2f8639a26e0

commit 3058e7f95e4adb3f189c7239c5eab2f8639a26e0
Author: Ryan Sleevi <rsleevi@chromium.org>
Date: Tue Sep 30 18:26:38 2014

Use sidestep to detour CertVerifyCertificateSignatureEx on Windows versions earlier than Vista (excluding XP SP3), adding in SHA-256 support by deferring to NSS.

The canonical path to supporting SHA-256 is to install XP SP3 or the appropriate hotfixes for XP x64 / Windows Server 2003. However, as not all users may do so, and there's enough of a usability hurdle, provide an interception hook until we fully drop support for these systems.

XP is already outside of MSFT EOL (April 2014). Windows Server 2003 is EOL'd July 2015.

BUG= 401365 

Review URL: https://codereview.chromium.org/561613002

Cr-Commit-Position: refs/heads/master@{#296335}
(cherry picked from commit 25e2bc0a95354727342757ba71582bf4de638fe8)

TBR=jam,davidben

Review URL: https://codereview.chromium.org/616103002

Cr-Commit-Position: refs/branch-heads/2125@{#534}
Cr-Branched-From: b68026d94bda36dd106a3d91a098719f952a9477-refs/heads/master@{#290040}

[modify] https://chromium.googlesource.com/chromium/src.git/+/3058e7f95e4adb3f189c7239c5eab2f8639a26e0/content/browser/browser_main_runner.cc
[add] https://chromium.googlesource.com/chromium/src.git/+/3058e7f95e4adb3f189c7239c5eab2f8639a26e0/net/cert/sha256_legacy_support_win.cc
[add] https://chromium.googlesource.com/chromium/src.git/+/3058e7f95e4adb3f189c7239c5eab2f8639a26e0/net/cert/sha256_legacy_support_win.h
[add] https://chromium.googlesource.com/chromium/src.git/+/3058e7f95e4adb3f189c7239c5eab2f8639a26e0/net/cert/sha256_legacy_support_win_unittest.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/3058e7f95e4adb3f189c7239c5eab2f8639a26e0/net/data/ssl/certificates/README
[add] https://chromium.googlesource.com/chromium/src.git/+/3058e7f95e4adb3f189c7239c5eab2f8639a26e0/net/data/ssl/certificates/sha256.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/3058e7f95e4adb3f189c7239c5eab2f8639a26e0/net/net.gypi

Labels: -M-38
Removing M-38 label so Alex doesn't get confused.

There IS a Merge-Request for M39:

To help facilitate this request, if you could please answer the following:
--------------------------------------------------------------------------
1) Has this change been on trunk for at least 24 hours?

Not yet.

The changes in particular being requested are:
https://chromium.googlesource.com/chromium/src.git/+/80daaf71e46826d627cbf97fe28ce50ceb46a827 (per Comment #30, this was 1 release after the branch point)
  - This change is purely an update to unit test data files

https://chromium.googlesource.com/chromium/src.git/+/b92e6f5c2a5271850a39afa1254d41ccc34ec5e6 (per comment #32)
  - This expands our already existing MD2, MD4, and MD5 detection to also report SHA-1. No action or code branches are taken in this CL, beyond the existing data gathering.

https://chromium.googlesource.com/chromium/src.git/+/4f80127285b5be9265ad96ce9b118e414107815a (per Comment #33)
  - This introduces the new UI and a single string. It is wholly Finch controlled.

2) Has this change shipped to at least one canary release (where applicable)?

No

3) Has anyone verified that these changes resolve the issue and cause no new
   crashes (via chromecrash/) or regressions?

Verified: Yes
Crashes: No data yet, but the new code branches/behaviours are gated behind Finch

4) Why is this necessary for this milestone?

See discussion.
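The second CL in the list above extends the existing MD2/MD4/MD5 detection to also report SHA-1 for each certificate in a verified chain. The following is an added illustration of that kind of check, not Chromium code: it walks the outer Certificate SEQUENCE of each DER-encoded cert, reads the signatureAlgorithm OID and flags MD2, MD4, MD5 and SHA-1 without taking any other action, which is the same data-gathering-only posture the comment describes. Names such as audit_chain, signature_algorithm_oid and fake_certificate are this example's own; the sample chain is constructed in the block (certificate-shaped DER with a placeholder tbsCertificate and dummy signature bytes) so it runs offline without a real CA. Whether a self-signed root's own signature should count is a policy choice; this example reports on every certificate it is handed and leaves that decision to the caller.

```python
"""Report weak signature hashes (MD2/MD4/MD5/SHA-1) across an X.509 chain.

Added example, not Chromium's implementation.  Only the outer Certificate
structure is parsed: Certificate ::= SEQUENCE { tbsCertificate,
signatureAlgorithm AlgorithmIdentifier, signatureValue BIT STRING }.
"""
import base64
import re

# Signature algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", "MD2"),
    "1.2.840.113549.1.1.3": ("md4WithRSAEncryption", "MD4"),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-384"),
}
WEAK_HASHES = {"MD2", "MD4", "MD5", "SHA-1"}

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the DER TLV at pos.

    Single-byte tags only, which is all the outer X.509 structure uses;
    both short and long definite-length forms are handled."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: N length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content bytes to dotted form (first arc < 2)."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Return the OID from the outer Certificate.signatureAlgorithm field."""
    tag, start, _ = _read_tlv(cert_der, 0)             # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(cert_der, start)         # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(cert_der, tbs_end)   # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(cert_der[oid_start:oid_end])


def audit_chain(chain_der):
    """Return (has_weak_hash, [(index, algorithm name, digest name)]).

    Pure reporting: nothing is rejected here, mirroring the CL described
    above, which only extends data gathering."""
    report, has_weak = [], False
    for i, der in enumerate(chain_der):
        oid = signature_algorithm_oid(der)
        name, digest = SIG_ALG_OIDS.get(oid, (oid, "unknown"))
        report.append((i, name, digest))
        has_weak = has_weak or digest in WEAK_HASHES
    return has_weak, report


def pem_to_der_list(pem_text):
    """Split a PEM bundle into a list of DER certificates, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]


def to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


# --- CONSTRUCTED sample data (not real certificates) ---------------------
def _der(tag, content):
    """Encode one DER TLV with a short or long definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_certificate(sig_oid):
    """Certificate-shaped DER with a placeholder tbsCertificate and dummy
    signature; enough for the outer-structure parser, NOT a valid cert."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\xAA" * 128)   # forces long-form lengths
    return _der(0x30, tbs + alg + sig)


SAMPLE_CHAIN = [                                  # constructed: leaf, intermediate, root
    fake_certificate("1.2.840.113549.1.1.11"),    # SHA-256 leaf
    fake_certificate("1.2.840.113549.1.1.5"),     # SHA-1 intermediate
    fake_certificate("1.2.840.113549.1.1.5"),     # SHA-1 root
]

if __name__ == "__main__":
    weak, rows = audit_chain(pem_to_der_list("".join(map(to_pem, SAMPLE_CHAIN))))
    for idx, name, digest in rows:
        print(f"cert[{idx}]: {name} ({digest})")
    print("weak hash present in chain:", weak)
```

On the constructed chain the report lists SHA-256 for the leaf and SHA-1 for the two issuing certificates, and the chain-level flag is true; a chain signed throughout with SHA-256 or an ECDSA/SHA-2 algorithm yields no flag. Real PEM bundles can be fed through pem_to_der_list unchanged, since the parser only depends on the standard outer Certificate layout.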
Labels: Launch-Security-Yes
Merge approved for M39 branch 2171
Labels: Merge-Approved
Project Member

Comment 42 by bugdroid1@chromium.org, Oct 2 2014

Labels: -Merge-Approved merge-merged-2171
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17

commit e464e51b9e68ca6f63901b28cedccec943435f17
Author: Ryan Sleevi <rsleevi@chromium.org>
Date: Thu Oct 02 00:43:39 2014

Regenerate the long-lived test certificates to use SHA-256

BUG= 401365 
TBR=mattm

Review URL: https://codereview.chromium.org/515813002

Cr-Commit-Position: refs/heads/master@{#297061}
(cherry picked from commit 80daaf71e46826d627cbf97fe28ce50ceb46a827)

Review URL: https://codereview.chromium.org/621833005

Cr-Commit-Position: refs/branch-heads/2171@{#20}
Cr-Branched-From: 267aeeb8d85c8503a7fd12bd14654b8ea78d3974-refs/heads/master@{#297060}

[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/chrome/common/net/x509_certificate_model_unittest.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/cert/cert_verify_proc.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/cert/cert_verify_proc_unittest.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/cert/nss_cert_database_unittest.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/1024-rsa-ee-by-1024-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/1024-rsa-ee-by-2048-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/1024-rsa-ee-by-768-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/1024-rsa-ee-by-prime256v1-ecdsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/1024-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/2048-rsa-ee-by-1024-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/2048-rsa-ee-by-2048-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/2048-rsa-ee-by-768-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/2048-rsa-ee-by-prime256v1-ecdsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/2048-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/2048-rsa-root.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/768-rsa-ee-by-1024-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/768-rsa-ee-by-2048-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/768-rsa-ee-by-768-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/768-rsa-ee-by-prime256v1-ecdsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/768-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/aia-cert.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/aia-intermediate.der
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/aia-root.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/client_1.key
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/client_1.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/client_1.pk8
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/client_1_ca.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/client_2.key
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/client_2.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/client_2.pk8
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/client_2_ca.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/crit-codeSigning-chain.pem
[add] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/crlset_by_intermediate_serial.raw
[add] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/crlset_by_leaf_spki.raw
[add] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/crlset_by_root_serial.raw
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/duplicate_cn_1.p12
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/duplicate_cn_1.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/duplicate_cn_2.p12
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/duplicate_cn_2.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/eku-test-root.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/expired_cert.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/explicit-policy-chain.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/multi-root-chain1.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/multi-root-chain2.pem
[delete] https://chromium.googlesource.com/chromium/src.git/+/fde783d0141b3de9ba58bca74ad3eb98d9b3c184/net/data/ssl/certificates/name_constraint_bad.crt
[add] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/name_constraint_bad.pem
[add] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/name_constraint_good.pem
[delete] https://chromium.googlesource.com/chromium/src.git/+/fde783d0141b3de9ba58bca74ad3eb98d9b3c184/net/data/ssl/certificates/name_constraint_ok.crt
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/non-crit-codeSigning-chain.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/ok_cert.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/prime256v1-ecdsa-ee-by-1024-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/prime256v1-ecdsa-ee-by-2048-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/prime256v1-ecdsa-ee-by-768-rsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/prime256v1-ecdsa-ee-by-prime256v1-ecdsa-intermediate.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/prime256v1-ecdsa-intermediate.pem
[delete] https://chromium.googlesource.com/chromium/src.git/+/fde783d0141b3de9ba58bca74ad3eb98d9b3c184/net/data/ssl/certificates/punycodetest.der
[add] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/punycodetest.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/redundant-server-chain.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/redundant-validated-chain-root.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/redundant-validated-chain.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/root_ca_cert.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/spdy_pooling.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/ssl/certificates/subjectAltName_sanity_check.pem
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/url_request_unittest/hpkp-headers.html.mock-http-headers
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/url_request_unittest/hsts-and-hpkp-headers.html.mock-http-headers
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/data/url_request_unittest/hsts-and-hpkp-headers2.html.mock-http-headers
[modify] https://chromium.googlesource.com/chromium/src.git/+/e464e51b9e68ca6f63901b28cedccec943435f17/net/http/disk_based_cert_cache_unittest.cc

Project Member

Comment 43 by bugdroid1@chromium.org, Oct 2 2014

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c08f7ae501a11842f5f7e0967944a0a3cdd9fdcc

commit c08f7ae501a11842f5f7e0967944a0a3cdd9fdcc
Author: Ryan Sleevi <rsleevi@chromium.org>
Date: Thu Oct 02 00:47:19 2014

Detect SHA-1 when it appears in certificate chains

BUG= 401365 
TBR=davidben

Review URL: https://codereview.chromium.org/509273002

Cr-Commit-Position: refs/heads/master@{#297307}
(cherry picked from commit b92e6f5c2a5271850a39afa1254d41ccc34ec5e6)

Review URL: https://codereview.chromium.org/614353006

Cr-Commit-Position: refs/branch-heads/2171@{#21}
Cr-Branched-From: 267aeeb8d85c8503a7fd12bd14654b8ea78d3974-refs/heads/master@{#297060}

[modify] https://chromium.googlesource.com/chromium/src.git/+/c08f7ae501a11842f5f7e0967944a0a3cdd9fdcc/net/cert/cert_verify_proc_android.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/c08f7ae501a11842f5f7e0967944a0a3cdd9fdcc/net/cert/cert_verify_proc_mac.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/c08f7ae501a11842f5f7e0967944a0a3cdd9fdcc/net/cert/cert_verify_proc_nss.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/c08f7ae501a11842f5f7e0967944a0a3cdd9fdcc/net/cert/cert_verify_proc_openssl.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/c08f7ae501a11842f5f7e0967944a0a3cdd9fdcc/net/cert/cert_verify_proc_unittest.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/c08f7ae501a11842f5f7e0967944a0a3cdd9fdcc/net/cert/cert_verify_proc_win.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/c08f7ae501a11842f5f7e0967944a0a3cdd9fdcc/net/cert/cert_verify_result.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/c08f7ae501a11842f5f7e0967944a0a3cdd9fdcc/net/cert/cert_verify_result.h

Project Member

Comment 44 by bugdroid1@chromium.org, Oct 2 2014

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/22aeaf99a23840ad18dd646cc5dd51d7d4cae687

commit 22aeaf99a23840ad18dd646cc5dd51d7d4cae687
Author: Ryan Sleevi <rsleevi@chromium.org>
Date: Thu Oct 02 00:50:16 2014

Mark SHA-1 as deprecated

BUG= 401365 
TBR=davidben
Review URL: https://codereview.chromium.org/508823009

Cr-Commit-Position: refs/heads/master@{#297331}
(cherry picked from commit 4f80127285b5be9265ad96ce9b118e414107815a)

Review URL: https://codereview.chromium.org/618063004

Cr-Commit-Position: refs/branch-heads/2171@{#22}
Cr-Branched-From: 267aeeb8d85c8503a7fd12bd14654b8ea78d3974-refs/heads/master@{#297060}

[modify] https://chromium.googlesource.com/chromium/src.git/+/22aeaf99a23840ad18dd646cc5dd51d7d4cae687/build/ios/grit_whitelist.txt
[modify] https://chromium.googlesource.com/chromium/src.git/+/22aeaf99a23840ad18dd646cc5dd51d7d4cae687/chrome/app/chromium_strings.grd
[modify] https://chromium.googlesource.com/chromium/src.git/+/22aeaf99a23840ad18dd646cc5dd51d7d4cae687/chrome/app/google_chrome_strings.grd
[modify] https://chromium.googlesource.com/chromium/src.git/+/22aeaf99a23840ad18dd646cc5dd51d7d4cae687/chrome/browser/ssl/ssl_error_info.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/22aeaf99a23840ad18dd646cc5dd51d7d4cae687/chrome/browser/ui/toolbar/toolbar_model_impl.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/22aeaf99a23840ad18dd646cc5dd51d7d4cae687/chrome/browser/ui/website_settings/website_settings.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/22aeaf99a23840ad18dd646cc5dd51d7d4cae687/chrome/browser/ui/website_settings/website_settings.h
[modify] https://chromium.googlesource.com/chromium/src.git/+/22aeaf99a23840ad18dd646cc5dd51d7d4cae687/chrome/browser/ui/website_settings/website_settings_ui.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/22aeaf99a23840ad18dd646cc5dd51d7d4cae687/content/browser/loader/resource_dispatcher_host_impl.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/22aeaf99a23840ad18dd646cc5dd51d7d4cae687/net/cert/cert_status_flags_list.h
[modify] https://chromium.googlesource.com/chromium/src.git/+/22aeaf99a23840ad18dd646cc5dd51d7d4cae687/net/cert/cert_verify_proc.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/22aeaf99a23840ad18dd646cc5dd51d7d4cae687/net/cert/cert_verify_proc_unittest.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/22aeaf99a23840ad18dd646cc5dd51d7d4cae687/tools/metrics/histograms/histograms.xml

Status: Fixed
All bits merged for M39. Finch will control the UI rollout.
Now that the rollout is complete and the Finch values are stable, could we remove the Finch code from ToolbarModelImpl::GetSecurityLevelForWebContents()[1]?

[1] https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/ui/toolbar/toolbar_model_impl.cc&q=securitylevelforwebcontents&sq=package:chromium&type=cs&l=99
Not yet.
Is it safe to remove the Finch code at this point?

Once in a while, I still get confused because the Finch-controlled SHA-1 behaviour is not present in a new test instance of Chrome.
Labels: -merge-merged-2171 Merge-Merged-2171
Thank you
Components: -Security>UX
Labels: Team-Security-UX
Security>UX component is deprecated in favor of the Team-Security-UX label
