Extend webRequests onCompleted callback to include information about TLS connections
Reported by
rolandsh...@gmail.com,
Jul 16 2016
|
||||||||
Issue descriptionUserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36 Steps to reproduce the problem: 1. Try to extract information about the underlying TLS/SSL transport from the details object passed to a webRequest.onCompleted event listener What is the expected behavior? Information about the underlying transport (cipher and key exchange algorithms etc) and the sent and built certificate chains should be provided. What went wrong? No TLS/SSL information is provided. Did this work before? N/A Chrome version: 47.0.2526.80 Channel: n/a OS Version: Flash Version: This feature is required for the EFF to keep operating its Decentralized SSL Observatory (DSO) project which collects observed certificates from users of the HTTPS Everywhere extension who opt in. At the moment only Firefox users are able to use this feature due to the lack of webRequest support but with the upcoming XPCOM depreciation it will soon be impossible in both Chrome and Firefox. Ryan Sleevi previously investigated a similar issue (https://bugs.chromium.org/p/chromium/issues/detail?id=107793) and resolved it as a WontFix due to the complexities/dangers of allowing extensions to meddle with the validation process. I agree with those original conclusions but believe a simpler, and much less fraught, solution exists which would provide an extremely useful set of data. Whereas the previous issue mainly seemed to deal with hooking into the validation process (and t he possibilities of overriding various stages and/or errors) this issue suggests *only* providing connection information via the onCompleted event listener and not allowing any kind of interference in the validation process. Extensions would still be able to show their own UI hints about certificates but because onCompleted listeners are only called after internal security UIs are shown (i.e. certificate warning screens) and bypassed the danger is far lower. While the main use case for this would be enabling cross-browser feature parity in HTTPS Everywhere I have heard from a number of other extension developers and security researchers who would be very interested in having this ability.
,
Jul 22 2016
,
Aug 10 2016
Is this a dupe of https://bugs.chromium.org/p/chromium/issues/detail?id=598123 ?
,
Aug 10 2017
Issue has not been modified or commented on in the last 365 days, please re-open or file a new bug if this is still an issue. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 21 2017
Roland has a CL up for review here: https://chromium-review.googlesource.com/c/chromium/src/+/644858
,
Sep 22 2017
Issue 598123 has been merged into this issue.
,
Jan 3 2018
This API would also allow me write extension detecting company-wide SSL interception hardware, or supplement the deprecation of the certificate pinning headers. Chromium unfortunately lacks the necessary hooks to develop security extensions and this would certainly be a good start.
,
Jan 29 2018
Also raised on https://github.com/brave/browser-laptop/issues/12904
,
Jul 10
Mozilla are releasing an API for providing the TLS information to WebExtensions in Firefox 62: https://bugzilla.mozilla.org/show_bug.cgi?format=default&id=1322748 https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/webRequest/getSecurityInfo https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/webRequest/SecurityInfo https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/webRequest/CertificateInfo
,
Jan 15
,
Today
(14 hours ago)
,
Today
(10 hours ago)
|
||||||||
►
Sign in to add a comment |
||||||||
Comment 1 by ranjitkan@chromium.org
, Jul 22 2016