Issue 629091

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Jul 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Feature


Missing Javascript API to detect Chrome's removal of self-signed certificates after 1 week.

Reported by abraham_...@yahoo.com, Jul 18 2016

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36

Example URL:
Any HTTPS site with self-signed certificate

Steps to reproduce the problem:
1. Access a site with a self-signed certificate
2. Click through to accept the certificate
3. Leave the browser running for a week
4. Chrome automatically deletes these certificates.
5. REST calls fail when this happens, without any clear indication of the situation.

What is the expected behavior?
REST calls that fail because of the removal of previously accepted certificates should do one of the following:

1) throw an exception that identifies this situation
2) REST calls that fail should return an error that identifies this situation.

What went wrong?
My app is a long-running app. It has a polling mechanism to retrieve updated info from the server. If I leave the app running in the browser for a week, the polling mechanism fails with no indication that Chrome's removal of the self-signed certificate is the cause of the problem.

Did this work before? N/A 

Chrome version: 51.0.2704.106  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 22.0 r0

I have searched the web and Chromium and understand that the removal of certificates after 1 week is the expected behavior (see Issue 53025). But Chrome needs to provide a detection mechanism so that when this happens, the app can respond appropriately.

Components: Internals>Network>Certificate Platform>Apps>API
Labels: -Type-Bug Type-Feature
Status: Untriaged (was: Unconfirmed)
Attaching some labels tentatively, I am not sure which bin this feature request falls into.

Components: -Platform>Apps>API -Internals>Network -Internals>Network>Certificate Security>UX Internals>Network>SSL
Status: WontFix (was: Untriaged)
Marking as WontFix, and tagging as Security>UX for the UX team that owns that decision remembrance.

The detection mechanism is that XHRs will fail. Identifying it as a certificate error is not part of the Fetch Standard ( https://fetch.spec.whatwg.org/ ).

The correct solution is not to rely on self-signed certificates or users clicking through them.

"Not to rely on self-signed certs" is not a solution. If Chrome decides to allow a user to click through a self-signed cert, then it should not make an arbitrary decision to remove it 1 week after it was accepted by the user. I saw this issue trip up a lot of developers since 2010. If we want to adhere to the Fetch Standard, then did any standard mention the removal of the self-signed cert after 1 week?

I'm not sure how it could have tripped up a lot of developers since 2010, as the previous behaviour was that it remembered for the duration of the process lifetime.

In any event, Chrome is behaving as expected, which is that it returns a network error per the Fetch spec. As previously indicated, self-signed certificates are not intended to be used for day-to-day use cases, and they're not guaranteed to work or continue to work in the future.
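The two replies above describe what a page actually gets to see: per the Fetch Standard a request that fails at the network layer, including a TLS handshake that fails because the browser no longer accepts the server's certificate, rejects the fetch() promise with a TypeError that carries no reason (Chrome's message is the generic "Failed to fetch"), whereas an HTTP 4xx/5xx resolves normally with `response.ok === false`. The example below is added here and is not code from the Chromium thread or from the reporter's app. It shows how a polling client can at least separate "transport is broken" from "server answered with an error", count consecutive transport failures, and stop polling so the UI can tell the user to reload or reopen the site (which is where a certificate interstitial would be shown again). The fetch stand-ins, the URL and the failure sequence are constructed for the example; in a browser you would pass `window.fetch`.

```javascript
// Added example, not from the Chromium issue above. Classifies fetch()
// outcomes the way the Fetch Standard exposes them and stops a poller after
// repeated network-level failures. Everything below is plain JavaScript with
// no network access: the fetch implementations are constructed stand-ins.

const NETWORK_ERROR = 'network_error'; // fetch() rejected with TypeError
const HTTP_ERROR = 'http_error';       // Response received, status not 2xx
const OK = 'ok';

// Classify one fetch() outcome. Pass either { error } (the rejection) or
// { response } (the resolved Response). Kept synchronous so it is testable
// without a network. Only TypeError is a Fetch-spec network error; anything
// else (AbortError, a programming error) is rethrown rather than swallowed.
function classifyOutcome(outcome) {
  if (outcome.error !== undefined) {
    if (outcome.error instanceof TypeError) return NETWORK_ERROR;
    throw outcome.error;
  }
  return outcome.response.ok ? OK : HTTP_ERROR;
}

// One poll. `fetchImpl` is injected: window.fetch in the browser, a stand-in here.
async function pollOnce(fetchImpl, url) {
  try {
    const response = await fetchImpl(url, { credentials: 'same-origin' });
    return { kind: classifyOutcome({ response }), status: response.status };
  } catch (error) {
    // The browser tells us nothing beyond "network error"; a forgotten
    // self-signed cert looks exactly like DNS failure or a down server.
    return { kind: classifyOutcome({ error }), message: error.message };
  }
}

// Tracks consecutive network errors. record() returns true once the streak
// reaches the threshold, i.e. when the caller should stop and alert the user.
class TransportWatchdog {
  constructor(threshold) {
    this.threshold = threshold;
    this.streak = 0;
  }
  record(kind) {
    this.streak = kind === NETWORK_ERROR ? this.streak + 1 : 0;
    return this.streak >= this.threshold;
  }
}

// Poll up to maxPolls times; stop early when the watchdog trips. HTTP errors
// do not count toward the streak: the server was reachable, so keep polling.
async function runPoller(fetchImpl, url, maxPolls, threshold, onUpdate = () => {}) {
  const watchdog = new TransportWatchdog(threshold);
  let updates = 0;
  for (let polls = 1; polls <= maxPolls; polls++) {
    const result = await pollOnce(fetchImpl, url);
    if (result.kind === OK) {
      updates++;
      onUpdate(result);
    }
    if (watchdog.record(result.kind)) {
      return { stopped: true, reason: 'transport', lastError: result.message, polls, updates };
    }
  }
  return { stopped: false, polls: maxPolls, updates };
}

// Constructed stand-ins for fetch() (shapes assumed for the example).
function fetchOk() {
  return Promise.resolve({ ok: true, status: 200, json: async () => ({ seq: 1 }) });
}
function fetchServerError() {
  return Promise.resolve({ ok: false, status: 503, json: async () => ({}) });
}
// What the page sees once Chrome has forgotten the click-through: the TLS
// handshake fails and fetch() rejects with a TypeError and no detail.
function fetchCertRejected() {
  return Promise.reject(new TypeError('Failed to fetch'));
}
// Two good polls, then the "after a week" state forever.
function makeSequencedFetch() {
  let calls = 0;
  return () => (calls++ < 2 ? fetchOk() : fetchCertRejected());
}

// Stand-alone demo (hypothetical URL). Expected: stopped after 5 polls, 2 updates.
runPoller(makeSequencedFetch(), 'https://self-signed.example/api/status', 10, 3)
  .then((summary) => console.log(JSON.stringify(summary)));
```

The honest limit is in `pollOnce`: the app can say "the transport is broken, reload or reopen the site", but it cannot say "your accepted certificate expired" because the browser never hands that reason to script. The threshold keeps a single transient failure from interrupting the user, and `fetchServerError` is included to show that a 503 resets the streak rather than counting toward it.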

Components: -Security>UX
Labels: Team-Security-UX
Security>UX component is deprecated in favor of the Team-Security-UX label
