Chrome on Android is not enforcing static test pin
Issue description

Version: 5.0.2743.98
OS: Android 6.0.1 (Nexus 5X)

What steps will reproduce the problem?
(1) Visit https://pinning-test.badssl.com/

What is the expected output?
An SSL interstitial with a non-overridable pinning error.

What do you see instead?
The page loads over HTTPS (chrome-android.png) using the actual certificate served by pinning-test.badssl.com.

The expected error appears in Firefox on the same device (firefox-android.png) [1], so it's not a local anchor override. The expected error appears on Chrome desktop. The expected error *does not* appear on a Pixel C, so it's not specific to one device.

I don't know enough to claim that static pinning is broken on Android, but I'm filing as a Security bug just in case. Did I miss a memo somewhere that makes this expected behaviour, or should I dig into it?
Aug 12 2016

Aug 12 2016
(Oh, I was missing the view restriction label because I didn't use the security template.)
Aug 12 2016
We've never supported the static pins on Android or iOS as far as I know because of concerns about update ability.
Aug 12 2016
Yeah, this is expected behavior because of what Adam said.
Oct 26 2016

Nov 19 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by lgar...@chromium.org, Aug 12 2016