
Issue 640835

Starred by 6 users

Issue metadata

Status: Fixed
Owner:
Closed: Apr 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 2
Type: Bug
Team-Security-UX

Blocked on:
issue 691163
issue 692767

Blocking:
issue 335933
issue 683397




Introduce a component which will contain a list of known, popular captive portals

Project Member Reported by mea...@chromium.org, Aug 25 2016

Issue description

Generate a list of SPKI hashes of popular captive portals and embed them in the browser so that we can display a captive portal interstitial immediately if the user hits an SSL error with such a cert. The list is populated from certificate reports and has currently fewer than 100 entries, while covering 2-3% of cert reports.

A small amount of false positives caused by sites serving such certs seems acceptable given the benefits.
 

Comment 1 by mea...@chromium.org, Aug 25 2016

Blocking: 335933
Cc: lgar...@chromium.org
Did someone say "embed a list of SPKIs"?

Comment 3 by mea...@chromium.org, Aug 25 2016

Yep, the magical incantation to summon lgarron :)
Labels: Interstitials
Components: -Security>UX UI>Browser>Interstitials

Comment 7 by mea...@chromium.org, Nov 30 2016

This is discussed only briefly in the design doc, but we decided to use the component updater mechanism for the portal list. This will allow us to update the list independent of Chrome's release schedule.
Labels: -Interstitials
Project Member

Comment 9 by bugdroid1@chromium.org, Dec 17 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/657c5e7bbb7ea1ae591d97de9adf46a03410a37c

commit 657c5e7bbb7ea1ae591d97de9adf46a03410a37c
Author: meacer <meacer@chromium.org>
Date: Sat Dec 17 02:30:06 2016

Add proto for TLS error assistant, refactor proto generator code.

This CL adds binary_proto_generator.py which contains code to generate
binary protobufs from ascii protobufs. SafeBrowsing download file types
list and TLS error assistant use this generator to generate their
respective binary protos.

BUG= 640835 
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:closure_compilation

Review-Url: https://codereview.chromium.org/2567483002
Cr-Commit-Position: refs/heads/master@{#439292}

[modify] https://crrev.com/657c5e7bbb7ea1ae591d97de9adf46a03410a37c/chrome/browser/BUILD.gn
[add] https://crrev.com/657c5e7bbb7ea1ae591d97de9adf46a03410a37c/chrome/browser/resources/protobufs/OWNERS
[add] https://crrev.com/657c5e7bbb7ea1ae591d97de9adf46a03410a37c/chrome/browser/resources/protobufs/binary_proto_generator.py
[modify] https://crrev.com/657c5e7bbb7ea1ae591d97de9adf46a03410a37c/chrome/browser/resources/safe_browsing/gen_file_type_proto.py
[add] https://crrev.com/657c5e7bbb7ea1ae591d97de9adf46a03410a37c/chrome/browser/resources/ssl/OWNERS
[add] https://crrev.com/657c5e7bbb7ea1ae591d97de9adf46a03410a37c/chrome/browser/resources/ssl/tls_error_assistant/BUILD.gn
[add] https://crrev.com/657c5e7bbb7ea1ae591d97de9adf46a03410a37c/chrome/browser/resources/ssl/tls_error_assistant/gen_tls_error_assistant_proto.py
[add] https://crrev.com/657c5e7bbb7ea1ae591d97de9adf46a03410a37c/chrome/browser/resources/ssl/tls_error_assistant/tls_error_assistant.asciipb
[add] https://crrev.com/657c5e7bbb7ea1ae591d97de9adf46a03410a37c/chrome/browser/ssl/BUILD.gn
[add] https://crrev.com/657c5e7bbb7ea1ae591d97de9adf46a03410a37c/chrome/browser/ssl/tls_error_assistant.proto

Summary: Introduce a component which will contain a list of known, popular captive portals (was: Hardcode a list of known, popular captive portals )
The list is going to be deployed using component updates, so renaming the bug.
Project Member

Comment 13 by bugdroid1@chromium.org, Feb 7 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b0785808c1a3d64ec590bf17d41db45c7b0d8b16

commit b0785808c1a3d64ec590bf17d41db45c7b0d8b16
Author: meacer <meacer@chromium.org>
Date: Tue Feb 07 23:46:52 2017

Add initial version of captive portal list checking.

This CL adds captive portal certificate list checking feature. When an SSL
error occurs, the feature checks the certificate chain's SPKI hashes to a
list of hashes that are known to be served by captive portals. The list is
embedded as a resource and currently only contains a single hash (the hash
of the leaf cert of captive-portal.badssl.com). Follow up CLs will introduce
a component updater component to dynamically update the list of known captive
portal SPKI hashes.

BUG= 640835 
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:closure_compilation

Review-Url: https://codereview.chromium.org/2620203003
Cr-Commit-Position: refs/heads/master@{#448796}

[modify] https://crrev.com/b0785808c1a3d64ec590bf17d41db45c7b0d8b16/chrome/browser/BUILD.gn
[modify] https://crrev.com/b0785808c1a3d64ec590bf17d41db45c7b0d8b16/chrome/browser/browser_resources.grd
[modify] https://crrev.com/b0785808c1a3d64ec590bf17d41db45c7b0d8b16/chrome/browser/resources/ssl/ssl_error_assistant/ssl_error_assistant.asciipb
[modify] https://crrev.com/b0785808c1a3d64ec590bf17d41db45c7b0d8b16/chrome/browser/ssl/ssl_browser_tests.cc
[modify] https://crrev.com/b0785808c1a3d64ec590bf17d41db45c7b0d8b16/chrome/browser/ssl/ssl_error_assistant.proto
[modify] https://crrev.com/b0785808c1a3d64ec590bf17d41db45c7b0d8b16/chrome/browser/ssl/ssl_error_handler.cc
[modify] https://crrev.com/b0785808c1a3d64ec590bf17d41db45c7b0d8b16/chrome/browser/ssl/ssl_error_handler.h
[modify] https://crrev.com/b0785808c1a3d64ec590bf17d41db45c7b0d8b16/chrome/browser/ssl/ssl_error_handler_unittest.cc
[modify] https://crrev.com/b0785808c1a3d64ec590bf17d41db45c7b0d8b16/chrome/test/BUILD.gn

Project Member

Comment 14 by bugdroid1@chromium.org, Feb 10 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4404d45a6532616d24d676113d5dfb0d519085b9

commit 4404d45a6532616d24d676113d5dfb0d519085b9
Author: meacer <meacer@chromium.org>
Date: Fri Feb 10 02:30:54 2017

Add SSL Error Assistant component to dynamically update captive portal list

This CL adds the SSL Error Assistant component that will dynamically update the
captive portal certificate list to be used by SSLErrorHandler. The component's
implementation is mostly taken from FileTypePolicies component.

For the time being, the component is only enabled on platforms where captive
portal detection is enabled (i.e. desktop).

BUG= 640835 
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:closure_compilation

Review-Url: https://codereview.chromium.org/2581903002
Cr-Commit-Position: refs/heads/master@{#449525}

[modify] https://crrev.com/4404d45a6532616d24d676113d5dfb0d519085b9/chrome/browser/BUILD.gn
[modify] https://crrev.com/4404d45a6532616d24d676113d5dfb0d519085b9/chrome/browser/chrome_browser_main.cc
[add] https://crrev.com/4404d45a6532616d24d676113d5dfb0d519085b9/chrome/browser/component_updater/ssl_error_assistant_component_installer.cc
[add] https://crrev.com/4404d45a6532616d24d676113d5dfb0d519085b9/chrome/browser/component_updater/ssl_error_assistant_component_installer.h
[modify] https://crrev.com/4404d45a6532616d24d676113d5dfb0d519085b9/chrome/browser/ssl/ssl_browser_tests.cc
[modify] https://crrev.com/4404d45a6532616d24d676113d5dfb0d519085b9/chrome/browser/ssl/ssl_error_handler.cc
[modify] https://crrev.com/4404d45a6532616d24d676113d5dfb0d519085b9/chrome/browser/ssl/ssl_error_handler.h
[modify] https://crrev.com/4404d45a6532616d24d676113d5dfb0d519085b9/chrome/browser/ssl/ssl_error_handler_unittest.cc

Project Member

Comment 15 by bugdroid1@chromium.org, Feb 10 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/992f50de218e93808825efbe1067b9968f01fec9

commit 992f50de218e93808825efbe1067b9968f01fec9
Author: meacer <meacer@chromium.org>
Date: Fri Feb 10 02:35:38 2017

Add validation of sha256 hash formats to ssl_error_assistant proto generator

BUG= 640835 
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:closure_compilation

Review-Url: https://codereview.chromium.org/2686173004
Cr-Commit-Position: refs/heads/master@{#449528}

[modify] https://crrev.com/992f50de218e93808825efbe1067b9968f01fec9/chrome/browser/resources/ssl/ssl_error_assistant/gen_ssl_error_assistant_proto.py

Blockedon: 691163
Project Member

Comment 17 by bugdroid1@chromium.org, Feb 11 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9037fa2079b2735326d4876590f37b4cbdf1fb5f

commit 9037fa2079b2735326d4876590f37b4cbdf1fb5f
Author: meacer <meacer@chromium.org>
Date: Sat Feb 11 01:50:02 2017

Add missing histogram entry to interstitial.ssl_error_handler.

BUG= 640835 

Review-Url: https://codereview.chromium.org/2688933002
Cr-Commit-Position: refs/heads/master@{#449826}

[modify] https://crrev.com/9037fa2079b2735326d4876590f37b4cbdf1fb5f/tools/metrics/histograms/histograms.xml

Project Member

Comment 18 by bugdroid1@chromium.org, Feb 15 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4cb673a8d363c7ddb6f05a009a313e7e10d21b11

commit 4cb673a8d363c7ddb6f05a009a313e7e10d21b11
Author: meacer <meacer@chromium.org>
Date: Wed Feb 15 00:22:25 2017

Add initial list of captive portal certificates

This list contains the SPKI hashes of top captive portal certificates. All
certs should only cause name mismatch errors.

BUG= 640835 
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:closure_compilation

Review-Url: https://codereview.chromium.org/2688623006
Cr-Commit-Position: refs/heads/master@{#450523}

[modify] https://crrev.com/4cb673a8d363c7ddb6f05a009a313e7e10d21b11/chrome/browser/resources/ssl/ssl_error_assistant/ssl_error_assistant.asciipb
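
The list check described in comments 13, 15 and 18, sketched as an added example (not Chromium's code): entries are format-validated when the list is loaded, and a match counts only when name mismatch is the sole certificate error. The `sha256/<base64>` entry format, the error label strings and all function names are assumptions made for illustration, and the SPKI byte strings are constructed stand-ins for DER data.

```python
import base64
import binascii
import hashlib

PREFIX = "sha256/"  # assumed entry format: "sha256/" + base64(SHA-256 digest)

def parse_entry(entry):
    """Validate one list entry and return its 32 raw digest bytes."""
    if not entry.startswith(PREFIX):
        raise ValueError("missing sha256/ prefix: %r" % entry)
    try:
        raw = base64.b64decode(entry[len(PREFIX):], validate=True)
    except binascii.Error as exc:
        raise ValueError("not valid base64: %r" % entry) from exc
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("digest is not 32 bytes: %r" % entry)
    return raw

def load_portal_list(entries):
    """Build the lookup set; one malformed entry rejects the whole list."""
    return frozenset(parse_entry(e) for e in entries)

def spki_hash(spki_der):
    """SHA-256 over the DER-encoded SubjectPublicKeyInfo of one certificate."""
    return hashlib.sha256(spki_der).digest()

def format_entry(spki_der):
    """Render an SPKI as a list entry in the assumed text format."""
    return PREFIX + base64.b64encode(spki_hash(spki_der)).decode("ascii")

def is_known_captive_portal(chain_spkis, cert_errors, portal_hashes):
    """True only if name mismatch is the sole error and a chain SPKI is listed."""
    # Assumed gate: any other error (expired, untrusted root, ...) falls through
    # to the normal SSL interstitial, so a listed key cannot mask it.
    if set(cert_errors) != {"name_mismatch"}:
        return False
    return any(spki_hash(spki) in portal_hashes for spki in chain_spkis)

# Constructed stand-ins for DER SPKI blobs; real input comes from a cert parser.
PORTAL_SPKI = b"constructed-portal-spki"
OTHER_SPKI = b"constructed-unrelated-spki"
PORTAL_LIST = load_portal_list([format_entry(PORTAL_SPKI)])

if __name__ == "__main__":
    chain = [OTHER_SPKI, PORTAL_SPKI]
    print(is_known_captive_portal(chain, ["name_mismatch"], PORTAL_LIST))
```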

Blockedon: 692767
Blocking: 683397
Status: Fixed (was: Started)
This is fixed, we started testing.
Project Member

Comment 22 by bugdroid1@chromium.org, May 1 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/718bd5b1110f021197077f2ef41d72664b20757c

commit 718bd5b1110f021197077f2ef41d72664b20757c
Author: meacer <meacer@chromium.org>
Date: Mon May 01 23:19:42 2017

Update Chrome's captive portal list with 3 new portals

BUG= 640835 
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:closure_compilation

Review-Url: https://codereview.chromium.org/2821203003
Cr-Commit-Position: refs/heads/master@{#468477}

[modify] https://crrev.com/718bd5b1110f021197077f2ef41d72664b20757c/chrome/browser/resources/ssl/ssl_error_assistant/ssl_error_assistant.asciipb

Project Member

Comment 23 by bugdroid1@chromium.org, Oct 9 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4db693f77f0da1515cdb866bc6dd25ed10ed3152

commit 4db693f77f0da1515cdb866bc6dd25ed10ed3152
Author: Mustafa Emre Acer <meacer@chromium.org>
Date: Mon Oct 09 20:57:32 2017

Enable CaptivePortalCertificateList feature by default

Bug:  640835 
Change-Id: If3d92db86022c8b5606e02e171a63db85fe5328f
Reviewed-on: https://chromium-review.googlesource.com/705594
Reviewed-by: Steven Holte <holte@chromium.org>
Reviewed-by: Emily Stark <estark@chromium.org>
Commit-Queue: Mustafa Emre Acer <meacer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#507479}
[modify] https://crrev.com/4db693f77f0da1515cdb866bc6dd25ed10ed3152/chrome/browser/ssl/ssl_error_handler.cc
[modify] https://crrev.com/4db693f77f0da1515cdb866bc6dd25ed10ed3152/testing/variations/fieldtrial_testing_config.json

Project Member

Comment 24 by bugdroid1@chromium.org, Nov 20

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/33ab375d020630525a195456e3d9befa33291084

commit 33ab375d020630525a195456e3d9befa33291084
Author: Mustafa Emre Acer <meacer@chromium.org>
Date: Tue Nov 20 01:04:59 2018

Add another Impulse certificate to known captive portals

Bug:  640835 
Change-Id: I4aa79b8af48f7dfd63c288dc7c4506fa4a4bf73e
Reviewed-on: https://chromium-review.googlesource.com/c/1338999
Reviewed-by: Mustafa Emre Acer <meacer@chromium.org>
Reviewed-by: Adrienne Porter Felt <felt@chromium.org>
Commit-Queue: Mustafa Emre Acer <meacer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#609540}
[modify] https://crrev.com/33ab375d020630525a195456e3d9befa33291084/chrome/browser/resources/ssl/ssl_error_assistant/ssl_error_assistant.asciipb
