New issue
Advanced search Search tips

Issue 644120 link

Starred by 1 user

Issue metadata

Status: WontFix
Merged: issue 643173
Owner: ----
Closed: Sep 2016
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Security



Sign in to add a comment

Pinning bypass UI shows as secure

Reported by davidcad...@gmail.com, Sep 5 2016

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Steps to reproduce the problem:
1.  https://badssl.com
2. Click pinning test
3. Bypass the pinning error using cheat code
4. UI shows as secure (no red line through HTTPS)

What is the expected behavior?
Match using the cheat code to bypass HSTS error (red line through HTTPS)

What went wrong?
Should be a red line through HTTPS

Did this work before? N/A 

Chrome version: 52.0.2743.116  Channel: stable
OS Version: OS X 10.11.6
Flash Version: Shockwave Flash 22.0 r0

Hi Lucas!
 
Screen Shot 2016-09-05 at 1.46.27 PM.png
64.3 KB View Download
Screen Shot 2016-09-05 at 1.46.34 PM.png
169 KB View Download
Screen Shot 2016-09-05 at 1.45.31 PM.png
10.0 KB View Download

Comment 1 by vakh@chromium.org, Sep 6 2016

Mergedinto: 643173
Status: Duplicate (was: Unconfirmed)
Thanks for reporting this issue. It seems like a duplicate of  issue 643173  so I've marked it as such.
I'm away from a computer so I can't check for sure but I don't think this
is a duplicate of issue. This is on stable whereas  issue 643173  is only
canary/dev.
I don't have access to the other issue, so I can't confirm/deny. My cursory search of the public issues showed this wasn't filed, but it may be under embargo (although this is a pretty weak issue to embargo...)

Comment 4 by est...@chromium.org, Sep 13 2016

Labels: -OS-Mac M-55 Security_Impact-Stable Security_Severity-Low OS-All
Status: Available (was: Duplicate)

Comment 5 by est...@chromium.org, Sep 13 2016

Components: Security>UX

Comment 6 by f...@chromium.org, Sep 16 2016

woah, showing the wrong security state is never good.

david, thanks for reporting. I can't seem to repro. can you please update to the new current stable (53) and tell me if you still see the problem?
Confirmed that in latest stable (Version 53.0.2785.116 (64-bit)), the security state is shown correctly. I guess it was "accidentally" patched?

¯\_(ツ)_/¯ 

Comment 8 by f...@chromium.org, Sep 16 2016

Status: WontFix (was: Available)
There were a bunch of security indicator bugs in 52 that were patched for 53 on Mac -- I'm not sure which one would have caused & fixed this, but it's (sadly) not too surprising to me. Glad it's fixed tho.
Components: -Security>UX
Labels: Team-Security-UX
Security>UX component is deprecated in favor of the Team-Security-UX label
Project Member

Comment 10 by sheriffbot@chromium.org, Dec 24 2016

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment