Trim website_settings.cc logic and never show SSL 3.0.
Issue description

This is a follow-up to https://codereview.chromium.org/2382983002/. There is some logic in website_settings.cc to:

1. Show the renegotiation_info extension.
2. Downgrade the security status if we have an SSL 3.0 host (but only on top-level loads).

(1) was probably added back when the renegotiation bug was first found. Trying to enforce it isn't really a priority (it's largely for servers to enforce, not client), so let's just take it out completely.

(2) was originally added when we needed to drop SSL 3.0 for POODLE. It should be a no-op because SSL 3.0 is long gone, but it's reachable if we load an ancient cached SSL 3.0 resource without revalidation. Such resources will also appear in the security panel as SSL 3.0, which is pretty confusing. SSL 3.0 is long gone, so I propose we drop those cache entries. This will prevent the security panel from showing SSL 3.0 and make removing that website_settings.cc check actually a no-op.

https://chromium.googlesource.com/chromium/src/+/master/chrome/browser/ui/website_settings/website_settings.cc#637

Note that dropping those cache entries is not much of a security guarantee because we don't do provenance tracking for complex loads like revalidations or range requests, and doing so is probably unreasonable. See https://groups.google.com/a/chromium.org/d/msg/security-dev/pdvsbRGnKgA/kzhhvnERqGoJ

The motivation is mostly so UI will never show SSL 3.0.
Oct 11 2016

Oct 18 2016
Assigning to davidben@ on the assumption he meant to do so, but feel free to reassign as needed.

Oct 19 2016

Oct 20 2016

Nov 16 2016

Nov 24 2016

Jun 7 2017

Jun 7 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/3bd7dd5df8fae5704a56611364b34a1c0a17dabd

commit 3bd7dd5df8fae5704a56611364b34a1c0a17dabd
Author: estark <estark@chromium.org>
Date: Wed Jun 07 19:42:38 2017

Drop SSLv3 cache entries

SSLv3 is gone so we no longer need to load cache entries. Doing so allows us to remove SSLv3 logic from UI surfaces, as I've done for Page Info in this CL.

BUG= 652505
Review-Url: https://codereview.chromium.org/2923403002
Cr-Commit-Position: refs/heads/master@{#477730}

[modify] https://crrev.com/3bd7dd5df8fae5704a56611364b34a1c0a17dabd/chrome/browser/ui/page_info/page_info.cc
[modify] https://crrev.com/3bd7dd5df8fae5704a56611364b34a1c0a17dabd/net/http/http_response_info.cc
[modify] https://crrev.com/3bd7dd5df8fae5704a56611364b34a1c0a17dabd/net/http/http_response_info_unittest.cc
Jun 7 2017
Above commit takes care of SSLv3, looks like renegotiation was removed at some point already.
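
Added example, not code from the Chromium tree or from this CL: a simplified model of the load-time gate discussed in this issue, where a cached response recorded as SSL 3.0 is treated as unreadable so that no UI surface ever has to handle that version. All type and function names, the bit layout of the status word, and the sample entries are assumptions constructed for illustration.

```cpp
// Added illustration; names and bit layout are assumptions, not Chromium code.
#include <cstdint>
#include <string>
#include <vector>

enum class TlsVersion : uint8_t { kUnknown = 0, kSsl3 = 2, kTls10 = 3, kTls12 = 5 };

// Constructed layout: protocol version in bits 20..22, cipher suite in the low 16.
constexpr uint32_t kVersionShift = 20;
constexpr uint32_t kVersionMask = 7;

struct CachedResponse {
  std::string url;
  uint32_t connection_status;  // recorded when the response was first fetched
};

TlsVersion VersionOf(const CachedResponse& r) {
  return static_cast<TlsVersion>((r.connection_status >> kVersionShift) & kVersionMask);
}

// Load-time gate: an entry fetched over SSL 3.0 is reported as a failed read,
// so the caller refetches it and later layers (page info, security panel)
// never see that version. This keeps the UI consistent; it is not provenance
// tracking for revalidations or range requests.
bool LoadEntry(const CachedResponse& stored, CachedResponse* out) {
  if (VersionOf(stored) == TlsVersion::kSsl3) return false;
  *out = stored;
  return true;
}

// Versions a UI surface could display after loading every entry in `cache`.
std::vector<TlsVersion> VisibleVersions(const std::vector<CachedResponse>& cache) {
  std::vector<TlsVersion> shown;
  CachedResponse loaded;
  for (const auto& entry : cache)
    if (LoadEntry(entry, &loaded)) shown.push_back(VersionOf(loaded));
  return shown;
}

// Helper that builds a constructed status word for the sample entries.
uint32_t Status(TlsVersion v) {
  return (static_cast<uint32_t>(v) << kVersionShift) | 0x002fu;
}

int main() {
  std::vector<CachedResponse> cache = {
      {"https://old.example/logo.png", Status(TlsVersion::kSsl3)},   // constructed
      {"https://new.example/app.js", Status(TlsVersion::kTls12)}};  // constructed
  return VisibleVersions(cache).size() == 1 ? 0 : 1;
}
```
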
Comment 1 by f...@chromium.org, Oct 6 2016