
Issue 65533

Starred by 23 users

Issue metadata

Status: Untriaged
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Feature




No method to check thumbprint of certificate received from website

Reported by blak...@gmail.com, Dec 6 2010

Issue description

Chrome Version       : <Copy from: 'about:version'>
URLs (if applicable) : 9.0.587.0 (Official Build 66374) dev
Other browsers tested: Firefox
Add OK or FAIL after other browsers where you have tested this issue:
  Firefox 3.x: OK


There is no way to access the SSL certificate information received from a website. This makes it impossible to create a simple extension that stores certificate thumbprints to notify on changes. 

Firefox allows extensions to call it with code similar to the following.
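// Legacy Firefox (XUL) extension code: read the SSL status of the current tab.
var ui = gBrowser.securityUI;
var sp = ui.QueryInterface(Components.interfaces.nsISSLStatusProvider);
var status = sp.SSLStatus;
status = status.QueryInterface(Components.interfaces.nsISSLStatus);
// serverCert is the certificate the site presented; show its SHA-1 thumbprint.
var cert = status.serverCert;
alert(cert.sha1Fingerprint);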

There is no security reason to not have access to the public certificate that can easily be caught in a packet capture.
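The thumbprint-tracking logic the report describes, as an added example that is not part of the original report or of any Chrome or Firefox code base. It assumes Node.js and assumes the DER-encoded certificate bytes are already in hand; `thumbprint` and `ThumbprintStore` are hypothetical names, and the sample bytes are constructed placeholders rather than real certificates.

```javascript
// Added example: trust-on-first-use thumbprint tracking, run under Node.js.
const { createHash } = require('node:crypto');

// Format a digest of the DER-encoded certificate as uppercase hex pairs
// separated by colons, the usual display form for a certificate thumbprint.
function thumbprint(derBytes, algorithm = 'sha256') {
  const hex = createHash(algorithm).update(derBytes).digest('hex').toUpperCase();
  return hex.match(/.{2}/g).join(':');
}

// Hypothetical store: host -> last accepted thumbprint.
// A real extension would persist this between browser sessions.
class ThumbprintStore {
  constructor() { this.seen = new Map(); }

  // Returns 'first-seen', 'unchanged' or 'changed' for this host's certificate.
  check(host, derBytes) {
    const key = host.toLowerCase();
    const current = thumbprint(derBytes);
    const previous = this.seen.get(key);
    if (previous === undefined) {
      this.seen.set(key, current);
      return { status: 'first-seen', current };
    }
    if (previous === current) return { status: 'unchanged', current };
    // Keep the old value until the user accepts the new certificate, so a
    // substituted certificate keeps being reported on every visit.
    return { status: 'changed', previous, current };
  }

  // Called after the user has verified the new certificate out of band.
  accept(host, derBytes) {
    this.seen.set(host.toLowerCase(), thumbprint(derBytes));
  }
}

// Constructed placeholder bytes standing in for two DER certificates.
const certA = Buffer.from('constructed-certificate-A');
const certB = Buffer.from('constructed-certificate-B');
```

A legitimate renewal also changes the thumbprint, so a `changed` result is a prompt to verify the new certificate, not proof of interception.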
 
Labels: -Type-Bug -Area-Undefined Type-Feature Area-Internals Feature-Extensions OS-All
Status: Available

Comment 2 Deleted

Comment 3 by aa@chromium.org, Dec 10 2010

Is this something that makes sense to expose through the web request API?

Comment 4 by blak...@gmail.com, Dec 10 2010

Yes, security state information like this should be public because it's stuff that is already available in plaintext to any observer of the TLS handshake.
Of course the private key shouldn't be exposed, but the public key is available to anyone that connects to the server. There isn't any reason to keep it from the end user.

This will allow extensions to monitor signing authorities for users in countries that pressure CAs into creating signing certificates for eavesdropping purposes.
Project Member

Comment 5 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Area-Internals -Feature-Extensions Cr-Internals Cr-Platform-Extensions
Is there any change on this issue? I really need the server certificate in my extension.
Cc: -erikkay@chromium.org
Cc: -mpcomplete@chromium.org
Project Member

Comment 9 by sheriffbot@chromium.org, Apr 14 2017

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been available for more than 365 days, and should be re-evaluated. Please re-triage this issue.
The Hotlist-Recharge-Cold label is applied for tracking purposes, and should not be removed after re-triaging the issue.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
