Issue 656182

Starred by 2 users

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug



Safari and Chrome reporting globalsign certificate invalid, hang on attempts to view certificate

Reported by j...@cloudview.com, Oct 14 2016

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36

Steps to reproduce the problem:
Issue is situational; some systems show it, some don't. It's not clear why.
https://www.ampproject.org and https://www.firebaseapp.com/ are showing the issue right now on several machines here.

What is the expected behavior?
Web site loads

What went wrong?
NET:ERR_CERT_REVOKED. Clearing the system /var/db/crls/crlcache2.db file doesn't fix it.

Attempting to view the cert in Chrome/Safari causes a beachball of doom for ~5 mins and eventually shows the certificate dialog with the Globalsign intermediate cert marked as revoked.

Did this work before? N/A 

Chrome version: 54.0.2840.59  Channel: stable
OS Version: OS X 10.12.0
Flash Version: Shockwave Flash 23.0 r0

See also https://downloads.globalsign.com/acton/attachment/2674/f-06d2/1/-/-/-/-/globalsign-incident-report-13-oct-2016.pdf
 

Comment 1 by mmoroz@chromium.org, Oct 17 2016

Cc: mmoroz@chromium.org elawrence@chromium.org
Components: Security>UX Internals>Network>SSL
Owner: f...@chromium.org
Status: Available (was: Unconfirmed)
felt@ and elawrence@, could you please help to triage this?
Cc: patricia...@chromium.org
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Globalsign's incident report explains why the browser correctly treated the certificate as revoked (namely, OCSP declared the intermediate certificate revoked), so there's no bug there.

Mention of Safari in "Attempting to view the cert in chrome/safari causes a beachball of doom for ~5 minutes" suggests the performance problem described may be external to Chrome.

https://cs.chromium.org/chromium/src/chrome/browser/ui/certificate_viewer_mac.mm?q=certificate+sheet&sq=package:chromium&dr=C&l=107 implies that we're doing work to not revocation-check in this codepath to avoid stalling the UI.

+patricialor@ as an expert on this UI.
As of OS X 10.7.2, that code path is no longer able to disable revocation checking. So the issues it mentions still apply :)

Comment 4 by j...@cloudview.com, Oct 17 2016

From a user perspective it's not clear if the hang is in the OSX keychain certificate display dialog or the browser. Either way, a bad cert shouldn't cause a beachball of doom that kills the whole browser UI for all tabs.
I agree, Apple should fix their APIs :)

Comment 6 by raymes@chromium.org, Nov 30 2016

Components: -Security>UX
Labels: Team-Security-UX

Comment 7 by f...@chromium.org, Dec 7 2016

Owner: ----

Comment 8 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 9 by est...@chromium.org, Feb 18 2018

Labels: -Hotlist-EnamelAndFriendsFixIt
