
Issue 677970


Issue metadata

Status: WontFix
Owner: ----
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 2
Type: Bug


https page with invalid https iframe shown as secure

Reported by ake...@gmail.com, Jan 3 2017

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.59 Safari/537.36

Steps to reproduce the problem:
1. Go to https://hsy.fi/tekstiviesti
2. Look at URL bar, shows Secure
3. Open iframe https://secure.ums.no/hsy/ in separate tab. It has SHA-1 cert which is shown as Not secure

What is the expected behavior?
An iframe with insecure content should cause a mixed-content warning of some sort.

What went wrong?
hsy.fi has a valid SHA256 3-year certificate and shows as Secure.
iframe secure.ums.no has valid SHA1 5 year certificate ending in 2018 and shows as Not Secure when viewed in own tab

When used in an iframe, the SHA1 certificate is allowed without any warnings.

Did this work before? N/A 

Chrome version: 55.0.2883.59  Channel: beta
OS Version: debian/testing
Flash Version: Shockwave Flash 24.0 r0

Comment 1 by ajha@chromium.org, Jan 4 2017

Labels: Needs-Triage-M55
Components: Internals>Network>HTTP
Labels: -Needs-Triage-M55 Hotlist-HttpBad TE-NeedsTriageHelp OS-Mac OS-Windows
Added respective labels to triage further.
Components: -UI -Internals>Network>HTTP Internals>Network>Certificate Blink>SecurityFeature

Comment 4 by est...@chromium.org, Jan 12 2017

Cc: elawrence@chromium.org
Status: WontFix (was: Unconfirmed)
This is a bit weird but working as intended, and will work less weirdly in Chrome 56 on.

The iframe on the page has a SHA1-signed certificate, which we deprecated by downgrading the lock icon when the main page was loaded with a SHA1 cert. But we never (AFAIK) checked subresources for SHA1 or downgraded any security state for them. So a subresource with a SHA1 cert was considered perfectly good and valid.

In Chrome 56 and on, with a couple exceptions (such as a policy exception), SHA1 certificates are treated like other certificate errors. So the iframe in this page will be blocked just as if it had an expired certificate or any other certificate error. You can see this in action on Chrome Canary right now.

Comment 5 by ake...@gmail.com, Jan 12 2017

Updated to Chrome 56.0.2924.59 beta. Now hsy.fi/tekstiviesti shows just a big grey box with a sad face.
Although the error message says "site might be down" instead of "certificate error". Mostly the same to normal users though.

So now it works correctly, thanks. (More of an "alreadydone" than "wontfix" :)

Attachment: Screenshot_20170112_113606.png (26.5 KB)
