Implement AIA fetching for Chrome in Android
Issue description

On most platforms, the system's certificate validation logic automatically fetches intermediate certificates that are needed to validate a certificate. However, Android certificate validation does not implement this logic, resulting in certificate errors for Android users when servers do not serve all the necessary certificates in their chain. Using data from Chrome’s Safe Browsing Extended Reporting program, we estimate that server chains with incorrect or missing intermediates account for >10% of all certificate validation errors in Chrome, and >30% of all certificate validation errors that occur in Chrome for Android. About 90% of the errors caused by missing or misconfigured intermediates occur on Android.

To mitigate this problem, we propose to implement intermediate fetching (aka AIA fetching) in Clank.

This is an implementation bug. I accidentally linked the CLs to the view-restricted launch bug, so I'm just filing this bug to have them listed publicly somewhere:

- 6f57ec35020860e39d1b6f520169bbeb9f3790a8
- 9a263789936233caabe908fbd02c256ac96ffbad
- d91e0b2cf276c7586e1f923771227ce3175d54ed
Feb 5 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/92dc22973ed15b4e4683d4ac73ea329763f65c25

commit 92dc22973ed15b4e4683d4ac73ea329763f65c25
Author: estark <estark@chromium.org>
Date: Sun Feb 05 20:33:16 2017

Add flag for AIA fetching and enable on waterfall

This CL adds a chrome://flags to enable AIA fetching on Android and also enables the feature on the waterfall.

BUG= 688272
Review-Url: https://codereview.chromium.org/2670143004
Cr-Commit-Position: refs/heads/master@{#448187}

[modify] https://crrev.com/92dc22973ed15b4e4683d4ac73ea329763f65c25/chrome/app/generated_resources.grd
[modify] https://crrev.com/92dc22973ed15b4e4683d4ac73ea329763f65c25/chrome/browser/about_flags.cc
[modify] https://crrev.com/92dc22973ed15b4e4683d4ac73ea329763f65c25/testing/variations/fieldtrial_testing_config.json
[modify] https://crrev.com/92dc22973ed15b4e4683d4ac73ea329763f65c25/tools/metrics/histograms/histograms.xml
Feb 7 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/40ec5a581b662b9f120e577df28363c3e5991990

commit 40ec5a581b662b9f120e577df28363c3e5991990
Author: estark <estark@chromium.org>
Date: Tue Feb 07 22:55:19 2017

Add AIA fetching feature info to certificate reports

This CL adds a bit to certificate reports to indicate whether the Android AIA fetching feature is enabled. This will be used to pull out examples of certificate error reports where AIA fetching was enabled but didn't help.

BUG= 688272
Review-Url: https://codereview.chromium.org/2682733003
Cr-Commit-Position: refs/heads/master@{#448763}

[modify] https://crrev.com/40ec5a581b662b9f120e577df28363c3e5991990/components/certificate_reporting/cert_logger.proto
[modify] https://crrev.com/40ec5a581b662b9f120e577df28363c3e5991990/components/certificate_reporting/error_report.cc
[modify] https://crrev.com/40ec5a581b662b9f120e577df28363c3e5991990/components/certificate_reporting/error_report_unittest.cc
Feb 10 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/96b1db92fdad353c2702419886d5732574eaab33

commit 96b1db92fdad353c2702419886d5732574eaab33
Author: estark <estark@chromium.org>
Date: Fri Feb 10 22:38:55 2017

Add UMA histogram for AIA fetching error codes

This CL records the net error code of AIA fetches attempted by CertVerifyProcAndroid. On canary AIA fetching is a bit less effective than I expected (kicking in successfully for ~30% of ERR_CERT_AUTHORITY_INVALID errors instead of expected ~50%), and I'm trying to narrow down if that is due to e.g. random network failures, or something else like insufficient path-building.

BUG= 688272
Review-Url: https://codereview.chromium.org/2680323003
Cr-Commit-Position: refs/heads/master@{#449769}

[modify] https://crrev.com/96b1db92fdad353c2702419886d5732574eaab33/net/cert/cert_verify_proc_android.cc
[modify] https://crrev.com/96b1db92fdad353c2702419886d5732574eaab33/tools/metrics/histograms/histograms.xml
Comment 1 by est...@chromium.org, Feb 3 2017