Issue 688272

Issue metadata

Status: Fixed
Owner:
Closed: Feb 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 2
Type: Bug

Blocking:
issue 657549



Implement AIA fetching for Chrome in Android

Project Member Reported by est...@chromium.org, Feb 3 2017

Issue description

On most platforms, the system's certificate validation logic automatically fetches intermediate certificates that are needed to validate a certificate. However, Android certificate validation does not implement this logic, resulting in certificate errors for Android users when servers do not serve all the necessary certificates in their chain. Using data from Chrome’s Safe Browsing Extended Reporting program, we estimate that server chains with incorrect or missing intermediates account for >10% of all certificate validation errors in Chrome, and >30% of all certificate validation errors that occur in Chrome for Android. About 90% of the errors caused by missing or misconfigured intermediates occur on Android. To mitigate this problem, we propose to implement intermediate fetching (aka AIA fetching) in Clank.

This is an implementation bug. I accidentally linked the CLs to the view-restricted launch bug, so I'm just filing this bug to have them listed publicly somewhere:

- 6f57ec35020860e39d1b6f520169bbeb9f3790a8
- 9a263789936233caabe908fbd02c256ac96ffbad
- d91e0b2cf276c7586e1f923771227ce3175d54ed
 
Blocking: 657549
Project Member

Comment 3 by bugdroid1@chromium.org, Feb 7 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/40ec5a581b662b9f120e577df28363c3e5991990

commit 40ec5a581b662b9f120e577df28363c3e5991990
Author: estark <estark@chromium.org>
Date: Tue Feb 07 22:55:19 2017

Add AIA fetching feature info to certificate reports

This CL adds a bit to certificate reports to indicate whether the Android AIA
fetching feature is enabled. This will be used to pull out examples of
certificate error reports where AIA fetching was enabled but didn't help.

BUG= 688272 

Review-Url: https://codereview.chromium.org/2682733003
Cr-Commit-Position: refs/heads/master@{#448763}

[modify] https://crrev.com/40ec5a581b662b9f120e577df28363c3e5991990/components/certificate_reporting/cert_logger.proto
[modify] https://crrev.com/40ec5a581b662b9f120e577df28363c3e5991990/components/certificate_reporting/error_report.cc
[modify] https://crrev.com/40ec5a581b662b9f120e577df28363c3e5991990/components/certificate_reporting/error_report_unittest.cc

Project Member

Comment 4 by bugdroid1@chromium.org, Feb 10 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/96b1db92fdad353c2702419886d5732574eaab33

commit 96b1db92fdad353c2702419886d5732574eaab33
Author: estark <estark@chromium.org>
Date: Fri Feb 10 22:38:55 2017

Add UMA histogram for AIA fetching error codes

This CL records the net error code of AIA fetches attempted by
CertVerifyProcAndroid.

On canary AIA fetching is a bit less effective than I expected (kicking in
successfully for ~30% of ERR_CERT_AUTHORITY_INVALID errors instead of expected
~50%), and I'm trying to narrow down if that is due to e.g. random network
failures, or something else like insufficient path-building.

BUG= 688272 

Review-Url: https://codereview.chromium.org/2680323003
Cr-Commit-Position: refs/heads/master@{#449769}

[modify] https://crrev.com/96b1db92fdad353c2702419886d5732574eaab33/net/cert/cert_verify_proc_android.cc
[modify] https://crrev.com/96b1db92fdad353c2702419886d5732574eaab33/tools/metrics/histograms/histograms.xml
