Issue 695193

Issue metadata

Status: Duplicate
Merged: issue 686800
Owner: ----
Closed: Feb 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug

net::ERR_UNEXPECTED when visiting https://astrakhan.ru (an ETLD) in Chrome

Reported by grigoryd...@gmail.com, Feb 22 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce the problem:
1. Open https://astrakhan.ru in Chrome browser.
2. Open https://www.astrakhan.ru in Chrome browser.

What is the expected behavior?
Both websites should have a "secure" label

What went wrong?
While "https://www.astrakhan.ru" works just fine, Chrome shows a "net::ERR_UNEXPECTED" error for "https://astrakhan.ru", which leads to a "Not Secure" label in the address bar.

The issue can be reproduced on PCs/laptops/smartphones with Chrome. However, the "Not Secure" label appears only if you visited "https://astrakhan.ru" before the SSL certificate was installed. Firefox and IE are OK.

Did this work before? N/A 

Chrome version: 56.0.2924.87  Channel: stable
OS Version: 10.0
Flash Version:

 
Components: Internals>Network>SSL
Status: Untriaged (was: Unconfirmed)
There's definitely something weird going on with this site. It goes to "Not Secure" without an interstitial first.
Summary: net::ERR_UNEXPECTED when visiting https://astrakhan.ru (an ETLD) in Chrome (was: Issue with a HTTPS connection -- "net::ERR_UNEXPECTED")
The astrakhan.ru site is within the ICANN DOMAINS section of the list.

The PublicSuffixList.org site has the following to say:

"While some applications, such as browsers when considering cookie-setting, treat all entries the same, other applications may wish to treat ICANN domains and PRIVATE domains differently. For example, Certification Authorities checking for wildcard misissuance would not issue a "*.com" wildcard cert ("com" is in the ICANN domains list) but could legitimately issue a "*.appspot.com" wildcard cert to the domain owner, in this case Google ("appspot.com" is in the PRIVATE domains list)."

My reading here is that LetsEncrypt shouldn't have issued the certificate (as it's to a top-level-domain) and Chrome thus complains with a NON_UNIQUE_NAME error. https://cs.chromium.org/chromium/src/net/cert/cert_status_flags.cc?gsn=ERR_CERT_BEGIN&q=MapCertStatusToNetError&l=80
ends up mapping NON_UNIQUE_NAME to ERR_UNEXPECTED, for which we don't end up showing an interstitial.

Comment 4 by est...@chromium.org, Feb 22 2017

Cc: rsleevi@chromium.org
Components: Internals>Network>Certificate
sleevi: is it intentional that NON_UNIQUE_NAME gets mapped to ERR_UNEXPECTED? Also, is this cert for the astrakhan.ru TLD not supposed to exist?
re: comment #3/#4 - astrakhan.ru was removed from the public suffix list, which is why Let's Encrypt issued for it.

The issue is our copy of the PSL is out of date (it was scheduled for an update tomorrow)
Labels: -Restrict-View-SecurityTeam
Mergedinto: 686800
Status: Duplicate (was: Untriaged)
I'm going to merge this into Issue 686800, which is the tracker bug for the next update of the PSL, which is scheduled for Chrome 57. That will resolve the UI discrepancies.
Labels: -Type-Bug-Security Type-Bug
Does it mean that the "Secure" label will be available for Chrome 57+ versions only?
Correct
Well, that's bad news then.
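
The mismatch discussed in the comments above (a name removed from the public suffix list upstream but still present in a client's older copy) can be reproduced with a small matcher. This is an added example, not part of the original issue and not Chromium's code: it follows the matching algorithm published on publicsuffix.org, including wildcard and exception rules, and both rule sets and all function names are constructed for illustration.

```python
# Added example: Public Suffix List (PSL) matching per the publicsuffix.org algorithm.
# Both rule sets are constructed samples, not real PSL snapshots.
STALE_RULES = {"ru", "astrakhan.ru", "*.example", "!city.example"}
CURRENT_RULES = STALE_RULES - {"astrakhan.ru"}  # entry removed upstream


def _labels(host):
    return host.lower().rstrip(".").split(".")


def _matches(rule, labels):
    """True if rule matches the rightmost labels of the host ('*' = any one label)."""
    if len(rule) > len(labels):
        return False
    return all(r in ("*", h) for r, h in zip(rule, labels[-len(rule):]))


def public_suffix(host, rules):
    """Return the public suffix of host under the given rule set."""
    labels = _labels(host)
    best, exception = ["*"], None  # implicit default rule "*"
    for rule in rules:
        parts = rule.lstrip("!").split(".")
        if not _matches(parts, labels):
            continue
        if rule.startswith("!"):
            exception = parts          # an exception rule always prevails
        elif len(parts) > len(best):
            best = parts               # otherwise the longest match prevails
    n = len(exception) - 1 if exception else len(best)
    return ".".join(labels[len(labels) - n:])


def registrable_domain(host, rules):
    """Public suffix plus one label; None when host is itself a public suffix."""
    labels = _labels(host)
    n = len(public_suffix(host, rules).split("."))
    return None if len(labels) <= n else ".".join(labels[-(n + 1):])


def reclassified(hosts, old_rules, new_rules):
    """Hosts the old list treats as a bare public suffix but the new list does not."""
    return [h for h in hosts
            if registrable_domain(h, old_rules) is None
            and registrable_domain(h, new_rules) is not None]


if __name__ == "__main__":
    for h in ("astrakhan.ru", "www.astrakhan.ru"):
        print(h, registrable_domain(h, STALE_RULES), registrable_domain(h, CURRENT_RULES))
```

Running `reclassified` over an inventory of certificate hostnames against the old and new list shows which names a client with the older copy would still treat as a bare public suffix.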