
Issue metadata

Status: Verified
Owner:
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac
Pri: 2
Type: Bug
Team-Security-UX


Hotlists containing this issue:
Security-UX-WebDev


Security Panel of Developer Tools should show meaningful error message for SubjectCN Deprecation

Project Member Reported by elawrence@chromium.org, Mar 21 2017

Issue description

Chrome Version: 59.0.3046.0

In Issue 308330, we deprecated SubjectCN matching in certificate analysis, but the Developer Tools' Security Panel makes no note of this.

We should show a warning if the certificate lacks SubjectAltNames.

We could tag the SecurityInfo with a specific security_info.san_missing boolean, then add an unauthenticated explanation as we do for SHA1:

https://cs.chromium.org/chromium/src/components/security_state/content/content_utils.cc?rcl=a0deb934a1ad2505bf0b9862adc8201cfcda0d68&l=222
Labels: Hotlist-Security-UX-WebDev
Labels: M-59 OS-Android OS-Chrome OS-Linux OS-Mac OS-Windows
Owner: rsleevi@chromium.org
Status: Started (was: Assigned)
Did this in https://codereview.chromium.org/2761333002/ 

Given that the strings aren't translatable, is it something we may want to consider for a merge? I leave that to y'all to determine once it lands.
Project Member

Comment 4 by bugdroid1@chromium.org, Mar 22 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/74a7a294c2802cf5b65bf0c0d4f44ba093aae216

commit 74a7a294c2802cf5b65bf0c0d4f44ba093aae216
Author: rsleevi <rsleevi@chromium.org>
Date: Wed Mar 22 04:47:58 2017

Add a DevTools warning for a missing subjectAltName

BUG= 703616 

Review-Url: https://codereview.chromium.org/2761333002
Cr-Commit-Position: refs/heads/master@{#458631}

[modify] https://crrev.com/74a7a294c2802cf5b65bf0c0d4f44ba093aae216/components/security_state/content/BUILD.gn
[modify] https://crrev.com/74a7a294c2802cf5b65bf0c0d4f44ba093aae216/components/security_state/content/content_utils.cc
[modify] https://crrev.com/74a7a294c2802cf5b65bf0c0d4f44ba093aae216/components/security_state/content/content_utils_unittest.cc
[modify] https://crrev.com/74a7a294c2802cf5b65bf0c0d4f44ba093aae216/components/security_state/core/security_state.cc
[modify] https://crrev.com/74a7a294c2802cf5b65bf0c0d4f44ba093aae216/components/security_state/core/security_state.h
[modify] https://crrev.com/74a7a294c2802cf5b65bf0c0d4f44ba093aae216/components/security_state/core/security_state_unittest.cc
[modify] https://crrev.com/74a7a294c2802cf5b65bf0c0d4f44ba093aae216/components/security_state_strings.grdp
[modify] https://crrev.com/74a7a294c2802cf5b65bf0c0d4f44ba093aae216/net/cert/x509_certificate.h
[modify] https://crrev.com/74a7a294c2802cf5b65bf0c0d4f44ba093aae216/net/cert/x509_certificate_ios.cc
[modify] https://crrev.com/74a7a294c2802cf5b65bf0c0d4f44ba093aae216/net/cert/x509_certificate_mac.cc
[modify] https://crrev.com/74a7a294c2802cf5b65bf0c0d4f44ba093aae216/net/cert/x509_certificate_nss.cc
[modify] https://crrev.com/74a7a294c2802cf5b65bf0c0d4f44ba093aae216/net/cert/x509_certificate_openssl.cc
[modify] https://crrev.com/74a7a294c2802cf5b65bf0c0d4f44ba093aae216/net/cert/x509_certificate_unittest.cc
[modify] https://crrev.com/74a7a294c2802cf5b65bf0c0d4f44ba093aae216/net/cert/x509_certificate_win.cc
[modify] https://crrev.com/74a7a294c2802cf5b65bf0c0d4f44ba093aae216/net/cert/x509_util_nss.cc
[modify] https://crrev.com/74a7a294c2802cf5b65bf0c0d4f44ba093aae216/net/cert/x509_util_nss.h

Cc: elawrence@chromium.org
Labels: Merge-Request-58
Status: Fixed (was: Started)
Requesting merge to M58, as that's when the deprecation is landing and when the impact on developers is likely to be greatest.
Project Member

Comment 6 by sheriffbot@chromium.org, Mar 22 2017

Labels: -Merge-Request-58 Merge-Review-58 Hotlist-Merge-Review
This bug requires manual review: there are .grd file changes and we are only 33 days from stable.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: Verified (was: Fixed)
The fix looks good.
Attachment: SANMissing.jpg (76.8 KB)
Labels: -Merge-Review-58 Merge-Approved-58
Yay for providing developers warnings.  Merge approved for M58 branch 3029.
Project Member

Comment 9 by bugdroid1@chromium.org, Mar 22 2017

Labels: -merge-approved-58 merge-merged-3029
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9fc258ccd72adb084aacbabe86a9c1829cc8217f

commit 9fc258ccd72adb084aacbabe86a9c1829cc8217f
Author: Ryan <rsleevi@chromium.org>
Date: Wed Mar 22 18:04:50 2017

Add a DevTools warning for a missing subjectAltName

BUG= 703616 

Review-Url: https://codereview.chromium.org/2761333002
Cr-Commit-Position: refs/heads/master@{#458631}
(cherry picked from commit 74a7a294c2802cf5b65bf0c0d4f44ba093aae216)

Review-Url: https://codereview.chromium.org/2770713002 .
Cr-Commit-Position: refs/branch-heads/3029@{#363}
Cr-Branched-From: 939b32ee5ba05c396eef3fd992822fcca9a2e262-refs/heads/master@{#454471}

[modify] https://crrev.com/9fc258ccd72adb084aacbabe86a9c1829cc8217f/components/security_state/content/BUILD.gn
[modify] https://crrev.com/9fc258ccd72adb084aacbabe86a9c1829cc8217f/components/security_state/content/content_utils.cc
[modify] https://crrev.com/9fc258ccd72adb084aacbabe86a9c1829cc8217f/components/security_state/content/content_utils_unittest.cc
[modify] https://crrev.com/9fc258ccd72adb084aacbabe86a9c1829cc8217f/components/security_state/core/security_state.cc
[modify] https://crrev.com/9fc258ccd72adb084aacbabe86a9c1829cc8217f/components/security_state/core/security_state.h
[modify] https://crrev.com/9fc258ccd72adb084aacbabe86a9c1829cc8217f/components/security_state/core/security_state_unittest.cc
[modify] https://crrev.com/9fc258ccd72adb084aacbabe86a9c1829cc8217f/components/security_state_strings.grdp
[modify] https://crrev.com/9fc258ccd72adb084aacbabe86a9c1829cc8217f/net/cert/x509_certificate.h
[modify] https://crrev.com/9fc258ccd72adb084aacbabe86a9c1829cc8217f/net/cert/x509_certificate_ios.cc
[modify] https://crrev.com/9fc258ccd72adb084aacbabe86a9c1829cc8217f/net/cert/x509_certificate_mac.cc
[modify] https://crrev.com/9fc258ccd72adb084aacbabe86a9c1829cc8217f/net/cert/x509_certificate_nss.cc
[modify] https://crrev.com/9fc258ccd72adb084aacbabe86a9c1829cc8217f/net/cert/x509_certificate_openssl.cc
[modify] https://crrev.com/9fc258ccd72adb084aacbabe86a9c1829cc8217f/net/cert/x509_certificate_unittest.cc
[modify] https://crrev.com/9fc258ccd72adb084aacbabe86a9c1829cc8217f/net/cert/x509_certificate_win.cc
[modify] https://crrev.com/9fc258ccd72adb084aacbabe86a9c1829cc8217f/net/cert/x509_util_nss.cc
[modify] https://crrev.com/9fc258ccd72adb084aacbabe86a9c1829cc8217f/net/cert/x509_util_nss.h

Cc: kavvaru@chromium.org
Labels: Needs-Feedback
Tested the issue on Windows 7, Ubuntu 14.04 and Mac 10.12.3 using Chrome version 58.0.3029.41 with the steps below:

1. Opened the non-secure URL https://pinningtest.appspot.com/
2. Opened Security in DevTools
3. Did not see the warning message as in screenshot #7.

rsleevi@ Could you please find the attached screenshot and confirm the expected behaviour?

Note: The URL "https://textslashplain.com/" mentioned in the screenshot opened as a secure webpage, hence another URL was used for testing.

Thanks,
Attachment: 703616.png (95.1 KB)
Testing this change requires a site use a certificate with a specific problem (no SubjectAltNames); the pinningtest certificate does not have that problem. 

Because public certificate authorities will not issue certificates with this problem, there's not a good public test page for this as far as I know. I do my testing by running sites through the Fiddler proxy with the legacy MakeCert generator enabled (makecert's certificates do not have SubjectAltNames). An alternative would be to stand up a local test server with a self-signed (but manually trusted) certificate that has this problem.

I've verified this fix in M59 (looks great!) but haven't looked at it in M58.
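The comment above describes the testing problem for this change: the warning only fires for a certificate that lacks a subjectAltName, and no public CA will issue one, so the tester needs a local certificate with exactly that defect. The following added example (not part of the Chromium issue or the commenter's own setup) shows the "local test server with a self-signed certificate" route with the openssl command-line tool: it builds one certificate that carries only a Subject CN and one that also carries a SAN, and a small check reports which of the two has the extension. File names, the `make_cert` and `has_san` function names and the `CN=localhost` subject are all constructed for the example; it assumes an openssl binary that supports `-addext` (1.1.1 or later).

```shell
#!/bin/sh
# Added example, not code from the Chromium issue.
# Builds two self-signed test certificates: one without subjectAltName
# (the condition the DevTools warning flags) and one with it, and
# reports whether a given PEM certificate carries the SAN extension.
set -eu

# Scratch directory for keys (constructed for this example).
WORK="${WORK:-$(mktemp -d)}"

# make_cert OUT_PEM [SAN_LIST]
# Self-signed certificate for CN=localhost. A subjectAltName extension is
# added only when a SAN list such as "DNS:localhost,IP:127.0.0.1" is given;
# without it, openssl req -x509 emits a CN-only certificate.
make_cert() {
  out="$1"
  san="${2:-}"
  key="$WORK/$(basename "$out" .pem).key"
  if [ -n "$san" ]; then
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
      -nodes -days 1 -subj "/CN=localhost" \
      -addext "subjectAltName=$san" \
      -keyout "$key" -out "$out" 2>/dev/null
  else
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
      -nodes -days 1 -subj "/CN=localhost" \
      -keyout "$key" -out "$out" 2>/dev/null
  fi
}

# has_san CERT_PEM
# Prints "yes" if the certificate contains an X509v3 Subject Alternative
# Name extension, "no" otherwise. Uses the textual dump so it works on
# openssl versions that predate the -ext option.
has_san() {
  if openssl x509 -in "$1" -noout -text 2>/dev/null \
       | grep -q "Subject Alternative Name"; then
    echo yes
  else
    echo no
  fi
}

# demo: create both certificates and show the check on each.
demo() {
  make_cert "$WORK/nosan.pem"
  make_cert "$WORK/san.pem" "DNS:localhost,IP:127.0.0.1"
  echo "nosan.pem has SAN: $(has_san "$WORK/nosan.pem")"
  echo "san.pem   has SAN: $(has_san "$WORK/san.pem")"
  echo "keys and certs are in $WORK"
}

if [ "${1:-}" = "demo" ]; then
  demo
fi
```

Run the script with the single argument `demo` to produce the two certificates. To reproduce the panel warning locally, serve the CN-only pair with `openssl s_server -accept 4433 -cert "$WORK/nosan.pem" -key "$WORK/nosan.key" -www`, trust nosan.pem manually in the test profile, and load https://localhost:4433/ in a build that contains the fix; the SAN-bearing certificate is the control that should load without the warning.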
Labels: -Hotlist-Merge-Review