Issue 756639 link

Starred by 1 user

Issue metadata

Status:	Fixed
Owner:	elawrence@chromium.org
Closed:	Nov 2017
Components:	UI>Browser>Omnibox>SecurityIndicators
EstimatedDays:	----
NextAction:	----
OS:	Chrome
Pri:	3
Type:	Bug
Hotlist-EnamelAndFriendsFixIt
Team-Security-UX

Show other hotlists

Hotlists containing this issue:
EnamelAndFriendsFixIt

SECURE_WITH_POLICY_INSTALLED_CERT shouldn't trump passive mixed content

Project Member Reported by elawrence@chromium.org, Aug 17 2017

Issue description

If your ChromeOS profile has ever[1] loaded a page with a policy-installed certificate, passive mixed content will NEVER downgrade the security level of any HTTPS page to non-secure (i) ever again due to an early return[2] in GetSecurityLevelForRequest.

If we cannot get rid of SECURE_WITH_POLICY_INSTALLED_CERT entirely, we should at least move the passive mixed-content check up above this return.

[1] https://cs.chromium.org/chromium/src/chrome/browser/ssl/security_state_tab_helper.cc?l=162&rcl=960de3d987f6b5e35fac71e448c2c4e73775fba7

[2] https://cs.chromium.org/chromium/src/components/security_state/core/security_state.cc?l=187&rcl=e678360b346017027dfa053388720abd3abed1ad

Comment 1 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Project Member

Comment 2 by bugdroid1@chromium.org, Nov 21 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/53f285604abd6224d940f04f2293614fdf1535d1

commit 53f285604abd6224d940f04f2293614fdf1535d1
Author: Eric Lawrence <elawrence@chromium.org>
Date: Tue Nov 21 20:36:59 2017

Mixed content and SHA1 should override SECURE_WITH_POLICY_INSTALLED_CERT

On ChromeOS, any prior observation of a policy-installed cert is an
indicator of a MITM being present (the enterprise). Previously, the
SECURE_WITH_POLICY_INSTALLED_CERT security level was returned even if
the page contained mixed content or used a SHA-1 certificate. Instead,
such problems should impact the security level instead of being ignored.

Bug:  756639 
Change-Id: I4e87fc6039eb76ff8b5b87612c5d0dc004ddd867
Reviewed-on: https://chromium-review.googlesource.com/779743
Reviewed-by: Emily Stark <estark@chromium.org>
Commit-Queue: Eric Lawrence <elawrence@chromium.org>
Cr-Commit-Position: refs/heads/master@{#518374}
[modify] https://crrev.com/53f285604abd6224d940f04f2293614fdf1535d1/components/security_state/core/security_state.cc
[modify] https://crrev.com/53f285604abd6224d940f04f2293614fdf1535d1/components/security_state/core/security_state.h
[modify] https://crrev.com/53f285604abd6224d940f04f2293614fdf1535d1/components/security_state/core/security_state_unittest.cc

Comment 3 by elawrence@chromium.org, Nov 27 2017

Status: Fixed (was: Assigned)

Comment 4 by dchan@chromium.org, Jan 22 2018

Status: Archived (was: Fixed)

Comment 5 by dchan@chromium.org, Jan 23 2018

Status: Fixed (was: Archived)

►

Issue 756639 link

Issue metadata

SECURE_WITH_POLICY_INSTALLED_CERT shouldn't trump passive mixed content

Issue description

Comment 1 by est...@chromium.org, Nov 10 2017

Comment 1 Deleted

Comment 2 by bugdroid1@chromium.org, Nov 21 2017

Comment 2 Deleted

Comment 3 by elawrence@chromium.org, Nov 27 2017

Comment 3 Deleted

Comment 4 by dchan@chromium.org, Jan 22 2018

Comment 4 Deleted

Comment 5 by dchan@chromium.org, Jan 23 2018

Comment 5 Deleted

Sign in to add a comment