Issue metadata
Sign in to add a comment
|
Security: Invalid certificate accepted for one site is automatically allowed on another site
Reported by
sza...@gmail.com,
Dec 15 2017
|
||||||||||||||||||||||
Issue descriptionThis template is ONLY for reporting security bugs. If you are reporting a Download Protection Bypass bug, please use the "Security - Download Protection" template. For all other reports, please use a different template. VULNERABILITY DETAILS When using a self signed certificate and it is accepted on a domain, on the other domain the certificate issue is not popped. So if you accept a self signed cert its not related to domain name, its accepted for all site which uses that invalid cert. VERSION Chrome version: Latest stable REPRODUCTION CASE Create a self signed certificate. Add it to 2 domains, and accept it at one of these domains when browsing. Navigate to the other domain and the cert will be automatically accepted and there is no warning.
,
Dec 15 2017
This would indeed be a surprising finding. Can you please provide a network log demonstrating this claim? The instructions for doing so can be found here: https://dev.chromium.org/for-testers/providing-network-details Can you also provide the Chrome and OS version information?
,
Dec 18 2017
I'm not able to reproduce the described issue using either Chrome 63 or Chrome 65 on Windows.
,
Dec 18 2017
I'll reproduce it, and send necessary files, sorry I did not have time in the past days.
,
Dec 18 2017
Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Dec 19 2017
Still awaiting feedback from reporter.
,
Dec 22 2017
Howdy, original reporter. Can you please provide additional details requested in Comment #2? At present, this is not reproducible for us. Thanks! [Security impact and severity set tentatively based on what they're likely to be if the issue becomes reproducible]
,
Dec 22 2017
hey, yes I'll, I just didnt have time this week but i'll try to do my best and soon send more details.
,
Dec 22 2017
Thank you for providing more feedback. Adding requester "tsepez@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Dec 23 2017
,
Dec 23 2017
,
Dec 28 2017
,
Jan 2 2018
Without the needed data from the original reporter, this issue will need to be closed as inactionable.
,
Jan 4 2018
As noted in #3, I wasn't able to reproduce this in general. The one thing that might be interesting to look at is whether this is a case where HTTP/2 is in use and coalescing has occurred. Coalescing behavior can be surprising and confusing (see e.g. https://bugs.chromium.org/p/chromium/issues/detail?id=789843#c8) but I don't think we should be doing such coalescing in the face of a certificate error. If we do, that seems wrong.
,
Jan 6 2018
I'm so sorry for late response. I was issuing this at our customer's production system, but I can not roll back that system to that invalid state, so I'm trying to setup a dev sys where I can use the same ip and same certificate like there. In meanwhile I tried to reproduce it, but it was not that easy like I wrote on page, maybe something was special on the environment.
,
Jan 6 2018
Thank you for providing more feedback. Adding requester "rsesek@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 23 2018
Before we close this as not-repro, davidben@, rsleevi@ -- Is there anything here that is cause for concern? Is there any possibility that we're doing H2 coalescing in this scenario in a way where an accepted invalid certificate is allowed for a different host?
,
Jan 23 2018
So, the logic for H/2 (and QUIC) coalescing is all centered around SpdySession::CanPool(), which is supposed to reject all cert errors ('supposed to' as in - that's what the code is written to do - see https://cs.chromium.org/chromium/src/net/spdy/chromium/spdy_session.cc?rcl=4f39d6332f9986292ee753e016883d7823fb3741&l=679 )
So I don't think so, I hope not, but without more data, I don't think we have anything we can act on.
,
Jan 23 2018
I'm sorry about it to wasted your time for it. I'll ask my colleague to set that system certificates back to that certs, and I'll send more details if possible, hopefully on this week, maybe at weekend. Thank you for your patience.
,
Feb 6 2018
If you can get a reliable reproduction case or network logs, please feel free to open a new bug. Thanks!
,
May 15 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by dtapu...@chromium.org
, Dec 15 2017