
Issue 799800

Starred by 2 users

Issue metadata

Status: Archived
Owner:
Closed: Mar 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug
Team-Security-UX




Omnibox indicates 'Not secure' for a short period after installation of a valid certificate.

Reported by p...@lo.vc, Jan 7 2018

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36

Steps to reproduce the problem:
1. Prepare a self-signed (i.e. untrusted) and a trusted certificate for the same domain on a webserver. Install the untrusted one.
2. Access the web server. Click through the 'untrusted' warning. The Omnibox will correctly indicate 'Not secure'.
3. Re-configure the web server to use the trusted certificate and restart it.
4. Re-load the page in Chrome. The Omnibox will still indicate 'Not secure'. Click the Indicator. The PageInfo bubble indicates 'Certificate: Valid', and the correct issuer.

What is the expected behavior?
Both the Omnibox and the PageInfo bubble should indicate a Secure connection and valid certificate.

What went wrong?
The Omnibox indicates that the connection is not secure. The PageInfo bubble indicates it is.

Did this work before? N/A 

Chrome version: 63.0.3239.84  Channel: stable
OS Version: 10.0
Flash Version: 

Closing the tab and opening the page in a new one resolved the issue.
 

Comment 1 by p...@lo.vc, Jan 7 2018

Attachment: chrome-omnibox-vs-pageinfo.png (31.3 KB)

Labels: Needs-Triage-M63
Components: Internals>Network>Certificate
Requesting someone from Internals>Network>Certificate team to please help us in looking into the issue.

Thanks...!!

Components: -UI UI>Browser>Omnibox>SecurityIndicators
Redirecting to UI>Browser>Omnibox>SecurityIndicators

I believe this is Working As Intended. Once you accept invalid certificates/potentially malicious content in a renderer process (whether active mixed scripting or invalid certificates), the renderer's security status is marked as compromised. That behaviour may have changed though - the UI team owns that :)

Owner: est...@chromium.org
Status: Assigned (was: Unconfirmed)
Assigning to estark@ to look into.

I suggest that if the insecure page is reloaded by the user and the page now has a valid certificate, that you destroy the renderer process and create a new, clean, secure one for the newly loaded site.

Reasoning: I don't know about the details of Chrome, but it seems sensible both to keep a once-tainted process tainted forever and to make the warning go away as soon as possible.

Comment 7 by est...@chromium.org, Jan 29 2018

Labels: Needs-Feedback
My guess is that there is a resource in the memory cache from the connection with the invalid certificate, and that is causing the page security state to be downgraded. To confirm, can you please take a screenshot of the DevTools security tab after reloading the page with the now-valid certificate?

Comment 8 by rch@chromium.org, Feb 21 2018

Friendly ping. Can you please provide the information requested in Comment #7? Otherwise we will need to close the bug because of inactivity.

Status: Archived (was: Assigned)
Archiving due to inactivity. ph@lo.vc, please file a new issue if you can reproduce with the information requested in #7.
