Issue 815219


Issue metadata

Status: Fixed
Owner:
Closed: Mar 2018
OS: Linux, Android, Windows, Chrome, Mac
Pri: 1
Type: Bug
Team-Security-UX




Add DevTools message for legacy Symantec certificates distrusted in M66

Project Member Reported by est...@chromium.org, Feb 23 2018

Issue description

To aid developers whose Symantec certificates no longer work in M66, add a DevTools console message. Because we can't be guaranteed to have the cert chain available from the cert verifier, this requires a new net error code and corresponding CertStatus flag. The new net error code also has the benefit of calling out the specific error on the interstitial, so that the problem can be diagnosed from a screenshot of the interstitial. We'll be able to reuse the new net error code for the next phase of distrust in M70.
 
Emily: Given that DevTools will open the security panel, not the console, on the error case, do we think a Console-specific message will be useful versus panel messaging? Just something I noticed when doing testing yesterday.

Comment 2 by est...@chromium.org, Feb 23 2018

I think it opens whatever panel you had open last. We could do both a console message and Security panel for maximum visibility. (Note that we'll get some visibility in security panel for "free" -- just by introducing the new net error code it'll say "This site is missing a valid, trusted certificate (net::ERR_CERT_LEGACY_SYMANTEC_ROOT)" rather than ERR_CERT_AUTHORITY_INVALID.)
Project Member

Comment 3 by bugdroid1@chromium.org, Feb 27 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c6ee87489cbf795120163c5374c4ac9fbcf373fa

commit c6ee87489cbf795120163c5374c4ac9fbcf373fa
Author: Emily Stark <estark@google.com>
Date: Tue Feb 27 16:00:17 2018

Add new net error code for legacy Symantec certificates

This CL adds a new net error code for legacy Symantec certificates that are
being distrusted in M66 and M70. The net error code will display on the
interstitial, allowing the specific problem to be diagnosed from just a
screenshot of the interstitial. We can also use it to decide when to put a
console message in DevTools.

Because there is code that maps net error -> CertStatus -> net error, this also
requires a new CertStatus flag for the error.

Bug:  815219 
Change-Id: Ic15d6c96f8bdef38c26157af13bbf099fee43b70
Reviewed-on: https://chromium-review.googlesource.com/934969
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#539439}
[modify] https://crrev.com/c6ee87489cbf795120163c5374c4ac9fbcf373fa/chrome/browser/ssl/ssl_error_assistant.cc
[modify] https://crrev.com/c6ee87489cbf795120163c5374c4ac9fbcf373fa/chrome/browser/ssl/ssl_error_assistant.proto
[modify] https://crrev.com/c6ee87489cbf795120163c5374c4ac9fbcf373fa/chrome/browser/ssl/ssl_error_handler.cc
[modify] https://crrev.com/c6ee87489cbf795120163c5374c4ac9fbcf373fa/components/certificate_reporting/cert_logger.proto
[modify] https://crrev.com/c6ee87489cbf795120163c5374c4ac9fbcf373fa/components/certificate_reporting/error_report.cc
[modify] https://crrev.com/c6ee87489cbf795120163c5374c4ac9fbcf373fa/components/ssl_errors/error_info.cc
[modify] https://crrev.com/c6ee87489cbf795120163c5374c4ac9fbcf373fa/components/ssl_errors/error_info.h
[modify] https://crrev.com/c6ee87489cbf795120163c5374c4ac9fbcf373fa/net/base/net_error_list.h
[modify] https://crrev.com/c6ee87489cbf795120163c5374c4ac9fbcf373fa/net/cert/cert_status_flags.cc
[modify] https://crrev.com/c6ee87489cbf795120163c5374c4ac9fbcf373fa/net/cert/cert_status_flags_list.h
[modify] https://crrev.com/c6ee87489cbf795120163c5374c4ac9fbcf373fa/net/cert/cert_verify_proc.cc
[modify] https://crrev.com/c6ee87489cbf795120163c5374c4ac9fbcf373fa/net/cert/cert_verify_proc_unittest.cc
[modify] https://crrev.com/c6ee87489cbf795120163c5374c4ac9fbcf373fa/tools/metrics/histograms/enums.xml
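
The round trip that the commit message above refers to, as an added sketch that is not Chromium's code: a toy model of net error -> CertStatus -> net error, showing that the specific error collapses to the generic authority error unless a dedicated status bit exists. The numeric values, the flag name and the function names are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed stand-ins: names echo the thread, numeric values are illustrative
// and are not Chromium's real constants.
enum NetError : int {
  NET_OK = 0,
  ERR_CERT_DATE_INVALID = -2,
  ERR_CERT_AUTHORITY_INVALID = -3,
  ERR_CERT_LEGACY_SYMANTEC_ROOT = -4,  // name as quoted in comment 2
};

using CertStatus = std::uint32_t;
constexpr CertStatus kDateInvalid = 1u << 0;
constexpr CertStatus kAuthorityInvalid = 1u << 1;
constexpr CertStatus kLegacySymantec = 1u << 2;  // hypothetical dedicated flag

// Net error -> status bits. With no dedicated bit, the Symantec error can only
// be recorded as the generic authority failure.
CertStatus ToCertStatus(NetError error, bool has_dedicated_flag) {
  switch (error) {
    case ERR_CERT_DATE_INVALID: return kDateInvalid;
    case ERR_CERT_AUTHORITY_INVALID: return kAuthorityInvalid;
    case ERR_CERT_LEGACY_SYMANTEC_ROOT:
      return has_dedicated_flag ? kLegacySymantec : kAuthorityInvalid;
    default: return 0;
  }
}

// Status bits -> net error, checking the most specific bit first.
NetError ToNetError(CertStatus status) {
  if (status & kLegacySymantec) return ERR_CERT_LEGACY_SYMANTEC_ROOT;
  if (status & kAuthorityInvalid) return ERR_CERT_AUTHORITY_INVALID;
  if (status & kDateInvalid) return ERR_CERT_DATE_INVALID;
  return NET_OK;
}

NetError RoundTrip(NetError error, bool has_dedicated_flag) {
  return ToNetError(ToCertStatus(error, has_dedicated_flag));
}

// Console logging keyed on the error code only works if the code survives.
bool ShouldLogSymantecMessage(NetError error) {
  return error == ERR_CERT_LEGACY_SYMANTEC_ROOT;
}

int main() {
  std::printf("without flag: %d\n",
              static_cast<int>(RoundTrip(ERR_CERT_LEGACY_SYMANTEC_ROOT, false)));
  std::printf("with flag:    %d\n",
              static_cast<int>(RoundTrip(ERR_CERT_LEGACY_SYMANTEC_ROOT, true)));
}
```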

Project Member

Comment 4 by bugdroid1@chromium.org, Feb 28 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b9badd48c531332137b25a715c38e9e3b662066a

commit b9badd48c531332137b25a715c38e9e3b662066a
Author: Emily Stark <estark@google.com>
Date: Wed Feb 28 01:45:55 2018

Add DevTools message for Symantec certs that have been distrusted

We already have logging for certs that are slated to be distrusted in a future
release. But we should also have a log message for certs that already have been
distrusted, to aid site owners in debugging. This CL adds logging for resources
that failed to load due to a legacy Symantec cert.

Note: this doesn't yet cover iframes, that'll have to be done separately.

Bug:  815219 
Change-Id: I24a51011ef8d92668c184ec8fbd2e89969497b71
Reviewed-on: https://chromium-review.googlesource.com/938973
Commit-Queue: Emily Stark <estark@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#539641}
[modify] https://crrev.com/b9badd48c531332137b25a715c38e9e3b662066a/chrome/browser/ssl/ssl_browsertest.cc
[modify] https://crrev.com/b9badd48c531332137b25a715c38e9e3b662066a/third_party/WebKit/Source/core/exported/LocalFrameClientImpl.cpp
[modify] https://crrev.com/b9badd48c531332137b25a715c38e9e3b662066a/third_party/WebKit/Source/core/exported/LocalFrameClientImpl.h
[modify] https://crrev.com/b9badd48c531332137b25a715c38e9e3b662066a/third_party/WebKit/Source/core/frame/LocalFrameClient.h
[modify] https://crrev.com/b9badd48c531332137b25a715c38e9e3b662066a/third_party/WebKit/Source/core/loader/DocumentLoader.cpp
[modify] https://crrev.com/b9badd48c531332137b25a715c38e9e3b662066a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
[modify] https://crrev.com/b9badd48c531332137b25a715c38e9e3b662066a/third_party/WebKit/Source/core/loader/FrameFetchContext.h
[modify] https://crrev.com/b9badd48c531332137b25a715c38e9e3b662066a/third_party/WebKit/Source/core/loader/FrameFetchContextTest.cpp
[modify] https://crrev.com/b9badd48c531332137b25a715c38e9e3b662066a/third_party/WebKit/Source/core/loader/WorkerFetchContext.cpp
[modify] https://crrev.com/b9badd48c531332137b25a715c38e9e3b662066a/third_party/WebKit/Source/core/loader/WorkerFetchContext.h
[modify] https://crrev.com/b9badd48c531332137b25a715c38e9e3b662066a/third_party/WebKit/Source/platform/loader/fetch/FetchContext.cpp
[modify] https://crrev.com/b9badd48c531332137b25a715c38e9e3b662066a/third_party/WebKit/Source/platform/loader/fetch/FetchContext.h
[modify] https://crrev.com/b9badd48c531332137b25a715c38e9e3b662066a/third_party/WebKit/Source/platform/loader/fetch/ResourceFetcher.cpp
[modify] https://crrev.com/b9badd48c531332137b25a715c38e9e3b662066a/third_party/WebKit/Source/platform/network/NetworkUtils.cpp
[modify] https://crrev.com/b9badd48c531332137b25a715c38e9e3b662066a/third_party/WebKit/Source/platform/network/NetworkUtils.h

Project Member

Comment 5 by bugdroid1@chromium.org, Mar 3 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/97a8accfcb1462c88d5e412c5d5a62300956769e

commit 97a8accfcb1462c88d5e412c5d5a62300956769e
Author: Emily Stark <estark@google.com>
Date: Sat Mar 03 02:45:52 2018

Log console message for distrusted Symantec iframe resources

We currently log a warning message for subresources that use Symantec
certificates that have been distrusted. This message didn't fire, however, for
iframe main resources because Blink isn't notified about them in the same way
as it is other failed resource loads. To log for iframe main resources, the
logging logic is moved in RenderFrameImpl (from LocalFrameClientImpl) and
called when a frame fails to load.

This doesn't work 100% reliably for OOPIFs because of https://crbug.com/817881.

Bug:  815219 
Change-Id: I961a3e664c0383a7ff81be7def6de17185501243
Reviewed-on: https://chromium-review.googlesource.com/943984
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Emily Stark <estark@chromium.org>
Cr-Commit-Position: refs/heads/master@{#540727}
[modify] https://crrev.com/97a8accfcb1462c88d5e412c5d5a62300956769e/chrome/browser/ssl/ssl_browsertest.cc
[modify] https://crrev.com/97a8accfcb1462c88d5e412c5d5a62300956769e/content/renderer/render_frame_impl.cc
[modify] https://crrev.com/97a8accfcb1462c88d5e412c5d5a62300956769e/content/renderer/render_frame_impl.h
[modify] https://crrev.com/97a8accfcb1462c88d5e412c5d5a62300956769e/third_party/WebKit/Source/core/exported/LocalFrameClientImpl.cpp
[modify] https://crrev.com/97a8accfcb1462c88d5e412c5d5a62300956769e/third_party/WebKit/Source/core/exported/LocalFrameClientImpl.h
[modify] https://crrev.com/97a8accfcb1462c88d5e412c5d5a62300956769e/third_party/WebKit/public/web/WebFrameClient.h

Labels: Merge-Request-66
Requesting a merge for the commit in #5. I've verified it in canary and it's covered by automated tests as well (SymantecMessageSSLUITest.DistrustedIframeResource).
Project Member

Comment 7 by sheriffbot@chromium.org, Mar 7 2018

Labels: -Merge-Request-66 Merge-Approved-66 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M66. Please go ahead and merge the CL to branch 3359 manually. Please contact milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 8 by bugdroid1@chromium.org, Mar 7 2018

Labels: -merge-approved-66 merge-merged-3359
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/52c2ad21d9d0c7d1bbcdca45c33ea9270e2ee402

commit 52c2ad21d9d0c7d1bbcdca45c33ea9270e2ee402
Author: Emily Stark <estark@google.com>
Date: Wed Mar 07 23:11:40 2018

Log console message for distrusted Symantec iframe resources

We currently log a warning message for subresources that use Symantec
certificates that have been distrusted. This message didn't fire, however, for
iframe main resources because Blink isn't notified about them in the same way
as it is other failed resource loads. To log for iframe main resources, the
logging logic is moved in RenderFrameImpl (from LocalFrameClientImpl) and
called when a frame fails to load.

This doesn't work 100% reliably for OOPIFs because of https://crbug.com/817881.

Bug:  815219 
Change-Id: I961a3e664c0383a7ff81be7def6de17185501243
Reviewed-on: https://chromium-review.googlesource.com/943984
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Emily Stark <estark@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#540727}
(cherry picked from commit 97a8accfcb1462c88d5e412c5d5a62300956769e)
Reviewed-on: https://chromium-review.googlesource.com/954082
Reviewed-by: Emily Stark <estark@chromium.org>
Cr-Commit-Position: refs/branch-heads/3359@{#78}
Cr-Branched-From: 66afc5e5d10127546cc4b98b9117aff588b5e66b-refs/heads/master@{#540276}
[modify] https://crrev.com/52c2ad21d9d0c7d1bbcdca45c33ea9270e2ee402/chrome/browser/ssl/ssl_browsertest.cc
[modify] https://crrev.com/52c2ad21d9d0c7d1bbcdca45c33ea9270e2ee402/content/renderer/render_frame_impl.cc
[modify] https://crrev.com/52c2ad21d9d0c7d1bbcdca45c33ea9270e2ee402/content/renderer/render_frame_impl.h
[modify] https://crrev.com/52c2ad21d9d0c7d1bbcdca45c33ea9270e2ee402/third_party/WebKit/Source/core/exported/LocalFrameClientImpl.cpp
[modify] https://crrev.com/52c2ad21d9d0c7d1bbcdca45c33ea9270e2ee402/third_party/WebKit/Source/core/exported/LocalFrameClientImpl.h
[modify] https://crrev.com/52c2ad21d9d0c7d1bbcdca45c33ea9270e2ee402/third_party/WebKit/public/web/WebFrameClient.h

Comment 9 by est...@chromium.org, Mar 16 2018

Status: Fixed (was: Assigned)
