
Issue 821938

Issue metadata

Status: Duplicate
Merged: issue 588789
Closed: Apr 2018
OS: Windows
Pri: 2
Type: Bug
Team-Security-UX




Developer Tools Security tab still shows the main origin as secure even if its intermediate issuer certificate is signed using SHA-1

Reported by 93m4qau...@gmail.com, Mar 14 2018

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3370.0 Safari/537.36

Steps to reproduce the problem:
1. Open https://sha1-intermediate.badssl.com.
2. Press Ctrl+Shift+I to open Developer Tools.
3. Click on the Security tab.
4. Press Ctrl+R to reload the page (while keeping Developer Tools open).
5. Look under "Main origin".

What is the expected behavior?
Since the certificate chain for the site contains a certificate signed using SHA-1, the main origin ("https://sha1-intermediate.badssl.com") is considered insecure.

What went wrong?
Even though the certificate chain for the site contains a certificate signed using SHA-1 - downgrading the security status in the omnibox and in the "Security overview" in Developer Tools - the main origin is still considered secure.

Did this work before? N/A

Chrome version: 67.0.3370.0  Channel: canary
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version:

Attachment: SHA1 Intermediate.PNG (120 KB)
Labels: Needs-Triage-M67
Cc: vamshi.kommuri@chromium.org
Labels: Triaged-ET M-67 Target-67 FoundIn-67
Status: Untriaged (was: Unconfirmed)
Thanks for filing the issue!

Able to reproduce the issue on the reported Chrome version 67.0.3370.0 using Windows 7 and on the latest canary 67.0.3375.0.
Note: the issue is not seen on Windows 10 or Ubuntu 14.04. Unable to check on Mac 10.13.1 as our network isn't allowing us to navigate to the given URL.
The issue is seen from M60 (60.0.3080.0), hence considering it a non-regression and marking it Untriaged.
Attaching the screenshot from M60 for reference.
Attachment: 821938 M60.PNG (263 KB)

Comment 3 by l...@chromium.org, Apr 2 2018

Cc: elawrence@chromium.org
Components: -Platform>DevTools Platform>DevTools>Security
Owner: est...@chromium.org
Status: Assigned (was: Untriaged)
Could elawrence@ or estark@ please take a look?
I believe this is working as expected due to a compatibility accommodation for Windows 7 path building. I can try and find the duplicate bug shortly.
Mergedinto: 767036
Status: Duplicate (was: Assigned)
This is expected behavior on Windows 7 only. Windows 7 does not provide sufficient control over how the chain is built, meaning that it may build a chain through a SHA-1 intermediate when a SHA-256 intermediate is also available.
Why is that bug view restricted? Is there sensitive security content in it, or is it just Google Chromium paranoia?
Mergedinto: -767036 588789
Okay, an unrestricted duplicate is here: https://bugs.chromium.org/p/chromium/issues/detail?id=588789#c35
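As an added example (not Chromium code, and not anything badssl.com ships), the following Python performs the check the reporter expected the Security tab to apply to the main origin: it reads the signatureAlgorithm OID out of each certificate in a chain, reports every SHA-1 signature below the trust anchor, and, when several candidate chains lead from the same leaf to the root, prefers the one that avoids the SHA-1-signed intermediate, which is the selection the comment above says the Windows 7 path builder cannot be made to perform. The certificates in the block are constructed stand-ins whose tbsCertificate is a stub and whose signatureValue is dummy bytes; only their signatureAlgorithm field is meaningful. The names fake_cert, choose_chain, CHAIN_VIA_SHA1 and CHAIN_VIA_SHA256 are this example's own.

```python
"""Added example (not Chromium code): locate SHA-1 signatures in a certificate chain.
A small DER reader pulls Certificate.signatureAlgorithm (RFC 5280 s4.1) from each
chain member; choose_chain() prefers a candidate chain with no SHA-1 below the root.
The certificates at the bottom are constructed stubs, not real X.509 certificates."""

# Signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758).
SIGNATURE_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}

def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(contents):
    """Decode OBJECT IDENTIFIER contents into dotted form."""
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Dotted OID of the algorithm the *issuer* used to sign this certificate."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, _tbs, pos = _read_tlv(body, 0)          # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)      # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)

def sha1_signed_members(chain):
    """Indices (leaf first) of chain members whose issuer signed them with SHA-1.
    The last element is the trust anchor: clients do not verify its self-signature
    and Chrome's SHA-1 policy exempts it, so it is skipped."""
    return [i for i, der in enumerate(chain[:-1])
            if signature_algorithm(der) in SHA1_OIDS]

def choose_chain(candidates):
    """Prefer a chain with no SHA-1 signature below the root, then the shortest."""
    return min(candidates, key=lambda c: (bool(sha1_signed_members(c)), len(c)))

# --- constructed sample data (stub certificates for this example only) ---------

def _der(tag, contents):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents

def _encode_oid(dotted):
    """Encode a dotted OID into OBJECT IDENTIFIER contents (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def fake_cert(sig_oid, label):
    """Stand-in certificate: stub tbsCertificate, real signatureAlgorithm layout,
    dummy signatureValue. Not a valid X.509 certificate (no key, no signature)."""
    tbs = _der(0x30, _der(0x0C, label))                                  # SEQUENCE { UTF8String }
    alg_id = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # { OID, NULL }
    return _der(0x30, tbs + alg_id + _der(0x03, b"\x00" * 9))            # + BIT STRING

SHA1_RSA, SHA256_RSA = "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"
LEAF = fake_cert(SHA256_RSA, b"leaf: sha1-intermediate.badssl.com")
ROOT = fake_cert(SHA256_RSA, b"root (trust anchor)")
# Same leaf, two ways to reach the root: a legacy SHA-1-signed intermediate or a
# SHA-256 cross-signed intermediate for the same issuer key.
CHAIN_VIA_SHA1 = [LEAF, fake_cert(SHA1_RSA, b"intermediate, SHA-1 signed"), ROOT]
CHAIN_VIA_SHA256 = [LEAF, fake_cert(SHA256_RSA, b"intermediate, SHA-256 signed"), ROOT]

if __name__ == "__main__":
    for name, chain in (("via SHA-1", CHAIN_VIA_SHA1), ("via SHA-256", CHAIN_VIA_SHA256)):
        algs = [SIGNATURE_NAMES[signature_algorithm(c)] for c in chain]
        print(name, algs, "SHA-1 below root at index:", sha1_signed_members(chain))
    best = choose_chain([CHAIN_VIA_SHA1, CHAIN_VIA_SHA256])
    print("preferred:", "via SHA-256" if best is CHAIN_VIA_SHA256 else "via SHA-1")
```

Run against real DER (for example the certificates printed by `openssl s_client -showcerts`, base64-decoded), signature_algorithm() returns the issuer's algorithm for each member, and sha1_signed_members() reproduces the "SHA-1 in chain" condition that the omnibox and Security overview downgrade on. The chain-selection step is the part Windows 7 does not expose: once the platform builder has picked the SHA-1 path, the browser is reporting a chain it never got to choose.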
