
Issue 843524 link

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows , Mac
Pri: ----
Type: Bug-Security




Security: Google Chrome Trusting Revoked Certificates

Reported by isla...@aucegypt.edu, May 16 2018

Issue description


VERSION
Chrome Version: 66.0.3359.139 (Official Build)
Operating System: Microsoft Windows 10 and Mac OS X

REPRODUCTION CASE
Google Chrome accepts the revoked leaf certificate on the badssl.com domain intended for testing relying parties on digital certificates.
https://revoked.badssl.com/

 
Cc: rsleevi@chromium.org
Components: Internals>Network>Certificate
Labels: Needs-Feedback OS-Windows
See https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#What_s-the-story-with-certificate-revocation for background.

This behavior is expected for Chrome on Android (Issue 738805), but I thought the revoked.badssl.com certificate was in the CRLSet for desktop in general, so long as a CRL has been received (Issue 727816).

If you visit chrome://components, what do you see for the CRLSets entry?
I find this:
CRLSet - Version: 4460
Status - Component not updated

I think this is the issue. When I check for updates, it fails. Why do you think this behavior occurs?

FYI, Safari and Mozilla on the same machine detect that the certificate is revoked.
Project Member

Comment 3 by sheriffbot@chromium.org, May 17 2018

Cc: elawrence@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: OS-Mac
When you say "It fails" can you be specific about what message you see?

As of today, the current latest CRLSet Version is 4461.

Can you also confirm that *after* checking that the version number is 4460, you're still not seeing the revoked.badssl.com site throwing an HTTPS error page in the same browser? Also please confirm that your PC isn't running through any sort of security software that might be proxying the connection and replacing the certificate? (AV and enterprise proxy software often does this, for instance.)
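
Added example, not part of the bug thread and not Chromium code: the thread turns on whether the relying party's copy of the revocation data is current (a CRLSet stuck at one version behaves like a revocation list published before the revocation happened). The script below reproduces that situation locally with the openssl CLI: it builds a throwaway CA and leaf, publishes one CRL before revoking the leaf and one after, and asks `openssl verify -crl_check` what it concludes under a fresh CRL, a stale CRL, and no CRL at all. All names (Demo Root CA, revoked.example.test, stale.crl, fresh.crl) are made up for the example; nothing touches badssl.com or the network.

```shell
#!/bin/sh
# Added example: CRL-based revocation checking with the openssl CLI.
# A stale CRL (issued before the revocation) stands in for a CRLSet that
# never updated; a fresh CRL stands in for a current one. Everything is
# generated in a local directory, so the script runs offline.
set -eu

# setup_demo_pki DIR: create ca.crt, leaf.crt, stale.crl and fresh.crl in DIR.
setup_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    # Minimal 'openssl ca' configuration (names are hypothetical, not a real CA).
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_crl_days = 1
policy           = demo_policy

[ demo_policy ]
commonName = supplied
EOF
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"
    echo 01 > "$dir/crlnumber"

    # Self-signed root and a leaf for a made-up test host.
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=Demo Root CA" -days 2 2>/dev/null
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" -subj "/CN=revoked.example.test" 2>/dev/null
    openssl ca -batch -config "$dir/ca.cnf" -in "$dir/leaf.csr" -out "$dir/leaf.crt" \
        -days 1 -notext 2>/dev/null

    # CRL #1 is published while the leaf is still good ...
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/stale.crl" 2>/dev/null
    # ... then the leaf is revoked and CRL #2 carries that revocation.
    openssl ca -config "$dir/ca.cnf" -revoke "$dir/leaf.crt" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/fresh.crl" 2>/dev/null
}

# revocation_status DIR [CRLFILE]: print "good", "revoked" or "unknown".
# "unknown" is what a hard-fail relying party reports when it has no
# revocation data for the issuer at all (-crl_check with no CRL available).
revocation_status() {
    dir=$1
    crl=${2:-}
    if [ -n "$crl" ]; then
        set -- -CRLfile "$crl"
    else
        set --
    fi
    if out=$(openssl verify -crl_check -CAfile "$dir/ca.crt" "$@" "$dir/leaf.crt" 2>&1); then
        echo good
    else
        case $out in
            *"certificate revoked"*) echo revoked ;;
            *) echo unknown ;;
        esac
    fi
}

# crl_number FILE: the CRL's crlNumber (hex); a higher number means a newer
# list, the same role the CRLSet version plays in chrome://components.
crl_number() {
    openssl crl -in "$1" -noout -crlnumber | sed 's/^crlNumber=//'
}

# Stand-alone demo: the three answers a relying party can reach for one leaf.
work=$(mktemp -d)
setup_demo_pki "$work"
echo "fresh CRL (#$(crl_number "$work/fresh.crl")): $(revocation_status "$work" "$work/fresh.crl")"
echo "stale CRL (#$(crl_number "$work/stale.crl")): $(revocation_status "$work" "$work/stale.crl")"
echo "no CRL at all:   $(revocation_status "$work")"
rm -rf "$work"
```

The stale CRL is a valid, correctly signed list; it simply predates the revocation, so `openssl verify` reports the leaf as good. That is the failure mode to watch for when triaging a report like this one: before concluding that a browser "trusts revoked certificates", check which version of the revocation data it is actually holding and whether it is able to update it.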

Comment 5 by mmoroz@chromium.org, May 21 2018

Labels: Needs-Feedback
Adding Needs-Feedback label as per c#4.
Status: WontFix (was: Unconfirmed)
Closing due to lack of feedback and lack of repro. If you can reproduce this, please answer the questions in #4.
Project Member

Comment 7 by sheriffbot@chromium.org, Sep 3

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
