Security: Chrome on Windows 7 still accepts SHA-1 signed intermediate certificates erroneously
Reported by daniel.a...@gmail.com, May 20 2018
VULNERABILITY DETAILS
Chrome accepts SHA-1 signed intermediate certificates even though it is not supposed to, provided that the end entity certificate is signed using SHA-256. Chrome does not, however, show you the green lock icon. But you can still connect to the site without any SSL error page stopping or warning you. I have tested this on multiple computers running Windows 7. At least two of them have the same Chrome Version, Release channel, Windows Version, Windows Build and Service Pack 1 as shown down below.

VERSION
Chrome Version: 66.0.3359.181 stable
Operating System: Windows 7, version 6.1, build 7601: Service Pack 1

REPRODUCTION CASE
Visit https://sha1-intermediate.badssl.com/ (not my site) and see for yourself.
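The chain shape the report describes (a SHA-256 signed leaf under a SHA-1 signed intermediate), together with the policy check a verifier is expected to apply, as an added example that is not Chromium's or badssl's code. The certificates are constructed DER stand-ins with dummy tbsCertificate bodies; only the outer signatureAlgorithm of each certificate is parsed, and the trust anchor's own signature is skipped because path validation never verifies it.

```python
# Added example: flag a SHA-1 signature on any non-anchor cert, even under a SHA-256 leaf.
def _tlv(tag, body):  # DER tag-length-value, short or long-form length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def _read_tlv(buf, pos):  # returns (tag, body, position after the element)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n
def encode_oid(dotted):  # base-128 arcs with 0x80 continuation bit
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return _tlv(0x06, bytes(out))
# signature algorithm OIDs that use SHA-1 (RFC 3279 / RFC 5758), keyed by DER encoding
SHA1_SIG_OIDS = {encode_oid("1.2.840.113549.1.1.5"): "sha1WithRSAEncryption",
                 encode_oid("1.2.840.10045.4.1"): "ecdsa-with-SHA1"}
def make_stub_cert(sig_oid, label):
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    # tbsCertificate and signatureValue are dummies: a constructed stand-in, not a real cert
    alg = _tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")  # AlgorithmIdentifier + NULL params
    return _tlv(0x30, _tlv(0x30, _tlv(0x0C, label)) + alg + _tlv(0x03, b"\x00" * 33))
def signature_algorithm(cert_der):  # DER bytes of the outer signatureAlgorithm OID
    _, cert, _ = _read_tlv(cert_der, 0)   # outer Certificate SEQUENCE
    _, _, pos = _read_tlv(cert, 0)        # skip tbsCertificate
    _, alg, _ = _read_tlv(cert, pos)      # signatureAlgorithm SEQUENCE
    tag, oid, end = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    return alg[:end]
def sha1_findings(chain):
    # chain is leaf first, trust anchor last; the anchor's signature is not verified, so skip it
    findings = []
    for i, der in enumerate(chain[:-1]):
        name = SHA1_SIG_OIDS.get(signature_algorithm(der))
        if name:
            findings.append(("leaf" if i == 0 else f"intermediate[{i}]") + ": " + name)
    return findings
# constructed chain mirroring the report: SHA-256 leaf under a SHA-1 intermediate
CHAIN = [make_stub_cert("1.2.840.113549.1.1.11", b"leaf"),
         make_stub_cert("1.2.840.113549.1.1.5", b"intermediate"),
         make_stub_cert("1.2.840.113549.1.1.5", b"root")]
```

A verifier applying this policy rejects the constructed chain because of the intermediate alone, regardless of the leaf's SHA-256 signature.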
May 21 2018
As of Issue 588789, comment #40 this is working as expected for compatibility reasons.
May 21 2018
Yup, as Eric mentioned, WontFix/WAI for Windows for compat reasons, at least through 2019.
May 21 2018
Excuse me, but can I please ask rsleevi@ how this is for compatibility reasons? On IE 11 it rejects the certificate with a warning. On Firefox 60.0.1 too. Both on Windows 7 SP1. If they can block SHA-1 signed intermediate certificates, then Chrome would be able to do it too, am I correct? I know Firefox has its own SSL stack, but IE 11 surely uses the built-in Windows component, or am I wrong?
May 21 2018
Firefox has its own certificate verification stack, yes. Microsoft uses a "less-than-documented" API that has a host of other interactions that do not interact well with some of the other uses, and does not interact well with testing (and can vary based on Windows version). We've made an assessment on the basis of risk that intermediates pose versus the risks of the other API mitigations, and feel comfortable allowing this mitigation for the limited case of Windows 7 machines.
Aug 27
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, May 21 2018
Labels: OS-Windows
Owner: rsleevi@chromium.org
Status: Assigned (was: Unconfirmed)