false report certificate pinning
Reported by market...@newint.com.au, Jun 5 2018
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1 Safari/605.1.15

Steps to reproduce the problem:
1. Chrome with Norton Security
2. https://digital.neiwnt.com.au
3. falsely reports NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN

What is the expected behavior?
In incognito mode and in other browsers all is OK - certificate changed over a week ago.

What went wrong?
False report: "Your connection is not private. Attackers might be trying to steal your information from digital.newint.com.au (for example, passwords, messages or credit cards). Learn more. NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN"

Did this work before? N/A

Chrome version: 67.0.3396.62  Channel: stable
OS Version: OS X 10.13.4
Flash Version:

I am getting similar sporadic reports from other users of our site https://digital.newint.com.au for the past 2 weeks.
Jun 5 2018

Yes, that's correct. Until a few weeks ago we were sending a Public-Key-Pins directive. Is there some way we can get rid of the old cached pinning? It's obviously unsatisfactory for our subscribers to have to wait for weeks for caches to clear automatically so that they can access their subscription magazines. Thanks.

Cheers,
Brian

Brian Loffler
Outreach Director - Eco-activism for a fair planet
marketing@newint.com.au
digital.newint.com.au
ph 08 8232 1563
New Internationalist Publications Pty Ltd, ABN 11 005 523 124
172 Gilles St, ADELAIDE SA 5000, AUSTRALIA
Jun 5 2018

It sounds like everything is working as expected then. The Public-Key-Pins header specifies how long it is valid for; servers may request caching for up to 60 days (https://codereview.chromium.org/1733973004). Individual users may remove pinning entries by visiting chrome://net-internals/#hsts. To fix this from the server side, you'll need to reprovision your server with a cert chain that contains a certificate with the pinned SPKI value.
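The mechanics behind this comment, as an added example (not Chromium code and not anything from the site operator): a parser for the Public-Key-Pins header, the pin-sha256 computation over a certificate's DER SubjectPublicKeyInfo, the client-side chain check that fails with ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN when no served certificate carries a cached pin, and the 60-day cap on how long clients keep the pins. The certificates are generated in-process on throwaway P-256 keys, the host name digital.example is a placeholder, and the header value is constructed; the scenario mirrors the report, where the pinned key was replaced by an unpinned one, and the remediation, where the chain is re-issued on a pinned (backup) key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"strconv"
	"strings"
	"time"
)

const chromeMaxAgeCap = 60 * 24 * time.Hour // Chrome honours an HPKP max-age of at most 60 days

// PinPolicy is the parsed form of a Public-Key-Pins header (RFC 7469).
type PinPolicy struct {
	Pins   map[string]bool // base64(SHA-256(DER SubjectPublicKeyInfo)) -> present
	MaxAge time.Duration
}

// ParsePublicKeyPins parses `pin-sha256="..."; pin-sha256="..."; max-age=N` and requires a backup pin.
func ParsePublicKeyPins(value string) (PinPolicy, error) {
	p := PinPolicy{Pins: map[string]bool{}}
	for _, directive := range strings.Split(value, ";") {
		name, val, _ := strings.Cut(directive, "=")
		name = strings.ToLower(strings.TrimSpace(name))
		val = strings.Trim(strings.TrimSpace(val), `"`)
		switch name { // directives not modelled here (includeSubDomains, report-uri) are ignored
		case "pin-sha256":
			digest, err := base64.StdEncoding.DecodeString(val)
			if err != nil || len(digest) != sha256.Size {
				return p, fmt.Errorf("pin-sha256 %q is not a base64 SHA-256 digest", val)
			}
			p.Pins[val] = true
		case "max-age":
			secs, err := strconv.ParseInt(val, 10, 64)
			if err != nil || secs < 0 {
				return p, fmt.Errorf("bad max-age %q", val)
			}
			p.MaxAge = time.Duration(secs) * time.Second
		}
	}
	if len(p.Pins) < 2 {
		return p, fmt.Errorf("policy has %d pin(s); RFC 7469 requires a backup pin as well", len(p.Pins))
	}
	return p, nil
}

// CachedUntil is when a client that saw the header at `seen` stops enforcing it (60-day cap applied).
func CachedUntil(seen time.Time, p PinPolicy) time.Time {
	if p.MaxAge > chromeMaxAgeCap {
		return seen.Add(chromeMaxAgeCap)
	}
	return seen.Add(p.MaxAge)
}

// SPKIPin computes the pin-sha256 value of a certificate's public key.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// ChainSatisfiesPins is the client check: a chain with no pinned SPKI is what Chrome reports as NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN.
func ChainSatisfiesPins(chain []*x509.Certificate, p PinPolicy) bool {
	for _, c := range chain {
		if p.Pins[SPKIPin(c)] {
			return true
		}
	}
	return false
}

// selfSigned builds a throwaway self-signed certificate on a fresh P-256 key (constructed test data, not a real cert).
func selfSigned(cn string) (*x509.Certificate, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen only fails if rand.Reader does
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	old, _ := selfSigned("digital.example")    // key the site pinned while it still sent the header
	backup, _ := selfSigned("digital.example") // backup pin named in the header, never deployed
	fresh, _ := selfSigned("digital.example")  // new key from the unplanned certificate change
	hdr := fmt.Sprintf(`pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains`, SPKIPin(old), SPKIPin(backup))
	p, _ := ParsePublicKeyPins(hdr)
	fmt.Println("new key alone passes pins:", ChainSatisfiesPins([]*x509.Certificate{fresh}, p))    // false
	fmt.Println("re-issue on backup key passes:", ChainSatisfiesPins([]*x509.Certificate{backup}, p)) // true
	fmt.Println("clients that saw the header today stop enforcing it at:", CachedUntil(time.Now(), p).Format(time.RFC3339))
}
```

Running it against a real deployment means replacing selfSigned with the certificates actually served (openssl s_client output parsed by x509.ParseCertificate) and the header value the server sent before the change; if ChainSatisfiesPins returns false for the new chain, every client that still caches the old policy will refuse the connection until CachedUntil passes or the chain is re-issued on one of the pinned keys, which is the server-side fix described in the comment.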
Jun 5 2018

Thank you.
Jun 6 2018
Comment 1 by elawrence@chromium.org, Jun 5 2018
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug