Incorrect "Certificate (valid)" in secure chip dropdown
Reported by mccarthy...@gmail.com, Aug 1
Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36

Steps to reproduce the problem:
1. Visit a site that has both an invalid certificate and a Safe Browsing interstitial.
2. Click through both interstitials (although note Issue 869894 may make this hard)
3. The secure chip has the exclamation mark and says "Dangerous" but the dropdown says "Certificate (valid)"

What is the expected behavior?
Dropdown should show "Certificate (Invalid)" like it does for the same error on a site like https://wrong.host.badssl.com/.

What went wrong?
"Certificate (Valid)" is shown for a certificate with mismatched name.

Did this work before? N/A

Chrome version: 68.0.3440.75 Channel: stable
OS Version:
Flash Version:

If the certificate interstitial is shown first then the dropdown correctly shows "Certificate (Invalid)" and the chip states "Not secure". However, this is overwritten by the Safe Browsing interstitial. Attached is a video.
Aug 1
Aug 2
Reporter@ - Thanks for filing the issue...!! Could you please provide a sample test file/url to test the issue from TE-end. This will help us in triaging the issue further. ccing carlosil@ from related issue id: 869894 for further inputs on this issue. Thanks...!!
Aug 2
Unfortunately, the phishing domain I was using to test (allaboutpeanut.net) has gone offline. The domain is still flagged by Safe Browsing though, so the issue can be reproduced locally by adding a "127.0.0.1 allaboutpeanut.net" line to /etc/hosts and serving a page over broken https on localhost. Then just go to https://allaboutpeanut.net. I have it reproducing locally if needed.
Aug 2
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 2
Also, forgot to mention in original report, similar behaviour was seen in Windows and Android Chrome too.
Aug 17
Tried testing the issue on ubuntu 17.10 and win-10 using latest stable #68.0.3440.106 by navigating to http://allaboutpeanut.net/. But observed that the secure chip has the exclamation mark and says "Dangerous" but the dropdown doesn't show any info regarding certificate. mccarthy.brianjames@ - Could you please provide any other sample url to test the issue from TE-end. Thanks...!!
Aug 22
Sorry, just seeing this; for some reason I didn't get an email. You can try https://phuonghoangtourist.com.vn/Login_Main.serv.xhtml.php (Un)fortunately phishing sites disappear quickly so it may be down by the time you look. This is the same thing: chip has "Dangerous" but dropdown shows "Certificate (Valid)". Thanks.
Aug 22
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 25
I figured out that I didn't get an email because it contained a phishing link, so Gmail sent it straight to spam. Replying again, just in case the same thing happened to the cc's here. Link in comment #8 still works as a test case. Make sure you use https so you get the broken cert as well as the Safe Browsing warning.
Sep 12
Thanks for the report. Confirmed that this happens on the URL in #8. Separate from this, I'll try to think if there's a decent way to add a "multiple interstitials" test domain somewhere. Given that this is affecting W/L/A, I'm going to speculatively also mark ChromeOS/Mac/Fuchsia, which have the same interstitials and security indicators. carlosil@ I'll put this in your queue for now. Do you think this will also be affected by committed interstitials (like Issue 869894)?
Comment 1 by swarnasree.mukkala@chromium.org, Aug 1