
Issue 871007

Issue metadata

Status: WontFix
Owner:
Closed: Aug 7
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug




"--disable-features=SSLCommonNameMismatchHandling" not working / breaching our security

Reported by arjuniet...@gmail.com, Aug 4

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:61.0) Gecko/20100101 Firefox/61.0

Steps to reproduce the problem:
 Issue 870739  in chromium: CNAME redirection possible to exploit

You can't close that issue, it's not that simple.

What is the expected behavior?
You gave me a non-working solution and closed the issue? Why?

What went wrong?
No, it didn't work for me. I launched Chrome as you guided, with the switch you said... same situation, not blocking even now.
And as you said, a technically incorrect statement: "IF SSL OF WWW IS PROVIDED SWITCHING BETWEEN WWW <----> NON WWW WILL BE SEEN, CNAME redirect will not be followed."

As per my understanding, the browser will first look up DNS, get redirected by CNAME, and then the TLS handshake begins and the SAN will be looked up for the domain in the request, and that is the CNAME-redirected one.

We are facing a potential security issue owing to it... please get it resolved.

Did this work before? N/A 

Chrome version: <Copy from: 'about:version'>  Channel: n/a
OS Version: OS X 10.12
Flash Version: 

Cc: mattm@chromium.org
Components: Internals>Network>SSL
Labels: Team-Security-UX
Owner: davidben@chromium.org
Status: Assigned (was: Unconfirmed)
Passing this over to davidben@ and mattm@ in case there was any misunderstanding in  issue 870739 .
 Issue 871008  has been merged into this issue.
In Google Chrome on my Ubuntu desktop, the feature SSLCommonNameMismatchHandling, even upon disabling, is not giving the expected result.
I am getting redirected to the non-www version.
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Needs-Feedback Type-Bug
I just tested and the --disable-features=SSLCommonNameMismatchHandling flag works for me. Make sure you have fully exited Chrome before trying, if Chrome is already running the flag won't take effect. Please try that and let us know if it works for you.

As for the rest, comment #4 on the other issue explains in detail what is happening: https://bugs.chromium.org/p/chromium/issues/detail?id=870739#c4
Once again, it has nothing to do with DNS CNAME and does not "breach your security".
I just tested and the --disable-features=SSLCommonNameMismatchHandling flag
works for me. Make sure you have fully exited Chrome before trying, if
Chrome is already running the flag won't take effect. Please try that and
let us know if it works for you.

Yes, it works, after I closed all earlier instances.
Status: WontFix (was: Assigned)
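
The point made in the thread, that certificate name matching has nothing to do with DNS CNAME, as an added Python illustration (not Chrome's code and not posted by anyone in this issue). The host names, SAN lists and CNAME chains are constructed, the wildcard rule is simplified, and `www_alternate`/`classify` are hypothetical helpers modelling the www/non-www mismatch case discussed above.

```python
# Added illustration; all names and certificate contents are constructed.

def matches(pattern: str, host: str) -> bool:
    """Simplified RFC 6125 match: exact, or '*' as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label (simplification).
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def verify(url_host: str, san_dns_names, cname_chain=()) -> bool:
    """The reference identity is the host from the URL.

    cname_chain is accepted only to make explicit that DNS answers
    are never consulted when the certificate names are checked.
    """
    return any(matches(san, url_host) for san in san_dns_names)

def www_alternate(url_host: str) -> str:
    """Hypothetical helper: toggle a leading 'www.' label."""
    if url_host.lower().startswith("www."):
        return url_host[4:]
    return "www." + url_host

def classify(url_host: str, san_dns_names, cname_chain=()) -> str:
    """Report a match, a www/non-www mismatch, or a plain mismatch."""
    if verify(url_host, san_dns_names, cname_chain):
        return "ok"
    alt = www_alternate(url_host)
    if verify(alt, san_dns_names):
        return "name-mismatch; certificate is valid for " + alt
    return "name-mismatch"

if __name__ == "__main__":
    # Certificate only lists the www name; user typed the bare domain.
    print(classify("example.test", ["www.example.test"]))
    # Certificate lists the CNAME target, not the name in the URL.
    print(classify("shop.example.test", ["edge.cdn.test"],
                   cname_chain=("edge.cdn.test",)))
```

The second case fails even though the certificate names the CNAME target, because only the host in the URL is compared with the certificate.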
