
Issue 873690

Issue metadata

Status: WontFix
Owner: ----
Closed: Aug 13
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug
Team-Security-UX

Invalid SSL certificate accepted as secure!!

Reported by teo8...@gmail.com, Aug 13

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36

Steps to reproduce the problem:
(WARNING: example URL contains explicit sex content)

1. visit https://www.sexbarcelona.es/rosa

What is the expected behavior?
It should show the alert about an insecure connection, because the SSL certificate is invalid. Only by clicking "advanced" and "proceed at your own risk" (or whatever it's called) should one be allowed to browse the website, and even then the "https" and the lock icon on the left of the address bar should be red and with a strike-through line.

What went wrong?
It shows no warning, and it says "Secure" next to the address bar.

Try this from a command line:

p# wget https://www.sexbarcelona.es/rosa
--2018-08-13 18:20:03--  https://www.sexbarcelona.es/rosa
Resolving www.sexbarcelona.es (www.sexbarcelona.es)... 217.116.0.191
Connecting to www.sexbarcelona.es (www.sexbarcelona.es)|217.116.0.191|:443... connected.
ERROR: The certificate of `www.sexbarcelona.es' is not trusted.
ERROR: The certificate of `www.sexbarcelona.es' hasn't got a known issuer.

From another machine:
# wget https://www.sexbarcelona.es/rosa
wget: /usr/lib/libcrypto.so.0.9.8: no version information available (required by wget)
wget: /usr/lib/libssl.so.0.9.8: no version information available (required by wget)
--2018-08-13 18:18:37--  https://www.sexbarcelona.es/rosa
Resolving www.sexbarcelona.es... 217.116.0.191
Connecting to www.sexbarcelona.es|217.116.0.191|:443... connected.
ERROR: cannot verify www.sexbarcelona.es's certificate, issued by "/C=GB/ST=Bristol/L=Bristol/O=Basekit Ltd/OU=Certification Services/CN=*.invalid.domain/emailAddress=infrastructure@basekit.com":
  Self-signed certificate encountered.
ERROR: certificate common name "*.invalid.domain" doesn't match requested host name "www.sexbarcelona.es".
To connect to www.sexbarcelona.es insecurely, use '--no-check-certificate'.

Did this work before? N/A

Chrome version: 68.0.3440.75  Channel: n/a
OS Version: 
Flash Version: 

Firefox considers that secure, too, but it seems pretty evident that both browsers are wrong.

I chose "security" as the issue category because that's what I think it is, but I think access to the issue can be unrestricted to the public.
Components: UI>Browser>Interstitials Internals>Network>SSL
Status: Available (was: Unconfirmed)
Thanks for reporting! We're looking into this issue.
Maybe related to issue 873177.

Cc: carlosil@chromium.org
Status: WontFix (was: Available)
Looks like this is a site issue. The site sends a valid certificate to clients that send Server Name Information (like Chrome and Firefox), and an invalid one (the one you pasted) to clients that don't (like wget). Marking this as WontFix since Chrome is receiving a valid certificate and correctly marking it as valid.

(SSLLabs report that shows the issue: https://www.ssllabs.com/ssltest/analyze.html?d=www.sexbarcelona.es)
Labels: -Type-Bug-Security Type-Bug
Labels: -Restrict-View-SecurityTeam -Via-Wizard-Security
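A way to reproduce the diagnosis in the last comment, as an added example that is not part of the issue or of Chromium: the script connects to a host once with SNI and once without, and reports for each the leaf certificate's fingerprint, whether the chain verifies against the system trust store, and whether the certificate names the host. The target host is a command-line argument and the `hostname_matches` helper is a simplified stand-in for a browser's name check (SAN DNS entries, CN fallback, single-label wildcards).

```python
"""Check whether a TLS server picks its certificate based on SNI."""
import hashlib
import socket
import ssl
import sys


def hostname_matches(cert, host):
    """True if a decoded cert (ssl.getpeercert() dict) names host.

    Uses subjectAltName DNS entries, falling back to the subject CN only when
    no SAN is present. A wildcard covers exactly one leftmost label.
    """
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    h = host.lower().split(".")
    for name in names:
        n = name.lower().split(".")
        if n[0] == "*" and len(n) > 2:
            if len(h) == len(n) and h[0] and h[1:] == n[1:]:
                return True
        elif n == h:
            return True
    return False


def probe(host, port=443, send_sni=True, timeout=10):
    """Connect with or without SNI; return fingerprint, trust and name-match results."""
    sni = host if send_sni else None  # server_hostname=None means no SNI extension
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # hostname_matches() does the name check itself
    ctx.verify_mode = ssl.CERT_NONE   # pass 1: capture whatever certificate is served
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
    result = {"sni": send_sni, "sha256": hashlib.sha256(der).hexdigest(),
              "trusted": False, "name_ok": False}
    ctx.verify_mode = ssl.CERT_REQUIRED  # pass 2: does the chain verify?
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni) as tls:
                result["trusted"] = True
                result["name_ok"] = hostname_matches(tls.getpeercert(), host)
    except ssl.SSLError as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    target = sys.argv[1]  # e.g. python3 sni_probe.py www.example.test
    with_sni, without_sni = probe(target, send_sni=True), probe(target, send_sni=False)
    print(with_sni, without_sni, sep="\n")
    if with_sni["sha256"] != without_sni["sha256"]:
        print("Certificate differs by SNI: non-SNI clients see a different one.")
```

A server behaving like the one in this issue shows `trusted: True, name_ok: True` for the SNI probe and a different fingerprint with a verification error for the non-SNI probe.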
