VULNERABILITY DETAILS

Windows 10 includes a feature called "Enterprise Certificate Pinning", which modifies the behavior of the CertVerifyCertificateChainPolicy and WinVerifyTrust API calls.  When Enterprise Certificate Pinning is enabled, both API calls check whether the certificate chain includes a trust anchor specified in the Enterprise Certificate Pinning configuration.  More information about Enterprise Certificate Pinning is at https://docs.microsoft.com/en-us/windows/security/identity-protection/enterprise-certificate-pinning .

As far as I can tell based on looking at verbose debug output of Microsoft's tools, Enterprise Certificate Pinning works by making the aforementioned API calls return the error code 0x80092010 (CRYPT_E_REVOKED) or 0x800b010f (CERT_E_CN_NO_MATCH), depending on whether Enterprise Certificate Pinning is configured to produce non-bypassable or bypassable errors, respectively.

Chrome doesn't seem to notice when an Enterprise Certificate Pinning error occurs; while Edge shows a TLS error, Chrome loads the website without showing any errors.  This occurs regardless of which of the two possible error codes Enterprise Certificate Pinning is configured to produce.  It definitely looks like Chrome is calling the correct API's, because Enterprise Certificate Pinning does log the pinning failures to the Windows event log.  I infer that Chrome is just ignoring the errors rather than canceling the TLS handshake.

VERSION

Chrome Version: Version 71.0.3553.2 (Official Build) canary (32-bit)
Operating System: Windows 10 Pro, Version 1803, OS build 17134.285

REPRODUCTION CASE

Save the attached PinRulesBitcoin.xml.  Then create a subdirectory of the directory where PinRulesBitcoin.xml is placed, named "BitcoinCerts".  Place a DER-encoded end-entity certificate in that directory that doesn't correspond to the www.bitcoin.org certificate (I used the end-entity certificate that's served when visiting https://www.badssl.com/ ).

Then run the following two commands from a command prompt while in the working directory where PinRulesBitcoin.xml is located (the latter must be run as an elevated user):

certutil -f -v -generatePinRulesCTL PinRulesBitcoin.xml PinRulesBitcoin.ctl
certutil -setreg chain\PinRules @PinRulesBitcoin.ctl

Then, visit https://www.bitcoin.org/ in both Edge and Chrome.

EXPECTED BEHAVIOR

Both Edge and Chrome should show a TLS error indicating that the certificate has been revoked.

OBSERVED BEHAVIOR

Edge behaves as expected; Chrome loads the website without showing any errors.

ADDITIONAL NOTES

I wasn't sure whether to submit this as a security bug or a general bug.  Probably depends on whether correct behavior of OS-level certificate pinning is considered security-related by the Chromium project.  If you think it's not a security bug, that's fine, feel free to reclassify accordingly -- I'd just rather that you make that call rather than me making it for you.
 

Deleted: PinRulesBitcoin.xml 220 bytes

PinRulesBitcoin.xml 220 bytes View Download