Security: Certificate details dialog on OS X can display the wrong certificate if you open it in two tabs simultaneously
Reported by
jo...@jonasledel.se,
Nov 21
Issue description

Not sure if this is actually a security bug or just UI, please advise if I should have posted this elsewhere.

-------------------------

VULNERABILITY DETAILS
If you have the certificate details dialog open in one tab, trying to open it in another tab will show the same dialog. An untrusted site can then have a "Valid certificate" (even though everything else still warns about it not being valid for that site, but in the dialog it looks like it is).

VERSION
Chrome Version: 70.0.3538.77 (Officiell version) (64 bitar)
Operating System: macOS Mojave, Version 10.14 on a MacBook Pro

REPRODUCTION CASE
Open two tabs, and go to google.com in the first, and somewhere with an invalid certificate in the other. In the first tab, click the lock in the address bar and then view the certificate details. Don't close the dialog. Go to the other tab, with an invalid certificate, and click the warning message in the address bar, and view the details of the invalid certificate. The same dialog will now appear, saying that the *.google.com certificate is valid.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
n/a

CREDIT INFORMATION
Externally reported security bugs may appear in Chrome release notes. If this bug is included, how would you like to be credited?
Reporter credit: Jonas Ledel
Nov 22
Nov 23
Able to reproduce the issue on the reported Chrome 70.0.3538.77 and latest beta 71.0.3578.62 using Mac 10.14.0. As we have got good and bad behavior on branch builds and as this issue seems to be fixed in latest canary, hence providing the reverse bisect information from https://omahaproxy.appspot.com/.

Bisect Info:
================
Good build: 72.0.3580.0
Bad build: 71.0.3578.62
CHANGELOG URL: https://chromium.googlesource.com/chromium/src/+log/71.0.3578.0..72.0.3580.0?pretty=fuller&n=10000
Reviewed-on: https://chromium-review.googlesource.com/c/1271935

Greg Kerr: Please confirm the issue and help in re-assigning if it is not related to your change. Adding RBS label for M-71, feel free to change it if not required. Thanks!
Nov 23
Nov 26
mac triage: avi@ knows some about these dialogs.
Nov 26
I'm looking at this, and this looks like it's due to our use of the old Cocoa constrained window code when we switched to MacViews. I switched to the Views code with https://chromium-review.googlesource.com/c/chromium/src/+/1277578 and https://chromium-review.googlesource.com/c/chromium/src/+/1282363 (partial fix for bug 891699) and so this works correctly in 72.0.3582.0. I can't imagine trying to merge this to m70 as we're doing a stable cut of m71 tomorrow. Is this something we want to try to merge to m71? I don't know how easy a merge this will be, although this area of code hasn't had much change and it's probably not terrible.
Nov 26
This bug requires manual review: We are only 7 days from stable. Please contact the milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), kbleicher@(ChromeOS), govind@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Nov 26
+awhalley@ (Security TPM) for M71 merge review. Pls note M71 is very close to stable promotion so we can take this merge in only if it is fully safe and critical. Thank you.
Nov 26
This can wait until M72. Thanks!
Nov 26
Closing then.
Nov 26
Comment 1 by mbarbe...@chromium.org, Nov 21
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam OS-Mac Type-Bug