Issue 907413

Issue metadata

Status: WontFix
Owner:
Closed: Nov 26
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug-Regression




Security: Certificate details dialog on OS X can display the wrong certificate if you open it in two tabs simultaneously

Reported by jo...@jonasledel.se, Nov 21

Issue description

Not sure if this is actually a security bug or just UI, please advise if I should have posted this elsewhere.

-------------------------

VULNERABILITY DETAILS
If you have the certificate details dialog open in one tab, trying to open it in another tab will show the same dialog. An untrusted site can then have a "Valid certificate" (even though everything else still warns about it not being valid for that site, but in the dialog it looks like it is).

VERSION
Chrome Version: 70.0.3538.77 (Officiell version) (64 bitar)
Operating System: macOS Mojave, Version 10.14 on a MacBook Pro

REPRODUCTION CASE
Open two tabs, and go to google.com in the first, and somewhere with an invalid certificate in the other.

In the first tab, click the lock in the address bar and then view the certificate details. Don't close the dialog.

Go to the other tab, with an invalid certificate, and click the warning message in the address bar, and view the details of the invalid certificate. The same dialog will now appear, saying that the *.google.com certificate is valid.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
n/a

CREDIT INFORMATION
Externally reported security bugs may appear in Chrome release notes. If
this bug is included, how would you like to be credited?
Reporter credit: Jonas Ledel

 
Skärmavbild 2018-11-21 kl. 10.04.16.png
Components: UI>Browser>CertificateViewer
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam OS-Mac Type-Bug
Based on the level of interaction I don't think we need to treat this as a vulnerability, though it certainly sounds like a bug. Flipping some labels around.
Labels: Needs-Triage-M70
Cc: phanindra.mandapaka@chromium.org
Labels: -Type-Bug RegressedIn-71 Triaged-ET Target-71 M-71 FoundIn-71 FoundIn-70 Pri-1 Type-Bug-Regression
Owner: kerrnel@chromium.org
Status: Assigned (was: Unconfirmed)
Able to reproduce the issue on the reported Chrome 70.0.3538.77 and latest beta 71.0.3578.62 using Mac 10.14.0. As we have got good and bad behavior on branch builds and as this issue seems to be fixed in the latest canary, providing the reverse bisect information from https://omahaproxy.appspot.com/.

Bisect Info:
================
Good build: 72.0.3580.0
Bad build:  71.0.3578.62

CHANGELOG URL:
https://chromium.googlesource.com/chromium/src/+log/71.0.3578.0..72.0.3580.0?pretty=fuller&n=10000

Reviewed-on: https://chromium-review.googlesource.com/c/1271935

Greg Kerr: Please confirm the issue and help in re-assigning if it is not related to your change. Adding RBS label for M-71; feel free to change it if not required.

Thanks!
Labels: -RegressedIn-71 RegressedIn-70
Labels: -Pri-1 -M-71 -Target-71 Target-73 M-73 Pri-2
Owner: a...@chromium.org
mac triage: avi@ knows some about these dialogs.
Labels: Merge-Request-71
I'm looking at this, and this looks like it's due to our use of the old Cocoa constrained window code when we switched to MacViews. I switched to the Views code with https://chromium-review.googlesource.com/c/chromium/src/+/1277578 and https://chromium-review.googlesource.com/c/chromium/src/+/1282363 (partial fix for bug 891699) and so this works correctly in 72.0.3582.0.

I can't imagine trying to merge this to m70 as we're doing a stable cut of m71 tomorrow. Is this something we want to try to merge to m71? I don't know how easy a merge this will be, although this area of code hasn't had much change and it's probably not terrible.
Project Member

Comment 7 by sheriffbot@chromium.org, Nov 26

Labels: -Merge-Request-71 Hotlist-Merge-Review Merge-Review-71
This bug requires manual review: We are only 7 days from stable.
Please contact the milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), kbleicher@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: awhalley@google.com
+awhalley@ (Security TPM) for M71 merge review.

Pls note M71 is very close to stable promotion so we can take this merge in only if it is fully safe and critical. Thank you.

Comment 9 Deleted

This can wait until M72. Thanks!
Status: WontFix (was: Assigned)
Closing then.
Labels: -Merge-Review-71 Merge-Rejected-71
