
Issue 918278

Starred by 1 user

Issue metadata

Status: WontFix
Owner:
Closed: Jan 2
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug
Team-Security-UX




Incorrect display of an invalid certificate

Reported by slei.cas...@gmail.com, Dec 30

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

Steps to reproduce the problem:
1. Visit https://epay.12306.cn/pay/payGateway
2. Inspect the certificate

What is the expected behavior?
It should display as an invalid certificate. You can see the second screenshot I uploaded.

What went wrong?
Although the address bar says the certificate is invalid, if you inspect the certificate, it says it's a valid certificate.

Did this work before? N/A 

Chrome version: 71.0.3578.98  Channel: stable
OS Version: OS X 10.14.2
Flash Version: (none)

Attachments: WX20181230-171801@2x.png (130 KB), WX20181230-171820@2x.png (203 KB)
Cc: awhalley@google.com
Components: Internals>CertAnalysis
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Owner: asymmetric@chromium.org
Looks like this is MacOS saying the certificate is valid, while Chrome is claiming the certificate is invalid due to Symantec distrust. This is not a security bug, and probably not something we will fix, but I'll add our symantec distrusters anyway.
Labels: Needs-Triage-M71
Cc: swarnasree.mukkala@chromium.org
Labels: Needs-Feedback Triaged-ET
Able to reproduce the issue on the reported Chrome version 71.0.3578.98 using macOS 10.14 by following the steps in comment #0.
When testing the issue on Chrome version 64.0.3240.0, I observed that navigating to the link mentioned in comment #0 ("https://epay.12306.cn/pay/payGateway") shows a different UI and the connection is reported as secure.

Attached screenshots for reference.
@reporter: Could you please review the attached screenshots and let us know whether this can be considered good behaviour or not, so that it helps with further triaging of the issue?
Thanks!

Attachments: 918278_1.png (222 KB), 918278_2.png (280 KB)
Cc: -swarnasree.mukkala@chromium.org swarnasr...@chromium.orgm rsleevi@chromium.org
Status: WontFix (was: Unconfirmed)
Thanks for the report. Firstly, as you're likely aware, the certificate is being distrusted because of https://g.co/chrome/symantecpkicerts and should be replaced immediately.

The mismatch you're seeing is because the certificate detail UI is being provided by macOS. Chrome's distrust of the legacy Symantec PKI is stricter than Apple's current trust policy (though they are moving to distrust soon, too), so while Chrome does not trust the cert, macOS does.

I realise this is a bit confusing, but I'm afraid this isn't likely to be addressed, at least not while Chrome relies on macOS for the initial trust decision.
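The thread above describes a layered trust decision: the platform verifier (macOS) builds and validates the chain, and Chrome then applies its own Symantec distrust policy on top, so the same chain can be "valid" to one and rejected by the other. The following model, added here as an illustration and not Chromium or Apple code, shows that layering with a constructed chain. The SPKI hash strings, trust store contents and certificate names are placeholders, and the milestone thresholds (M66 for certificates issued before 1 June 2016, M70 for all remaining legacy Symantec certificates) follow Chrome's published distrust schedule; the exemption for independently operated sub-CAs is modelled with a placeholder list rather than the real intermediates.

```python
"""Model of Chrome's legacy Symantec distrust layered over a platform verifier.

Constructed example: the hashes, names and trust store below are placeholders,
and no signatures are checked. It demonstrates why a chain can be reported as
trusted by macOS and rejected by Chrome at the same time.
"""

from dataclasses import dataclass
from datetime import date
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki_hash: str      # stands in for the SHA-256 of the SubjectPublicKeyInfo
    not_before: date    # issuance date, used by the M66 phase of the policy


# Placeholder for the root SPKI hashes Chrome's distrust list is keyed on (assumed).
LEGACY_SYMANTEC_ROOT_SPKIS: Set[str] = {"spki:legacy-symantec-root"}
# Placeholder for the independently operated sub-CAs Chrome exempts (assumed).
EXEMPT_SUBCA_SPKIS: Set[str] = {"spki:exempt-subca"}
# Constructed platform trust store: the legacy root is still an anchor here.
MACOS_TRUST_STORE: Set[str] = {"spki:legacy-symantec-root", "spki:other-root"}


def platform_verify(chain: List[Cert], trust_store: Set[str]) -> bool:
    """Models the platform decision: issuer links are consistent and the
    chain ends in a trusted anchor. No additional CA-specific policy."""
    if not chain:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    return chain[-1].spki_hash in trust_store


def symantec_distrust_applies(chain: List[Cert], milestone: int) -> bool:
    """Chrome's extra policy, applied only after the platform accepted the chain."""
    if chain[-1].spki_hash not in LEGACY_SYMANTEC_ROOT_SPKIS:
        return False
    # Chains through an exempt, independently operated sub-CA are not distrusted.
    if any(c.spki_hash in EXEMPT_SUBCA_SPKIS for c in chain[1:-1]):
        return False
    if milestone >= 70:
        return True                                  # all legacy Symantec certs
    if milestone >= 66:
        return chain[0].not_before < date(2016, 6, 1)  # only older issuances
    return False                                     # earlier builds: no distrust


def chrome_verify(chain: List[Cert], trust_store: Set[str],
                  milestone: int) -> Tuple[bool, str]:
    """Platform result first, then Chrome's layered policy. Error names are
    Chrome's net error identifiers."""
    if not platform_verify(chain, trust_store):
        return False, "ERR_CERT_AUTHORITY_INVALID"
    if symantec_distrust_applies(chain, milestone):
        return False, "ERR_CERT_SYMANTEC_LEGACY"
    return True, "OK"


# Constructed chain: a 2018 leaf under a legacy Symantec intermediate and root.
LEAF = Cert("CN=epay.example", "CN=Legacy Symantec Intermediate",
            "spki:leaf", date(2018, 3, 1))
INTERMEDIATE = Cert("CN=Legacy Symantec Intermediate", "CN=Legacy Symantec Root",
                    "spki:legacy-intermediate", date(2013, 1, 1))
ROOT = Cert("CN=Legacy Symantec Root", "CN=Legacy Symantec Root",
            "spki:legacy-symantec-root", date(2006, 1, 1))
CHAIN = [LEAF, INTERMEDIATE, ROOT]

# Same leaf, but issued through a placeholder exempt sub-CA.
EXEMPT_INTERMEDIATE = Cert("CN=Legacy Symantec Intermediate", "CN=Legacy Symantec Root",
                           "spki:exempt-subca", date(2013, 1, 1))
EXEMPT_CHAIN = [LEAF, EXEMPT_INTERMEDIATE, ROOT]


if __name__ == "__main__":
    print("macOS verifier:", platform_verify(CHAIN, MACOS_TRUST_STORE))
    for m in (64, 66, 71):
        print(f"Chrome M{m}:", chrome_verify(CHAIN, MACOS_TRUST_STORE, m))
    print("Chrome M71, exempt sub-CA:", chrome_verify(EXEMPT_CHAIN, MACOS_TRUST_STORE, 71))
```

Running it reproduces the two observations in the thread: the platform verifier accepts the chain (which is what the macOS certificate viewer renders), Chrome 64 reports it as fine, and Chrome 71 rejects it with ERR_CERT_SYMANTEC_LEGACY even though the platform said yes. The practical check for a site operator is therefore not "does the OS viewer say valid" but "does the chain terminate in a legacy Symantec root without passing through an exempt sub-CA".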
