[Pkg-chromium-maint] Bug#745646: closed by Michael Gilbert <mgilbert at debian.org> (Re: Bug#745646: chromium: certificate revocation is not checked)
Vincent Lefevre
vincent at vinc17.net
Tue Apr 29 01:09:19 UTC 2014
Control: reopen -1
On 2014-04-26 23:33:54 -0400, Michael Gilbert wrote:
> I haven't examined this in detail, but consider that Google probably
> doesn't want all chrome users hitting their servers at the same time.
After various tests, it doesn't seem to be the case (see below).
Note also that I haven't modified any of its conffiles.
To reproduce:
1. Move the .config/chromium away.
2. Start chromium.
3. Open chrome://components/
On my machine, it always says for CRLSet at this time:
CRLSet - Version: 0
I can reload several times (to see whether there was an
*automatic* update), and it's still the same.
4. Open https://www.cloudflarechallenge.com/ in a new tab.
On my machine, the page is opened with no errors/warnings,
even though the certificate has been revoked.
I can force a reload with Ctrl-Shift-R, and the page is
still reloaded with no errors/warnings.
5. Reload chrome://components/ -> it still gives:
CRLSet - Version: 0
6. Click on "Check for update" for CRLSet.
On my machine, this button gets greyed out. Two things can happen:
A. The CRLSet is downloaded. Most of the time, this is the case.
I can see the request with wireshark (but *not* before this manual
check for update), and if I reload the page, I get (currently):
CRLSet - Version: 1606
I can reload the cloudflarechallenge page with Ctrl-Shift-R, but
I don't always get a failure (perhaps because chromium doesn't
necessarily assume that the certificate has been revoked in the
meantime?). Anyway, if I quit chromium, restart it, reopen the
cloudflarechallenge page, and force a reload with Ctrl-Shift-R,
I get a failure due to the revoked certificate ("The certificate
that Chrome received during this connection attempt has been
revoked.") as expected.
B. The following happened only once:
Reloading https://www.cloudflarechallenge.com/ still shows:
CRLSet - Version: 0
and doing several other checks for update led to the same
problem. In wireshark, I couldn't see any request for the
CRLSet.
Note: no "Certificate Revocation Lists" file was stored in
.config/chromium (it normally gets created when an update
succeeds).
Just after this test, I retried after restarting chromium, and
the CRLSet could be downloaded with my first check for update
(then, see case A above).
The conclusion from these tests:
* The CRLSet doesn't seem to be updated automatically (and there
are no requests according to wireshark results).
* Even a manual check for update doesn't necessarily work, but
since according to wireshark results, there are no requests,
it seems to be an internal problem. And I got no error
messages.
* In particular, the CRLSet should be downloaded automatically
after the first chromium run (empty config) or before the first
https connection, but this is not done (no requests).
* When there was a request, it always succeeded, so that it seems
that Google doesn't deny access, or it should be very uncommon
(this would also be very strange, given the fact that Google
receives many more requests for its search engine, Google Maps
and so on).
So, something appears to be broken in Chromium.
Note also that a typical usage where checking for certificate
revocation is really necessary is when the user connects from a
public wifi hotspot to some site such as his bank (or generally
any site where a password is to be transmitted) for which the
private key of the old certificate has been retrieved due to
the Heartbleed bug (or for some other reason, e.g. due to past
compromise of the server). The user doesn't know anything
about the hotspot, and it might be owned by a malicious person.
This person, in addition to using the old (now revoked) certificate,
can control anything, in particular can block the request to the
CRLSet. So, any failure related to the CRLSet update should be
reported to the user in some way. The user mustn't be led to
think that the connection is safe and to the right site just
because some error hasn't been reported.
BTW, on another machine:
ypig:~> ll .config/chromium
-rw-r--r-- 1 vlefevre vlefevre 222916 2012-07-12 13:33:07 Certificate\ Revocation\ Lists
-rw------- 1 vlefevre vlefevre 27 2013-10-31 14:49:16 Channels
drwx------ 2 vlefevre vlefevre 4096 2014-02-28 12:42:46 Crash\ Reports/
drwx------ 9 vlefevre vlefevre 4096 2014-04-08 13:52:37 Default/
[...]
-rw-r--r-- 1 vlefevre vlefevre 4 2014-04-08 13:52:38 chrome_shutdown_ms.txt
[...]
So, even though I last used chromium on 2014-04-08, the CRLSet
was last downloaded on 2012-07-12. That's very old!
--
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
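
The check done by hand in the message above (is the "Certificate Revocation Lists" file present in the profile, and how old is it) can be scripted; the following is an added example, not part of the original message or of Chromium. It assumes the on-disk file is a full CRLSet laid out as a uint16le header length, a JSON header with "ContentType" and "Sequence" keys, then per-issuer serial lists; the 7-day threshold and the sample blob are constructed for illustration.

```python
import json
import os
import struct
import time

def build_sample_crlset(sequence):
    """Constructed sample blob: JSON header, one issuer, one revoked serial."""
    header = json.dumps({"Version": 0, "ContentType": "CRLSet",
                         "Sequence": sequence, "NumParents": 1}).encode()
    entry = b"\x11" * 32 + struct.pack("<I", 1) + b"\x02\x0a\x0b"
    return struct.pack("<H", len(header)) + header + entry

def parse_crlset(data):
    """Return (sequence, revoked serial count); ValueError if malformed."""
    if len(data) < 2:
        raise ValueError("truncated CRLSet")
    (hlen,) = struct.unpack_from("<H", data, 0)
    header = json.loads(data[2:2 + hlen])  # JSON errors are ValueErrors
    if not isinstance(header, dict) or header.get("ContentType") != "CRLSet":
        raise ValueError("not a full CRLSet")
    pos, serials = 2 + hlen, 0
    while pos < len(data):  # issuer SPKI hash (32) + uint32le serial count
        if pos + 36 > len(data):
            raise ValueError("truncated issuer entry")
        (count,) = struct.unpack_from("<I", data, pos + 32)
        pos += 36
        for _ in range(count):  # each serial: uint8 length + bytes
            if pos >= len(data):
                raise ValueError("truncated serial")
            pos += 1 + data[pos]
            serials += 1
    if pos != len(data):
        raise ValueError("truncated serial")
    return header["Sequence"], serials

def crlset_status(profile_dir, now=None, max_age_days=7):
    """Classify the CRLSet as missing, corrupt, stale or ok (7 days assumed)."""
    path = os.path.join(profile_dir, "Certificate Revocation Lists")
    if not os.path.exists(path):
        return ("missing", None)
    with open(path, "rb") as f:
        try:
            sequence, _ = parse_crlset(f.read())
        except (ValueError, KeyError):
            return ("corrupt", None)
    now = time.time() if now is None else now
    age_days = (now - os.path.getmtime(path)) / 86400
    return ("stale" if age_days > max_age_days else "ok", sequence)
```

Calling `crlset_status(os.path.expanduser("~/.config/chromium"))` returns a `(state, sequence)` pair that a monitoring job can alert on when the state is anything other than "ok".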