[Pkg-chromium-maint] Bug#745646: closed by Michael Gilbert <mgilbert at debian.org> (Re: Bug#745646: chromium: certificate revocation is not checked)

Vincent Lefevre vincent at vinc17.net
Tue Apr 29 01:09:19 UTC 2014 

Control: reopen -1

On 2014-04-26 23:33:54 -0400, Michael Gilbert wrote:
> I haven't examined this in detail, but consider that Google probably
> doesn't want all chrome users hitting their servers at the same time.

After various tests, it doesn't seem to be the case (see below).
Note also that I haven't modified any of its conffiles.

To reproduce:

1. Move the .config/chromium away.
2. Start chromium.
3. Open chrome://components/
   On my machine, it always says for CRLSet at this time:
     CRLSet - Version: 0
   I can reload several times (to see whether there was an
   *automatic* update), and it's still the same.
4. Open https://www.cloudflarechallenge.com/ in a new tab.
   On my machine, the page is opened with no errors/warnings,
   even though the certificate has been revoked.
   I can force a reload with Ctrl-Shift-R, and the page is
   still reloaded with no errors/warnings.
5. Reload chrome://components/ -> it still gives:
     CRLSet - Version: 0
6. Click on "Check for update" for CRLSet.
   On my machine, this button gets greyed out. Two things can happen:

A. The CRLSet is downloaded. Most of the time, this is the case.
   I can see the request with wireshark (but *not* before this manual
   check for update), and if I reload the page, I get (currently):
     CRLSet - Version: 1606

   I can reload the cloudflarechallenge page with Ctrl-Shift-R, but
   I don't always get a failure (perhaps because chromium doesn't
   necessarily assume that the certificate has been revoked in the
   mean time?). Anyway, if I quit chromium, restart it, reopen the
   cloudflarechallenge page, and force a reload with Ctrl-Shift-R,
   I get a failure due to the revoked certificate ("The certificate
   that Chrome received during this connection attempt has been
   revoked.") as expected.

B. The following happened only once:
   Reloading https://www.cloudflarechallenge.com/ still shows:
     CRLSet - Version: 0
   and doing several other checks for update lead to the same
   problem. In wireshark, I couldn't see any request for the
   CRLSet.
   Note: no "Certificate Revocation Lists" file was stored in
   .config/chromium (it normally gets created when an update
   succeeds).
   Just after this test, I retried after restarting chromium, and
   the CRLSet could be downloaded with my first check for update
   (then, see case A above).

The conclusion from these tests:
  * The CRLSet doesn't seem to be updated automatically (and there
    are no requests according to wireshark results).
  * Even a manual check for update doesn't necessarily work, but
    since according to wireshark results, there are no requests,
    it seems to be an internal problem. And I got no error
    messages.
  * In particular, the CRLSet should be downloaded automatically
    after the first chromium run (empty config) or before the first
    https connection, but this is not done (no requests).
  * When there was a request, it always succeeded, so that it seems
    that Google doesn't deny access, or it should be very uncommon
    (this would also be very strange, given the fact that Google
    receives much more requests for its search engine, Google Maps
    and so on).

So, something appears to be broken in Chromium.

Note also that a typical usage where checking for certificate
revocation is really necessary is when the user connects from a
public wifi hotspot to some site such as his bank (or generally
any site where a password is to be transmitted) for which the
private key of the old certificate has been retrieved due to
the Heartbleed bug (or for some other reason, e.g. due to past
compromission of the server). The user doesn't know anything
about the hotspot, and it might be owned by a malicious person.
This person, in addition to using the old (now revoked) certificate,
can control anything, in particular can block the request to the
CRLSet. So, any failure related to the CRLSet update should be
reported to the user in some way. The user mustn't be lead to
think that the connection is safe and to the right site just
because some error hasn't been reported.

BTW, on another machine:

ypig:~> ll .config/chromium
-rw-r--r-- 1 vlefevre vlefevre  222916 2012-07-12 13:33:07 Certificate\ Revocation\ Lists
-rw------- 1 vlefevre vlefevre      27 2013-10-31 14:49:16 Channels
drwx------ 2 vlefevre vlefevre    4096 2014-02-28 12:42:46 Crash\ Reports/
drwx------ 9 vlefevre vlefevre    4096 2014-04-08 13:52:37 Default/
[...]
-rw-r--r-- 1 vlefevre vlefevre       4 2014-04-08 13:52:38 chrome_shutdown_ms.txt
[...]

So, even though I last used chromium on 2014-04-08, the CRLSet
was last downloaded on 2012-07-12. That's very old!

-- 
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

More information about the Pkg-chromium-maint mailing list