[Pkg-chromium-maint] Bug#777083: chromium displays broken lock for https://www.facebookcorewwwi.onion with bad rationale

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Feb 4 20:56:19 UTC 2015


Package: chromium
Version: 40.0.2214.91-1
Severity: normal
Affects: tor

Dear Maintainer,

Facebook operates a tor hidden service at https://www.facebookcorewwwi.onion/

i've got the tor package installed, and i ran:

  chromium --proxy-server=socks5://localhost:9050 https://www.facebookcorewwwi.onion/

However, i get a broken lock in the URL bar.

I'm attaching the certificate and a screenshot here.

The rationale for that broken lock icon is:

-----------
The Identity of this website has not been validated.

The identity of the server you are connected to cannot be fully
validated.  You are connected to a server using a name only valid within
your network, which an external certificate authority has no way to
validate ownership of.  As some certificate authorities will issue
certificates for these names regardless, there is no way to ensure you
are connected to the intended website and not an attacker.
-----------

-------------- next part --------------
A non-text attachment was scrubbed...
Name: facebookcorewwwi.onion.chromium.png
Type: image/png
Size: 128835 bytes
Desc: screenshot of the error message
URL: <http://lists.alioth.debian.org/pipermail/pkg-chromium-maint/attachments/20150204/1597167a/attachment-0001.png>
-------------- next part --------------

However, .onion addresses are *not* "only valid within your network",
and the certificate in question (attached below) contains facebook's
.onion addresses (several of them) and is actually correctly certified
by Digicert, which chains back correctly to chromium's trusted roots.

In the source, this gets mapped back to NON_UNIQUE_NAME, which i believe
checks with the embedded copy of the public suffix list
(net/base/registry_controlled_domains/effective_tld_names.dat).

chromium should be willing to accept .onion addresses as legitimately
certified, even if they're not in the PSL.

Using firefox 35.0.1 in a similar fashion to visit the same URL does not
result in a degraded lock UI.

I'm separately trying to convince the PSL maintainers to include .onion
addresses:

 https://bugzilla.mozilla.org/show_bug.cgi?id=1129618

but even if they do not accept this recommendation, chromium shouldn't
show a deprecated UI when HTTPS is actually working to a .onion service.

In the meantime, please consider either adding .onion to chromium's
embedded copy of effective_tld_names.dat or (more narrowly) ensure that
.onion does not get flagged with a NON_UNIQUE_NAME UI deprecation.

           --dkg


PS i tried to submit this upstream at https://www.crbug.com/ as
recommended by /usr/share/bug/chromium/presubj, but it appears to
require a google account, which i don't have (or want).  Feel free to
forward this upstream if you think that's where it belongs.


-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages chromium depends on:
ii  libasound2           1.0.28-1
ii  libc6                2.19-13
ii  libcairo2            1.14.0-2.1
ii  libcap2              1:2.24-6
ii  libcups2             1.7.5-10
ii  libdbus-1-3          1.8.12-3
ii  libexpat1            2.1.0-6+b3
ii  libfontconfig1       2.11.0-6.3
ii  libfreetype6         2.5.2-2
ii  libgdk-pixbuf2.0-0   2.31.1-2+b1
ii  libglib2.0-0         2.42.1-1
ii  libgnome-keyring0    3.12.0-1+b1
ii  libgtk2.0-0          2.24.25-1
ii  libharfbuzz0b        0.9.35-2
ii  libjpeg62-turbo      1:1.3.1-11
ii  libnspr4             2:4.10.7-1
ii  libnspr4-0d          2:4.10.7-1
ii  libnss3              2:3.17.2-1.1
ii  libpango-1.0-0       1.36.8-3
ii  libpangocairo-1.0-0  1.36.8-3
ii  libpci3              1:3.2.1-3
ii  libspeechd2          0.8-7
ii  libspeex1            1.2~rc1.2-1
ii  libsrtp0             1.4.5~20130609~dfsg-1.1
ii  libstdc++6           4.9.1-19
ii  libudev1             215-10
ii  libx11-6             2:1.6.2-3
ii  libxcomposite1       1:0.4.4-1
ii  libxcursor1          1:1.1.14-1+b1
ii  libxdamage1          1:1.1.4-2+b1
ii  libxext6             2:1.3.3-1
ii  libxfixes3           1:5.0.1-2+b2
ii  libxi6               2:1.7.4-1+b2
ii  libxml2              2.9.1+dfsg1-4
ii  libxrandr2           2:1.4.2-1+b1
ii  libxrender1          1:0.9.8-1+b1
ii  libxslt1.1           1.1.28-2+b2
ii  libxss1              1:1.2.2-1
ii  libxtst6             2:1.2.2-1+b1
ii  x11-utils            7.7+2
ii  xdg-utils            1.1.0~rc1+git20111210-7.3

chromium recommends no packages.

Versions of packages chromium suggests:
ii  chromium-inspector  40.0.2214.91-1
pn  chromium-l10n       <none>

-- debconf-show failed

-------------- next part --------------
A non-text attachment was scrubbed...
Name: -.facebook.com
Type: application/x-x509-user-cert
Size: 2168 bytes
Desc: certificate for facebook including several .onion addresses
URL: <http://lists.alioth.debian.org/pipermail/pkg-chromium-maint/attachments/20150204/1597167a/attachment-0001.bin>
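
A simplified model of the check this report describes, added here as an illustration; it is not part of the original message and not Chromium's code. It assumes, as the report suggests, that a name is flagged when no entry of the suffix list matches it, and shows the narrower `.onion` exemption the report asks for. `ParseSuffixes`, `HasKnownSuffix`, `IsFlaggedNonUnique` and the sample list are hypothetical names and constructed data; hostnames are assumed lowercase with no trailing dot.

```cpp
#include <iostream>
#include <set>
#include <sstream>
#include <string>

// Constructed excerpt in the Public Suffix List file format (not real data).
static const char kSamplePsl[] =
    "// comment line\ncom\norg\nco.uk\n*.ck\n!www.ck\n";

// Parse PSL text into bare suffixes. The "*." and "!" markers are dropped,
// because this check only asks whether a suffix is known at all.
std::set<std::string> ParseSuffixes(const std::string& text) {
  std::set<std::string> out;
  std::istringstream in(text);
  std::string line;
  while (std::getline(in, line)) {
    std::string rule = line.substr(0, line.find_first_of(" \t\r"));
    if (rule.empty() || rule.compare(0, 2, "//") == 0) continue;
    if (rule[0] == '!') rule.erase(0, 1);
    if (rule.compare(0, 2, "*.") == 0) rule.erase(0, 2);
    out.insert(rule);
  }
  return out;
}

// True when some trailing run of labels in |host| is a listed suffix.
bool HasKnownSuffix(const std::set<std::string>& psl, std::string host) {
  for (;;) {
    if (psl.count(host)) return true;
    std::string::size_type dot = host.find('.');
    if (dot == std::string::npos) return false;
    host.erase(0, dot + 1);
  }
}

// Hypothetical stand-in for the NON_UNIQUE_NAME decision. With
// |exempt_onion| set, .onion hosts are never flagged (the narrow fix).
bool IsFlaggedNonUnique(const std::set<std::string>& psl,
                        const std::string& host, bool exempt_onion) {
  static const std::string kOnion = ".onion";
  bool onion = host.size() > kOnion.size() &&
      host.compare(host.size() - kOnion.size(), kOnion.size(), kOnion) == 0;
  if (exempt_onion && onion) return false;
  return !HasKnownSuffix(psl, host);
}

int main() {
  std::set<std::string> psl = ParseSuffixes(kSamplePsl);
  std::cout << IsFlaggedNonUnique(psl, "www.facebookcorewwwi.onion", false) << "\n";
}
```

The exemption in this model only changes the name-uniqueness flag; certificate chain validation is a separate step that is not modelled here.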