enable certificate revocation

[diracdeltas]

https://revoked.badssl.com should show up as revoked on all platforms. this is the same issue as brave/browser-laptop#12510 but for brave-browser.

the underlying problem is that we don't use chrome's crlsets

[jumde]

Looks like this is fixed. On opening revoked.badssl.com with Brave | 0.53.3 Chromium: 69.0.3497.12 (Official Build) dev (64-bit). I can see the certificate error.

[jumde]

Spoke too soon:

On Windows: Brave 0.54.0 Chromium: 69.0.3497.32 (Official Build) dev (64-bit)

Same on Linux:

[bridiver]

@diracdeltas is this just the timeout for security features like HSTS?

[bridiver]

I'm pretty sure that's the issue because I just tried it on a local build and it worked fine

[diracdeltas]

No, it's the issue of CRLsets in Brave which are not enabled by default for embedders.

[diracdeltas]

@bridiver the test case works on high sierra; AFAIK it doesn't work on linux and windows

[bridiver]

I'll look, but I haven't found anything in the code that is different for google chrome builds

[diracdeltas]

@bridiver let me forward you an email thread from google security

[diracdeltas]

this is also a problem on MacOS - the test case might not work though depending on your system TLS settings

[srirambv]

Verification passed on

Brave	0.64.60 Chromium: 74.0.3729.91 (Official Build) beta(64-bit)
Revision	03844ed83e02b8add3f4b9cb859a7108d55b2e4d-refs/branch-heads/3729@{#860}
OS	Linux

• Verified test plan from Issue 518: Enabling CRLSets brave-core#652
• Verified Cert error message is shown on visiting the page
• Verified going into Advance info doesn't allow you to load the page

Verified passed with

Brave	0.64.72 Chromium: 74.0.3729.131 (Official Build) beta(64-bit)
Revision	518a41c1fa7ce1c8bb5e22346e82e42b4d76a96f-refs/branch-heads/3729@{#954}
OS	Mac OS X

• After navigating to https://revoked.badssl.com, verified that the 'Your connection is not private' message/warning is displayed and that clicking on 'Advanced' does not allow you to navigate to the site.
• Also after discussing with PJ, verified that when navigating to brave://components, CRLSets version is non-zero (macOS uses system CRLSets).
  

Verification passed on

Brave	0.64.72 Chromium: 74.0.3729.131 (Official Build) beta (64-bit)
Revision	518a41c1fa7ce1c8bb5e22346e82e42b4d76a96f-refs/branch-heads/3729@{#954}
OS	Windows 10 OS Build 17134.523

• Verified test plan from Issue 518: Enabling CRLSets brave-core#652
• Verified Cert error message is shown on visiting the page
• Verified going into Advance info doesn't allow you to load the page

[PoorPocketsMcNewHold]

This seems to doesn’t be the case anymore. I can access both of this website, and the grc revocation test.


Version 0.71.106 Chromium: 78.0.3904.70 (Official Build) beta (64 bits).

[jumde]

Thanks for the report @PoorPocketsMcNewHold.

1. Which OS are you using?
2. Are you able to reproduce this with a clean profile?
3. Can you navigate to brave://components, manually update crlsets and check if that works for you?

With a clean profile on 0.71.106 Chromium: 78.0.3904.70 (Official Build) beta (64-bit) :

I see that revoked.badssl.com gives the correct error:

and I see the same error page for revoked.grc.com:

[brokoler]

Please reopen this issue.
Cert revocation checks are not working with Windows build.

Websites tested:
https://www.grc.com/revocation.htm
https://revoked.badssl.com

All websites are opened, instead Brave should warn based on CRLsets that these are revoked.