enable certificate revocation #518

Closed
diracdeltas opened this issue Jul 10, 2018 · 17 comments · Fixed by brave/brave-core#652, brave/brave-core#997 or brave/brave-core#1581
Comments

@diracdeltas
Member

diracdeltas commented Jul 10, 2018

https://revoked.badssl.com should show up as revoked on all platforms. this is the same issue as brave/browser-laptop#12510 but for brave-browser.

the underlying problem is that we don't use chrome's crlsets

@diracdeltas diracdeltas added this to the Releasable builds milestone Jul 10, 2018
@jumde
Contributor

jumde commented Aug 16, 2018

Looks like this is fixed. On opening revoked.badssl.com with Brave 0.53.3 Chromium: 69.0.3497.12 (Official Build) dev (64-bit), I can see the certificate error.

[screenshot]

@jumde
Contributor

jumde commented Aug 16, 2018

Spoke too soon:

On Windows: Brave 0.54.0 Chromium: 69.0.3497.32 (Official Build) dev (64-bit)

[screenshot]

Same on Linux:
[screenshot]

@jumde jumde modified the milestones: Releasable builds 0.55.x, 1.0 Aug 16, 2018
@bridiver
Contributor

@diracdeltas is this just the timeout for security features like HSTS?

@bridiver
Contributor

I'm pretty sure that's the issue because I just tried it on a local build and it worked fine

@diracdeltas
Member Author

No, it's the issue of CRLsets in Brave which are not enabled by default for embedders.

@diracdeltas diracdeltas reopened this Aug 20, 2018
@diracdeltas
Member Author

@bridiver the test case works on high sierra; AFAIK it doesn't work on linux and windows

@bridiver
Contributor

I'll look, but I haven't found anything in the code that is different for google chrome builds

@diracdeltas
Member Author

@bridiver let me forward you an email thread from google security

@diracdeltas
Member Author

this is also a problem on MacOS - the test case might not work though depending on your system TLS settings

@rebron rebron modified the milestone: 1.x Backlog Feb 7, 2019
@bsclifton bsclifton added this to the 0.64.x - Nightly milestone Mar 15, 2019
@srirambv
Contributor

srirambv commented May 7, 2019

Verification passed on

Brave 0.64.60 Chromium: 74.0.3729.91 (Official Build) beta(64-bit)
Revision 03844ed83e02b8add3f4b9cb859a7108d55b2e4d-refs/branch-heads/3729@{#860}
OS Linux

Verification passed with

Brave 0.64.72 Chromium: 74.0.3729.131 (Official Build) beta(64-bit)
Revision 518a41c1fa7ce1c8bb5e22346e82e42b4d76a96f-refs/branch-heads/3729@{#954}
OS Mac OS X
  • After navigating to https://revoked.badssl.com, verified that the 'Your connection is not private' message/warning is displayed and that clicking on 'Advanced' does not allow you to navigate to the site.
  • Also after discussing with PJ, verified that when navigating to brave://components, CRLSets version is non-zero (macOS uses system CRLSets).
    [screenshot]

Verification passed on

Brave 0.64.72 Chromium: 74.0.3729.131 (Official Build) beta (64-bit)
Revision 518a41c1fa7ce1c8bb5e22346e82e42b4d76a96f-refs/branch-heads/3729@{#954}
OS Windows 10 OS Build 17134.523

@PoorPocketsMcNewHold

PoorPocketsMcNewHold commented Nov 1, 2019

This doesn’t seem to be the case anymore. I can access both this website and the grc revocation test.
[screenshot]
[screenshot]
Version 0.71.106 Chromium: 78.0.3904.70 (Official Build) beta (64 bits).

@jumde
Contributor

jumde commented Nov 1, 2019

Thanks for the report @PoorPocketsMcNewHold.

  1. Which OS are you using?
  2. Are you able to reproduce this with a clean profile?
  3. Can you navigate to brave://components, manually update crlsets and check if that works for you?

With a clean profile on 0.71.106 Chromium: 78.0.3904.70 (Official Build) beta (64-bit):

I see that revoked.badssl.com gives the correct error:

[screenshot]

and I see the same error page for revoked.grc.com:

[screenshot]

@brokoler

brokoler commented Sep 8, 2024

Please reopen this issue.
Cert revocation checks are not working with the Windows build.

Websites tested:
https://www.grc.com/revocation.htm
https://revoked.badssl.com

All websites are opened; instead, Brave should warn based on CRLsets that these are revoked.
