Cert pinning is not enforced on Desktop #24451

Closed
fmarier opened this issue Aug 4, 2022 · 5 comments · Fixed by brave/brave-core#14478

Comments

@fmarier
Member

fmarier commented Aug 4, 2022

Upstream recently changed how pinning is gated and when we merged that change, we added a fixed timestamp of Wed 13 Apr 2022 05:00:00 PM PDT. That stopped working a few weeks later because at that point the list is considered stale after 10 weeks.

Test URL (in Brave's pinning list): https://ssl-pinning.someblog.org/
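
A model of the staleness gate described in the comment above, added here as an example (it is not code from Chromium or brave-core). The fixed timestamp and the 10-week window come from the comment; the function names, the fail-open behaviour as modelled, and the 28-day release margin used in the check are assumptions.

```cpp
#include <cstdint>
#include <iostream>

// Constructed model of the gate; names are hypothetical, not Chromium's.
constexpr std::int64_t kSecondsPerDay = 86400;
constexpr std::int64_t kMaxListAgeDays = 70;  // "stale after 10 weeks"
// Wed 13 Apr 2022 05:00:00 PM PDT == 2022-04-14 00:00:00 UTC.
constexpr std::int64_t kFixedListTimestamp = 1649894400;
constexpr std::int64_t kIssueOpened = 1659571200;  // 2022-08-04 00:00:00 UTC

enum class Verdict { kAllow, kBlockPinMismatch };

// Whole days between the list timestamp and `now` (negative if in the future).
std::int64_t ListAgeDays(std::int64_t list_ts, std::int64_t now) {
  return (now - list_ts) / kSecondsPerDay;
}

bool PinListIsFresh(std::int64_t list_ts, std::int64_t now) {
  return ListAgeDays(list_ts, now) < kMaxListAgeDays;
}

// Outcome for a host on the pin list whose certificate chain is otherwise
// valid. A stale list fails open: the pins are not consulted at all.
Verdict CheckPinnedHost(bool chain_matches_pins, std::int64_t list_ts,
                        std::int64_t now) {
  if (!PinListIsFresh(list_ts, now)) return Verdict::kAllow;
  return chain_matches_pins ? Verdict::kAllow : Verdict::kBlockPinMismatch;
}

// Release-time check: days of enforcement a build shipped at `release_ts`
// still has. The margin passed to ReleaseGatePasses is an assumed policy value.
std::int64_t EnforcementDaysLeft(std::int64_t list_ts, std::int64_t release_ts) {
  std::int64_t age = ListAgeDays(list_ts, release_ts);
  return age >= kMaxListAgeDays ? 0 : kMaxListAgeDays - age;
}

bool ReleaseGatePasses(std::int64_t list_ts, std::int64_t release_ts,
                       std::int64_t min_days_left) {
  return EnforcementDaysLeft(list_ts, release_ts) >= min_days_left;
}

int main() {
  bool blocked = CheckPinnedHost(false, kFixedListTimestamp, kIssueOpened) ==
                 Verdict::kBlockPinMismatch;
  std::cout << "list age in days: " << ListAgeDays(kFixedListTimestamp, kIssueOpened)
            << "\nmismatched chain blocked: " << (blocked ? "yes" : "no") << "\n";
  return 0;
}
```

With the fixed timestamp the list goes stale on 2022-06-23 UTC, so a mismatched chain is allowed on the day the issue was opened; a check like `ReleaseGatePasses` run at release time would flag a timestamp that has too little enforcement time left.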

@fmarier
Member Author

fmarier commented Aug 4, 2022

I created a PR to do this manually, but the real fix is to automate updating this timestamp.

@fmarier
Member Author

fmarier commented Aug 5, 2022

@LaurenWags
Member

Requires 1.43.62 or above to test

@stephendonner

Verified PASSED using

Brave 1.43.62 Chromium: 104.0.5112.81 (Official Build) beta (x86_64)
Revision 5b7b76419d50f583022568b6764b630f6ddc9208-refs/branch-heads/5112@{#1309}
OS macOS Version 11.6.8 (Build 20G730)

Steps:

  1. installed 1.43.62
  2. launched Brave
  3. loaded https://ssl-pinning.someblog.org/
  4. clicked on Advanced

Confirmed I got the certificate-pinning error message


@MadhaviSeelam

Verification PASSED using

| Brave | 1.43.63 Chromium: 104.0.5112.81 (Official Build) beta (64-bit) |
| -- | -- |
| Revision | 5b7b76419d50f583022568b6764b630f6ddc9208-refs/branch-heads/5112@{#1309} |
| OS | Windows 11 Version 21H2 (Build 22000.795) |

  • install 1.43.63
  • launch Brave
  • visit https://ssl-pinning.someblog.org/

Verified pinning error message shown as expected

