View Issue Details

IDProjectCategoryView StatusLast Update
0005129Talerotherpublic2023-04-04 17:54
ReporterFlorian Dold Assigned To 
PrioritynoneSeveritytextReproducibilityhave not tried
Status confirmedResolutionopen 
Target Versionpost-1.0 
Summary0005129: suggest to the appropriate standard(s) to add certificate information to XMLHttpRequest
DescriptionUsing this, we could check that/if the TLS cert contains the merchant public key.
TagsNo tags attached.

Relationships

related to 0004629 acknowledged certificates for merchant public keys aren't supported 

Activities

Christian Grothoff

2017-10-15 17:41

manager   ~0012481

While *I* understand this report, we should expand this bug report so that we can point others who work on standardization to it and ask for their help. In particular, we should expand the justification and what is required, and include links to previous requests along the same line in the respective fora (I remember there was some previous discussion on some Chome/Chromium bug tracker on this?).

Christian Grothoff

2017-10-31 09:10

manager   ~0012529

Google is removing support for HPKP:
https://www.heise.de/security/meldung/HTTPS-Verschluesselung-Google-verabschiedet-sich-vom-Pinning-3876078.html

This may be an opportunity to ask for an API to X.509 so that *plugins* can implement HPKP for users that want to have it. Given that tg wrote such a plugin in the past, he might be perfect to ask for it...

Christian Grothoff

2017-10-31 09:10

manager   ~0012530

tg, do you think you could help?

tg

2017-11-03 19:02

reporter   ~0012542

chrome/webextensions do not provide any APIs to access certificate information,
there's already an issue open about this for years and it's unlikely it's going to get implemented any time soon:
https://bugs.chromium.org/p/chromium/issues/detail?id=107793

article in English about the HPKP issue:
http://www.zdnet.com/article/google-chrome-is-backing-away-from-public-key-pinning-and-heres-why/

tg

2017-11-03 19:19

reporter   ~0012543

Last edited: 2017-11-03 19:19

Firefox is also deprecating their old plugin APIs
which allowed access to certificate information.
With the new webext APIs I'm not aware of any way to access this information..

For pinning, an idea I had would be to use webRequest.onHeadersReceived()
upon the first time a website is ever visited,
call a local program to fetch the pubkey to be pinned,
then inject a HPKP header with the pubkey
and a reporting URL pointing to an extension url if possible, or otherwise a local webserver,
which would allow showing a notification and remove previous pins
- https://developer.chrome.com/extensions/webRequest
- https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/webRequest/onHeadersReceived

But then of course this won't work if they're removing HPKP support.

Regarding the original issue, can't you just add a signature to the body of the response and check that?

Christian Grothoff

2017-11-03 20:24

manager   ~0012544

tg, I'm aware of all that (not your work-arounds, they won't work for us as far as I can tell).
My idea was that you could argue that to revive something like CertificatePatrol, it would be good/important to have such an API (again). You may be able to contact your plugin's user base for support, and or at least be vocal about it in the Chrome/Chromium bug tracker.

Florian Dold

2018-06-28 14:39

manager   ~0013105

Mozilla recently added an API to do exactly this: https://bugzilla.mozilla.org/show_bug.cgi?format=default&id=1322748

It looks like it's being implemented in Chrome as well: https://chromium-review.googlesource.com/c/chromium/src/+/644858

Christian Grothoff

2022-07-30 23:30

manager   ~0018975

Some docs:
https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/webRequest/getSecurityInfo
https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/webRequest/SecurityInfo
https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/webRequest/CertificateInfo

I also added a bit to the main page:
https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/webRequest#Accessing_security_information

Christian Grothoff

2022-07-30 23:36

manager   ~0018976

Still pending in Chrome, latest I can find there:

https://bugs.chromium.org/p/chromium/issues/detail?id=628819

Issue History

Date Modified Username Field Change
2017-08-27 02:10 Florian Dold New Issue
2017-10-15 17:41 Christian Grothoff Note Added: 0012481
2017-10-15 17:41 Christian Grothoff Severity minor => text
2017-10-15 17:41 Christian Grothoff Assigned To => Florian Dold
2017-10-15 17:41 Christian Grothoff Status new => assigned
2017-10-31 09:10 Christian Grothoff Note Added: 0012529
2017-10-31 09:10 Christian Grothoff Note Added: 0012530
2017-11-03 19:02 tg Note Added: 0012542
2017-11-03 19:19 tg Note Added: 0012543
2017-11-03 19:19 tg Note Edited: 0012543
2017-11-03 20:24 Christian Grothoff Note Added: 0012544
2018-06-28 14:39 Florian Dold Note Added: 0013105
2020-10-11 21:19 Christian Grothoff Relationship added related to 0004629
2022-07-30 23:30 Christian Grothoff Note Added: 0018975
2022-07-30 23:36 Christian Grothoff Note Added: 0018976
2022-11-06 23:24 Christian Grothoff Assigned To Florian Dold =>
2022-11-06 23:24 Christian Grothoff Priority normal => none
2022-11-06 23:24 Christian Grothoff Status assigned => confirmed
2023-04-04 17:54 Florian Dold Target Version => post-1.0