View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0005129 | Taler | other | public | 2017-08-27 02:10 | 2024-08-12 09:58 |
| Reporter | Florian Dold | Assigned To | |||
| Priority | none | Severity | text | Reproducibility | have not tried |
| Status | confirmed | Resolution | open | ||
| Target Version | post-2.0 | ||||
| Summary | 0005129: suggest to the appropriate standard(s) to add certificate information to XMLHttpRequest | ||||
| Description | Using this, we could check that/if the TLS cert contains the merchant public key. | ||||
| Tags | No tags attached. | ||||
| related to | 0004629 | acknowledged | certificates for merchant public keys aren't supported |
|
|
While *I* understand this report, we should expand this bug report so that we can point others who work on standardization to it and ask for their help. In particular, we should expand the justification and what is required, and include links to previous requests along the same line in the respective fora (I remember there was some previous discussion on some Chome/Chromium bug tracker on this?). |
|
|
Google is removing support for HPKP: https://www.heise.de/security/meldung/HTTPS-Verschluesselung-Google-verabschiedet-sich-vom-Pinning-3876078.html This may be an opportunity to ask for an API to X.509 so that *plugins* can implement HPKP for users that want to have it. Given that tg wrote such a plugin in the past, he might be perfect to ask for it... |
|
|
tg, do you think you could help? |
|
|
chrome/webextensions do not provide any APIs to access certificate information, there's already an issue open about this for years and it's unlikely it's going to get implemented any time soon: https://bugs.chromium.org/p/chromium/issues/detail?id=107793 article in English about the HPKP issue: http://www.zdnet.com/article/google-chrome-is-backing-away-from-public-key-pinning-and-heres-why/ |
|
|
Firefox is also deprecating their old plugin APIs which allowed access to certificate information. With the new webext APIs I'm not aware of any way to access this information.. For pinning, an idea I had would be to use webRequest.onHeadersReceived() upon the first time a website is ever visited, call a local program to fetch the pubkey to be pinned, then inject a HPKP header with the pubkey and a reporting URL pointing to an extension url if possible, or otherwise a local webserver, which would allow showing a notification and remove previous pins - https://developer.chrome.com/extensions/webRequest - https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/webRequest/onHeadersReceived But then of course this won't work if they're removing HPKP support. Regarding the original issue, can't you just add a signature to the body of the response and check that? |
|
|
tg, I'm aware of all that (not your work-arounds, they won't work for us as far as I can tell). My idea was that you could argue that to revive something like CertificatePatrol, it would be good/important to have such an API (again). You may be able to contact your plugin's user base for support, and or at least be vocal about it in the Chrome/Chromium bug tracker. |
|
|
Mozilla recently added an API to do exactly this: https://bugzilla.mozilla.org/show_bug.cgi?format=default&id=1322748 It looks like it's being implemented in Chrome as well: https://chromium-review.googlesource.com/c/chromium/src/+/644858 |
|
|
Some docs: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/webRequest/getSecurityInfo https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/webRequest/SecurityInfo https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/webRequest/CertificateInfo I also added a bit to the main page: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/webRequest#Accessing_security_information |
|
|
Still pending in Chrome, latest I can find there: https://bugs.chromium.org/p/chromium/issues/detail?id=628819 |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2017-08-27 02:10 | Florian Dold | New Issue | |
| 2017-10-15 17:41 | Christian Grothoff | Note Added: 0012481 | |
| 2017-10-15 17:41 | Christian Grothoff | Severity | minor => text |
| 2017-10-15 17:41 | Christian Grothoff | Assigned To | => Florian Dold |
| 2017-10-15 17:41 | Christian Grothoff | Status | new => assigned |
| 2017-10-31 09:10 | Christian Grothoff | Note Added: 0012529 | |
| 2017-10-31 09:10 | Christian Grothoff | Note Added: 0012530 | |
| 2017-11-03 19:02 | tg | Note Added: 0012542 | |
| 2017-11-03 19:19 | tg | Note Added: 0012543 | |
| 2017-11-03 19:19 | tg | Note Edited: 0012543 | |
| 2017-11-03 20:24 | Christian Grothoff | Note Added: 0012544 | |
| 2018-06-28 14:39 | Florian Dold | Note Added: 0013105 | |
| 2020-10-11 21:19 | Christian Grothoff | Relationship added | related to 0004629 |
| 2022-07-30 23:30 | Christian Grothoff | Note Added: 0018975 | |
| 2022-07-30 23:36 | Christian Grothoff | Note Added: 0018976 | |
| 2022-11-06 23:24 | Christian Grothoff | Assigned To | Florian Dold => |
| 2022-11-06 23:24 | Christian Grothoff | Priority | normal => none |
| 2022-11-06 23:24 | Christian Grothoff | Status | assigned => confirmed |
| 2023-04-04 17:54 | Florian Dold | Target Version | => post-1.0 |
| 2024-08-12 09:58 | Christian Grothoff | Target Version | post-1.0 => post-2.0 |
