View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0005129||Taler||other||public||2017-08-27 02:10||2022-07-30 23:36|
|Reporter||Florian Dold||Assigned To||Florian Dold|
|Priority||normal||Severity||text||Reproducibility||have not tried|
|Summary||0005129: suggest to the appropriate standard(s) to add certificate information to XMLHttpRequest|
|Description||Using this, we could check that/if the TLS cert contains the merchant public key.|
|Tags||No tags attached.|
||While *I* understand this report, we should expand this bug report so that we can point others who work on standardization to it and ask for their help. In particular, we should expand the justification and what is required, and include links to previous requests along the same line in the respective fora (I remember there was some previous discussion on some Chome/Chromium bug tracker on this?).|
Google is removing support for HPKP:
This may be an opportunity to ask for an API to X.509 so that *plugins* can implement HPKP for users that want to have it. Given that tg wrote such a plugin in the past, he might be perfect to ask for it...
||tg, do you think you could help?|
chrome/webextensions do not provide any APIs to access certificate information,
there's already an issue open about this for years and it's unlikely it's going to get implemented any time soon:
article in English about the HPKP issue:
Firefox is also deprecating their old plugin APIs
which allowed access to certificate information.
With the new webext APIs I'm not aware of any way to access this information..
For pinning, an idea I had would be to use webRequest.onHeadersReceived()
upon the first time a website is ever visited,
call a local program to fetch the pubkey to be pinned,
then inject a HPKP header with the pubkey
and a reporting URL pointing to an extension url if possible, or otherwise a local webserver,
which would allow showing a notification and remove previous pins
But then of course this won't work if they're removing HPKP support.
Regarding the original issue, can't you just add a signature to the body of the response and check that?
tg, I'm aware of all that (not your work-arounds, they won't work for us as far as I can tell).
My idea was that you could argue that to revive something like CertificatePatrol, it would be good/important to have such an API (again). You may be able to contact your plugin's user base for support, and or at least be vocal about it in the Chrome/Chromium bug tracker.
Mozilla recently added an API to do exactly this: https://bugzilla.mozilla.org/show_bug.cgi?format=default&id=1322748
It looks like it's being implemented in Chrome as well: https://chromium-review.googlesource.com/c/chromium/src/+/644858
I also added a bit to the main page:
Still pending in Chrome, latest I can find there:
|2017-08-27 02:10||Florian Dold||New Issue|
|2017-10-15 17:41||Christian Grothoff||Note Added: 0012481|
|2017-10-15 17:41||Christian Grothoff||Severity||minor => text|
|2017-10-15 17:41||Christian Grothoff||Assigned To||=> Florian Dold|
|2017-10-15 17:41||Christian Grothoff||Status||new => assigned|
|2017-10-31 09:10||Christian Grothoff||Note Added: 0012529|
|2017-10-31 09:10||Christian Grothoff||Note Added: 0012530|
|2017-11-03 19:02||tg||Note Added: 0012542|
|2017-11-03 19:19||tg||Note Added: 0012543|
|2017-11-03 19:19||tg||Note Edited: 0012543|
|2017-11-03 20:24||Christian Grothoff||Note Added: 0012544|
|2018-06-28 14:39||Florian Dold||Note Added: 0013105|
|2020-10-11 21:19||Christian Grothoff||Relationship added||related to 0004629|
|2022-07-30 23:30||Christian Grothoff||Note Added: 0018975|
|2022-07-30 23:36||Christian Grothoff||Note Added: 0018976|