Browser-laptop: SHA1 signed certificates accepted with no warning
Web sites using the SHA-1 Signature hash algorithm are displayed in the browser without even a warning. (Brave 0.8.2). I believe Brave should block connections to such sites as Firefox already does, and Chrome, IE and Edge by Jan 01 2017.
- Chrome 49 shows a red cross on the padlock, and the "https" part of the URL is also red with red line through it. They will completely stop supporting SHA-1 by Jan 01 2017.
- Firefox has rejected such sites since version 43 (Jan 01 2016) bringing up a page saying "Your connection is not secure" and does not connect to the site (unless you add an exception). (Tested with 45.0.1)
- Microsoft Edge will "deprecate" them later this year and block them by Jan 01 2017. (Currently, version 25.10586.0.0 issues no warning and displays the page).
- Microsoft IE will presumably be aligned with the Edge timescales, if it is a pan-Microsoft decision (Currently, version 11.103.10586.0 issues no warning and displays the page).
- Opera - I can't find anything about their policy and don't have it installed.
- Vivaldi - I can't find anything about their policy and don't have it installed.
nicdoye
All 9 comments
I think we should display sha1 certs as non-secure. Right now there is no way to get cert info unless there's a certificate error but that is a todo for 1.0.
diracdeltas
on 24 Mar 2016
Would you need an extra prop to check in in SiteInfo.render(), other than isSecure and isMixedContent to set the icon to (some colour lock/unlock)?
Or would you set a certificate error (which I think happens via an electron ipc.send() call from the loadStart() event listener in Frame.addEventListners) and deal with it like that?
nicdoye
on 24 Mar 2016
We would modify our fork of electron to send the cert info via IPC when the tls connection is established.
diracdeltas
on 24 Mar 2016
Adding @bridiver for this.
bbondy
on 9 Jun 2016
cert information could be made available in the navigation-entry-commited event
bridiver
on 9 Jun 2016
it would be useful if electron could send the parsed x509 cert info in addition to the raw cert, so the browser doesn't have to re-parse it in JS. the only fields i can think of that the front-end needs to know about (for now) are whether there's a SHA1 signature in the chain and whether the end cert is Extended Validation. though if the user wants to inspect the cert, it's handy to show them both the raw cert and the parsed fields.
diracdeltas
on 9 Jun 2016
it is available from AtomSecurityStateModelClient and we could fire an event when it changes with SecurityStyleChanged
bridiver
on 9 Jun 2016
Setting 1.0 milestone based on the comment by @diracdeltas above.
luixxiul
on 14 Nov 2016
As of 0.12.9, Brave will show the insecure UX for sha1 certs that expire after 2017. Hooray!
Test Plan:
- go to https://sha1-2017.badssl.com/
- observe the insecure icon in the urlbar instead of the secure icon
diracdeltas
on 14 Nov 2016
Related issues
jonathansampson
路
3Comments
octohedron
路
3Comments
jkup
路
3Comments
eljuno
路
3Comments
bsclifton
路
3Comments
Most helpful comment
As of 0.12.9, Brave will show the insecure UX for sha1 certs that expire after 2017. Hooray!
Test Plan: