Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add (known|blocked)-interception.badssl.com tests #423

Merged
merged 1 commit into from
Dec 14, 2019

Conversation

christhompson
Copy link
Collaborator

In Chrome, we are adding two new variations of CRLSets for when we want to block or alert on certificates or roots that are known to be used for network interception and monitoring (the new CRLSet types and errors were added in https://crrev.com/c/1904545).

To help with manual testing, this PR adds two new subdomains that will serve new (trusted) certificates with new keys for each:

  • blocked-interception.badssl.com (Chrome would show a new interstitial)
  • known-interception.badssl.com (Chrome would show a new passive warning)

After these certificates are issued, my plan is to add them to the new CRLSets lists (in Chrome source and in the component). Non-Chrome browsers won't pick up these new CRLSets by default.

I wanted to file the initial version of this PR to solicit reviews from before ordering the certificates (once we have the certs I'll add the chains to this PR). @lgarron what do you think?

@lgarron
Copy link
Collaborator

lgarron commented Nov 29, 2019

How does this relate to https://captive-portal.badssl.com/ and https://mitm-software.badssl.com/ ? I've noticed the latter is not working for a while.

Copy link
Collaborator

@lgarron lgarron left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me overall!

@meacer
Copy link

meacer commented Dec 2, 2019

Hi Lucas!

This is different than captive-portal and mitm-software interstitials in that it uses CRLSets rather than the component updater. You can find the details in crbug.com/1014704 and crbug.com/1014711

Do we need to do a push to get the new subdomain live, or are the changes automatically picked up? I'd like to use it for testing sometime soon :)

@lgarron
Copy link
Collaborator

lgarron commented Dec 3, 2019

We do need a push, although I'd love to set up an automated deployment!

If we're comfortable giving GitHub Actions deployment access, it should be pretty easy!

(Last I knew, though, our Google Cloud project had IP restrictions. I'm actually not on the project right now, so I can't check.)

@christhompson christhompson merged commit a779188 into master Dec 14, 2019
@christhompson
Copy link
Collaborator Author

Sorry for going OOO after uploading this :-)

I'll request the new certs for these and then push the new update.

(I've also wished for automated deployments, but haven't had time to prioritize working on it. The main blocker IIRC was making sure the right keys/certs get inserted into the build so they don't have to rely on existing server state.)

@christhompson
Copy link
Collaborator Author

These are now live:

PR #425 adds the cert chains.

https://crrev.com/c/1968635 will add these to the local blocklist in Chrome after which they will trigger the new UIs.

april added a commit to april/badssl.com that referenced this pull request Jan 16, 2020
* 'master' of https://github.com/chromium/badssl.com: (175 commits)
  Add (known|blocked)-interception.badssl.com tests (chromium#423)
  Update `10000-sans`. (chromium#420)
  Rename subdomain-no-sct.crt to subdomain-no-sct.pem
  Add missing common in sets.js
  Mark DHE as bad or dubious (chromium#398)
  Add `no-sct.badssl.com`. Addresses chromium#275. (chromium#409)
  Update chain for `subdomain-1000-sans.pem`. Closes chromium#383. (chromium#408)
  Update `subdomain-revoked.pem`. Addresses chromium#404. (chromium#410)
  Add page with 🔒 in title (chromium#388)
  Explicitly send the self-signed root for untrusted-root (chromium#397)
  [web-payment] Print API return values and exceptions in the footer. (chromium#392)
  Tweak formatting for client cert passwords (chromium#385)
  Add descriptions to the dashboard sections. (chromium#371)
  Remove hyphens from dh domain pages. Fixes chromium#379 (chromium#380)
  Add incomplete chain description in footer. (chromium#366)
  Fix redirect port for `tls-v1-2`. (chromium#362)
  Export environment variables in the Makefile (chromium#355)
  Flip cert chain order for wildcard-rsa4096.pem (chromium#353)
  Add EV certificate (chromium#352)
  Update subdomain-extended-validation.conf
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants