Add (known|blocked)-interception.badssl.com tests #423
How does this relate to https://captive-portal.badssl.com/ and https://mitm-software.badssl.com/ ? I've noticed the latter is not working for a while.
Looks good to me overall!
Hi Lucas! This is different than captive-portal and mitm-software interstitials in that it uses CRLSets rather than the component updater. You can find the details in crbug.com/1014704 and crbug.com/1014711. Do we need to do a push to get the new subdomain live, or are the changes automatically picked up? I'd like to use it for testing sometime soon :)
We do need a push, although I'd love to set up an automated deployment! If we're comfortable giving GitHub Actions deployment access, it should be pretty easy! (Last I knew, though, our Google Cloud project had IP restrictions. I'm actually not on the project right now, so I can't check.)
Sorry for going OOO after uploading this :-) I'll request the new certs for these and then push the new update. (I've also wished for automated deployments, but haven't had time to prioritize working on it. The main blocker IIRC was making sure the right keys/certs get inserted into the build so they don't have to rely on existing server state.)
These are now live: PR #425 adds the cert chains. https://crrev.com/c/1968635 will add these to the local blocklist in Chrome after which they will trigger the new UIs.
* 'master' of https://github.com/chromium/badssl.com: (175 commits)
  Add (known|blocked)-interception.badssl.com tests (chromium#423)
  Update `10000-sans`. (chromium#420)
  Rename subdomain-no-sct.crt to subdomain-no-sct.pem
  Add missing common in sets.js
  Mark DHE as bad or dubious (chromium#398)
  Add `no-sct.badssl.com`. Addresses chromium#275. (chromium#409)
  Update chain for `subdomain-1000-sans.pem`. Closes chromium#383. (chromium#408)
  Update `subdomain-revoked.pem`. Addresses chromium#404. (chromium#410)
  Add page with 🔒 in title (chromium#388)
  Explicitly send the self-signed root for untrusted-root (chromium#397)
  [web-payment] Print API return values and exceptions in the footer. (chromium#392)
  Tweak formatting for client cert passwords (chromium#385)
  Add descriptions to the dashboard sections. (chromium#371)
  Remove hyphens from dh domain pages. Fixes chromium#379 (chromium#380)
  Add incomplete chain description in footer. (chromium#366)
  Fix redirect port for `tls-v1-2`. (chromium#362)
  Export environment variables in the Makefile (chromium#355)
  Flip cert chain order for wildcard-rsa4096.pem (chromium#353)
  Add EV certificate (chromium#352)
  Update subdomain-extended-validation.conf
  ...
In Chrome, we are adding two new variations of CRLSets for when we want to block or alert on certificates or roots that are known to be used for network interception and monitoring (the new CRLSet types and errors were added in https://crrev.com/c/1904545).
To help with manual testing, this PR adds two new subdomains that will serve new (trusted) certificates with new keys for each:
After these certificates are issued, my plan is to add them to the new CRLSets lists (in Chrome source and in the component). Non-Chrome browsers won't pick up these new CRLSets by default.
I wanted to file the initial version of this PR to solicit reviews from before ordering the certificates (once we have the certs I'll add the chains to this PR). @lgarron what do you think?