
TLS pins are not working #15667

Closed
fmarier opened this issue May 7, 2021 · 5 comments · Fixed by brave/brave-core#8750

Comments

@fmarier
Member

fmarier commented May 7, 2021

Preloaded TLS pins are not working in Brave. For example https://pinning-test.badssl.com/ loads just fine instead of being blocked with a TLS error.

That's due to the fact that non-Chrome builds have pinning disabled: https://source.chromium.org/chromium/chromium/src/+/master:net/http/transport_security_state.cc;l=760-763;drc=735b94b59fae0115fc1b9fa736fea465e18f6bfb

While we don't want to enforce the pins that ship with Chromium, we do want to enforce pins on the Brave domains.

@fmarier fmarier added priority/P2 A bad problem. We might uplift this to the next planned release. OS/Android Fixes related to Android browser functionality OS/Desktop certpinning labels May 7, 2021
@fmarier fmarier self-assigned this May 7, 2021
@fmarier fmarier added QA/Yes release-notes/include and removed OS/Android Fixes related to Android browser functionality labels May 8, 2021
@fmarier fmarier added this to the 1.27.x - Nightly milestone May 28, 2021
@stephendonner

stephendonner commented Jun 1, 2021

Verified PASSED using the testplan in brave/brave-core#8750 with build

Brave 1.27.33 Chromium: 91.0.4472.77 (Official Build) nightly (x86_64)
Revision 1cecd5c8a856bc2a5adda436e7b84d8d21b339b6-refs/branch-heads/4472@{#1246}
OS macOS Version 11.4 (Build 20F71)

Steps:

  1. Opened https://pinning-test.badssl.com/ and confirmed that the page was blocked with a non-bypassable TLS error.
  2. Opened a new-tab page and scrolled down into the Brave Today section.
  3. Confirmed that Brave Today images are loading.
  4. Opened https://creators.brave.com/ and confirmed that the page loaded.
  5. Opened https://ads-serve.brave.com/ and confirmed that the page loaded without a TLS error.
(Screenshots: https://pinning-test.badssl.com, Brave Today, https://creators.brave.com, https://ads-serve.brave.com)

Verification passed on

Brave | 1.27.89 Chromium: 91.0.4472.124 (Official Build) beta (64-bit)
-- | --
Revision | 7345a6d1bfcaff81162a957e9b7d52649fe2ac38-refs/branch-heads/4472_114@{#6}
OS | Windows 10 OS Version 2004 (Build 19041.1052)

(Screenshots: https://pinning-test.badssl.com, Brave Today, https://creators.brave.com, https://ads-serve.brave.com)

Verification PASSED on PopOS 20.10 x64 using the following build:

Brave | 1.27.92 Chromium: 91.0.4472.124 (Official Build) dev (64-bit)
--- | ---
Revision | 7345a6d1bfcaff81162a957e9b7d52649fe2ac38-refs/branch-heads/4472_114@{#6}
OS | Linux

Verified the STR/Cases outlined via brave/brave-core#8750 (comment).

(Screenshots: https://pinning-test.badssl.com, Brave Today, https://creators.brave.com, https://ads-serve.brave.com)

@GeetaSarvadnya

@fmarier https://pinning-test.badssl.com/ fails in Brave beta (1.27.x). It works fine in Chrome. I have reset the IP (using netsh int ip reset and netsh winsock reset) and tried again but no luck.
(Screenshots)

@fmarier
Member Author

fmarier commented Jul 2, 2021

I've tested Beta 1.27.87 on Linux and Windows and I get the same error page as on Chrome in both cases. Do you see the same certificate as me on your machine?
(Screenshot from 2021-07-02 12-57-41)

@GeetaSarvadnya

@fmarier Thanks for checking on your machine. I have verified the certificate and found that "Issued by" was showing as AVG. AVG had been installed unknowingly on my machine, which was causing this problem. I just uninstalled it and tried again, and it worked fine. Thanks!

(Screenshot)

After uninstalling AVG:
(Screenshot)

@kjozwiak
Member

Went through several cases on Win to ensure that pinning fails when a MITM certificate is detected as per brave/qa-resources#295 (comment).
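
The two behaviours discussed in this thread, as an added example that is not Brave or Chromium code: fmarier's point that a build with pinning disabled accepts any chain (which is why https://pinning-test.badssl.com/ loaded before the fix), and the AVG case GeetaSarvadnya and kjozwiak describe, where a locally trusted MITM certificate has to fail the pin check once pins are enforced. The script models the check in Python: it pulls the DER SubjectPublicKeyInfo out of each certificate in the chain, hashes it with SHA-256 in the usual `sha256/<base64>` pin form, and accepts the chain only if one of those hashes is in the pin set. All certificates and key bytes are constructed placeholders (structurally valid but unsigned DER skeletons), and every function name here is the example's own, not an API of either project.

```python
"""Model of SPKI pin enforcement (illustrative, not Brave/Chromium code)."""
import base64
import hashlib

# --- minimal DER helpers, written for this example -------------------------

def der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    """Wrap `body` in a DER tag/length header."""
    return bytes([tag]) + der_len(len(body)) + body

def der_read(buf: bytes, off: int):
    """Parse one TLV at `off`; return (tag, value_start, value_end)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = off + hdr
    return tag, start, start + length

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo (header included) of an X.509 cert.
    Walks Certificate -> tbsCertificate -> [version] serial sigAlg issuer
    validity subject subjectPublicKeyInfo."""
    tag, tbs_off, _ = der_read(cert_der, 0)            # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, off, _ = der_read(cert_der, tbs_off)          # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, nxt = der_read(cert_der, off)
    if tag == 0xA0:                                    # optional explicit [0] version
        off = nxt
    for _ in range(5):                                 # serial, sigAlg, issuer, validity, subject
        _, _, off = der_read(cert_der, off)
    tag, _, end = der_read(cert_der, off)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    return cert_der[off:end]

def spki_pin(spki_der: bytes) -> str:
    """Pin string in the HPKP/preload form: 'sha256/' + base64(SHA-256(DER SPKI))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def check_pins(chain_der, accepted, rejected=frozenset(), enforce=True) -> bool:
    """Simplified pin check.
    enforce=False models a build with pinning switched off: every chain passes.
    Otherwise any chain SPKI in `rejected` fails, and the chain passes only if
    some SPKI (leaf, intermediate or root) is in `accepted`."""
    if not enforce:
        return True
    pins = {spki_pin(extract_spki(c)) for c in chain_der}
    if pins & set(rejected):
        return False
    return bool(pins & set(accepted))

# --- constructed sample certificates (placeholders, not real keys) -----------

def fake_spki(pubkey: bytes) -> bytes:
    rsa_oid = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption
    alg = der_tlv(0x30, rsa_oid + b"\x05\x00")
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + pubkey))

def fake_cert(pubkey: bytes) -> bytes:
    """Structurally valid, unsigned X.509 skeleton around a placeholder key."""
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))      # explicit [0] v3
    serial = der_tlv(0x02, b"\x01")
    alg = der_tlv(0x30, bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00")  # sha256WithRSA
    name = der_tlv(0x30, b"")                            # empty Name placeholder
    validity = der_tlv(0x30, der_tlv(0x17, b"210507000000Z") + der_tlv(0x17, b"220507000000Z"))
    tbs = der_tlv(0x30, version + serial + alg + name + validity + name + fake_spki(pubkey))
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00"))  # empty signature value

BRAVE_CA = fake_cert(b"brave-intermediate-key")      # the CA whose SPKI is preloaded
BRAVE_LEAF = fake_cert(b"brave-leaf-key")
AV_MITM_CA = fake_cert(b"local-av-proxy-key")        # locally trusted interception root
AV_LEAF = fake_cert(b"forged-leaf-key")
BRAVE_PINS = {spki_pin(extract_spki(BRAVE_CA))}

def demo() -> dict:
    return {
        # genuine chain, pins enforced: the intermediate's SPKI matches
        "genuine_enforced": check_pins([BRAVE_LEAF, BRAVE_CA], BRAVE_PINS),
        # interception chain, pins enforced: no SPKI matches, so blocked
        "mitm_enforced": check_pins([AV_LEAF, AV_MITM_CA], BRAVE_PINS),
        # interception chain, pinning disabled: nothing stops it here
        "mitm_pinning_disabled": check_pins([AV_LEAF, AV_MITM_CA], BRAVE_PINS, enforce=False),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'pass' if result else 'BLOCKED'}")
```

With pinning disabled the interception chain is only caught by ordinary chain validation, which a locally installed AV root satisfies; with pins enforced the check fails regardless of what roots the machine trusts, which is what the Windows cases above verify.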
