[Security][Android] SSL Pinning doesn't work #24453

Closed
stoletheminerals opened this issue Aug 5, 2022 · 4 comments · Fixed by brave/brave-core#23550

Comments

@stoletheminerals

Description

SSL Pinning doesn't work for the domains listed in https://github.com/brave/brave-core/blob/master/chromium_src/net/tools/transport_security_state_generator/input_file_parsers.cc

Steps to reproduce

  1. Navigate to https://ssl-pinning.someblog.org/

Actual result

Webpage loads without an SSL error

Expected result

Webpage fails to load with an SSL error

Issue reproduces how often

Version/Channel Information:

  • Can you reproduce this issue with the current Play Store version?
  • Can you reproduce this issue with the current Play Store Beta version?
  • Can you reproduce this issue with the current Play Store Nightly version?

Device details

  • Install type (ARM, x86):
  • Device type (Phone, Tablet, Phablet):
  • Android version:

Brave version

Website problems only

  • Does the issue resolve itself when disabling Brave Shields?
  • Does the issue resolve itself when disabling Brave Rewards?
  • Is the issue reproducible on the latest version of Chrome?

Additional information

@stoletheminerals stoletheminerals added the OS/Android Fixes related to Android browser functionality label Aug 5, 2022
@fmarier fmarier added certpinning Chromium/waiting upstream Issue is in Chromium; we'll likely wait for the fix labels Aug 5, 2022
@fmarier
Member

fmarier commented Aug 5, 2022

Upstream appears to be preparing to roll this out to Android: https://chromium.googlesource.com/chromium/src/+/f12eac9342eb88971851d46e31c97af8c2c27%5E%21/

@fmarier
Member

fmarier commented May 6, 2024

This is now working in Brave for Android and so we should enable too.

This was done on desktop in brave/brave-core#8750.

@fmarier
Member

fmarier commented May 6, 2024

It's probably just a matter of removing the check for Android here: https://github.com/brave/brave-core/blob/44a98b1a20d935db5eab9899361871740695d29b/chromium_src/net/http/transport_security_state.cc#L17-L25

and then testing it like this:

  1. Going through the test plan at Update pinned roots brave-core#22540
  2. Opening https://pinning-test.badssl.com/ and confirming that there's no TLS error and that the red page loads fine.

@deeppandya deeppandya assigned deeppandya and samartnik and unassigned deeppandya May 8, 2024
@brave-builds brave-builds added this to the 1.68.x - Nightly milestone May 13, 2024
@hffvld hffvld added the QA/In-Progress Indicates that QA is currently in progress for that particular issue label Jul 10, 2024
@hffvld
Contributor

hffvld commented Jul 11, 2024

Verified on Pixel 7 using version(s):

Device/OS: Pixel 7 / panther_beta-user 15 AP31.240517.031 release-keys
Brave build: 1.68.115
Chromium: 127.0.6533.26 (Official Build) beta (64-bit) 

STEPS:

  1. Follow the STR/TP from [Security][Android] SSL Pinning doesn't work #24453 (comment) and [Security][Android] SSL Pinning doesn't work #24453 (comment)
  2. Verify

ACTUAL RESULTS:



@hffvld hffvld added QA Pass - Android ARM and removed QA/In-Progress Indicates that QA is currently in progress for that particular issue labels Jul 11, 2024