Bug 181679

Summary: [GTK] Styles not loaded from https://us.ivoox.com/es/
Product: WebKit Reporter: Andres Gomez Garcia <agomez>
Component: WebKitGTKAssignee: Nobody <webkit-unassigned>
Status: RESOLVED INVALID    
Severity: Normal CC: bfulgham, bugs-noreply, mcatanzaro, wilander
Priority: P2    
Version: Other   
Hardware: PC   
OS: Linux   
See Also: https://bugs.webkit.org/show_bug.cgi?id=171609

Description Andres Gomez Garcia 2018-01-16 06:30:24 PST
MiniBrowser with WebKitGTK+ 2.18.5-1 from Debian buster

If you go to:
https://us.ivoox.com/es/

The page doesn't show the styles (unlike with other browsers).

I don't think this is a new bug, just decided to report it now.
Comment 1 Michael Catanzaro 2018-01-16 08:23:48 PST
Unacceptable TLS certificate for static-1.ivooxcdn.com. There is no chain of trust at all. Until we support using authority information access to complete certificate chains, blocking it is the right thing to do. I'm hoping to work on that soon.
Comment 2 Andres Gomez Garcia 2018-01-18 01:37:22 PST
(In reply to Michael Catanzaro from comment #1)
> Unacceptable TLS certificate for static-1.ivooxcdn.com. There is no chain of
> trust at all. Until we support using authority information access to
> complete certificate chains, blocking it is the right thing to do. I'm
> hoping to work on that soon.

Not sure about the resolution status and your explanation.

If you have to work on this for WKGTK+, is it, then, a bug or missing feature in WKGTK+ or an actual bug from ivoox?

If it is the latter, I would like to know and how to explain the case so I can report to them ...
Comment 3 Michael Catanzaro 2018-01-18 08:18:10 PST
(CCing Brent because the privacy implications of (b) below are similar-ish to those of HSTS, and John because this relates to bug #171609.)

(In reply to Andres Gomez Garcia from comment #2)
> If you have to work on this for WKGTK+, is it, then, a bug or missing
> feature in WKGTK+ or an actual bug from ivoox?

It's actually both. The website is IMO broken because it's sending a single certificate with no chain of trust, that's why WebKit refuses to load the stylesheet, and why I picked INVALID as the bug resolution. Other browsers are doing questionable things to verify the chain:

 (a) Firefox caches intermediate certs that it has seen in the past, then uses them to complete broken chains in the future. This leads to nondeterministic certificate verification behavior since whether a particular website works depends on what websites you have visited in the past.
 (b) Other major browsers look in a certificate extension field of the server cert to get a URI to use to download the certificate from out of band. This is a privacy issue as it allows CAs to very easily track which websites you are visiting by using a different URL in each server certificate. Firefox refuses to implement it for this reason.

I'm planning to implement (b), because unless we convince some major browser to change what it's doing, we have to implement one or the other. (b) is what I believe Safari does, and I really don't want to make our certificate verification nondeterministic. See bug #171609, but in particular comment 5 there. My head comment in that bug is wrong because it assumes that Safari implements method (a), but I believe it has actually implemented method (b). Or maybe it does both... I don't know for sure.
Comment 4 Andres Gomez Garcia 2018-01-19 01:55:27 PST
(In reply to Michael Catanzaro from comment #3)
...
> (In reply to Andres Gomez Garcia from comment #2)
> > If you have to work on this for WKGTK+, is it, then, a bug or missing
> > feature in WKGTK+ or an actual bug from ivoox?
> 
> It's actually both. The website is IMO broken because it's sending a single
> certificate with no chain of trust, that's why WebKit refuses to load the
> stylesheet, and why I picked INVALID as the bug resolution.

Thanks for the thorough explanation, Michael.