RESOLVED WONTFIX 155844
Compare leaf certificates if that's all we have in allowsSpecificHTTPSCertificateForHost
https://bugs.webkit.org/show_bug.cgi?id=155844
Alex Christensen
Reported 2016-03-24 11:18:35 PDT
Compare leaf certificates if that's all we have in allowsSpecificHTTPSCertificateForHost
Attachments
Patch (1.69 KB, patch)
2016-03-24 11:20 PDT, Alex Christensen
no flags
Patch (1.94 KB, patch)
2016-03-24 21:11 PDT, Alex Christensen
achristensen: review-
Alex Christensen
Comment 1 2016-03-24 11:20:16 PDT
Alex Christensen
Comment 2 2016-03-24 21:11:09 PDT
Sam Weinig
Comment 3 2016-03-25 22:37:01 PDT
Can we test this?
Alex Christensen
Comment 4 2016-03-28 10:03:19 PDT
Manually, yes. I think this might not be the right solution, though. See rdar://problem/25249263
Alex Christensen
Comment 5 2016-04-28 12:50:10 PDT
This is not needed and not secure.
Michael Catanzaro
Comment 6 2016-04-28 17:00:00 PDT
(In reply to comment #5)
> This is not needed
Agreed.
> and not secure.
Why not? If it's exactly the same server (leaf) certificate that the user previously added a security exception for, then it does not matter what the other certificates in the chain are. There's really no reason to look at anything besides the server cert.
Michael Catanzaro
Comment 7 2016-04-28 17:07:29 PDT
Looking at your allowsSpecificHTTPSCertificateForHost, I'm honestly not sure what it's doing. In the soup port, we use allowSpecificHTTPSCertificateForHost ("allow" rather than "allows") to set a certificate that is to be accepted for a host even though it failed normal certificate verification (i.e. when a user clicks through a security warning). But I'm not sure that's what the code you touched is for....
Alex Christensen
Comment 8 2016-04-28 17:13:36 PDT
It's always safer to check the entire chains, especially if you have the entire chains. Hash collision attacks can make the same leaf with different chains, and the user may have accepted the certificate because of the verification of the entire chain, not just the leaf. That said, most browser users don't even know what a certificate chain is, they just click accept so they can see what they think is the content they want to see, so allowing this at all is somewhat insecure.
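An added illustration of the two policies argued over in comments 6 and 8, not WebKit's own code: the method names mirror the ones mentioned in comment 7, the certificate bytes are constructed placeholders standing in for DER, and the `fallback_to_leaf` switch is a hypothetical knob that reproduces the leaf-only comparison the patch proposed.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
LEAF = b"constructed-leaf-cert-for-example.test"
INTERMEDIATE_A = b"constructed-intermediate-A"
INTERMEDIATE_B = b"constructed-intermediate-B"
ROOT = b"constructed-root"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the encoded certificate: an exact-match identity for it."""
    return hashlib.sha256(der).hexdigest()


@dataclass
class CertificateExceptionStore:
    """Remembers, per host, the certificate(s) the user clicked through for."""
    accepted: dict = field(default_factory=dict)

    def allow_specific_https_certificate_for_host(self, host, chain):
        # Record whatever was shown when the exception was granted: ideally the
        # full chain, but possibly only the leaf if that is all the port had.
        self.accepted[host] = tuple(fingerprint(c) for c in chain)

    def allows_specific_https_certificate_for_host(self, host, chain,
                                                    fallback_to_leaf=False):
        stored = self.accepted.get(host)
        if not stored or not chain:
            return False
        presented = tuple(fingerprint(c) for c in chain)
        if len(stored) > 1:
            # A full chain was recorded: every certificate must match, in order.
            # A same-leaf/different-intermediate chain is rejected here.
            return presented == stored
        if fallback_to_leaf:
            # The patch's behaviour: only a leaf was recorded, so compare leaves
            # and ignore the rest of the presented chain.
            return presented[0] == stored[0]
        # Stricter choice: without a recorded chain there is nothing to compare
        # the presented chain against, so do not honour the exception.
        return False
```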