Chromium Code Reviews
Help | Chromium Project | Gerrit Changes | Sign in
(1119)

Issue 2495583002: Defang the CT Timebomb (Closed)

Created:
3 years, 2 months ago by Ryan Sleevi
Modified:
3 years, 2 months ago
Reviewers:
davidben
CC:
chromium-reviews, cbentzel+watch_chromium.org
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

Defang the CT Timebomb A timebomb existed that if the set of known CT logs goes stale, no certificate can comply with the Certificate Transparency policy, beause the logs may be out of date and not trustworthy. The set of known logs goes stale 10 weeks after the build date. While this was acceptable to cause EV certificates to downgrade to DV certificates, this also means that certificates issued by CAs that MUST be CT compliant also fail to work - they fail closed, rather than fail open. In particular, certificates issued by Symantec fail to work if it's more than 10 weeks after the build date - in effect, the default behaviour is to distrust Symantec. While the proper behaviour is debated - to either fail open (like HSTS and HPKP do), treating CT as additive, or to fail closed, treating CT as a restrictive policy that must be made - change the code to allow an out of date build to skip the CT checks, failing open. BUG=664177 Committed: https://crrev.com/ec8e431e9a0f80ace76368ce7edce006f3d409f2 Cr-Commit-Position: refs/heads/master@{#431707}

Patch Set 1 #

Unified diffs Side-by-side diffs Delta from patch set Stats (+6 lines, -0 lines) Patch
M net/quic/chromium/crypto/proof_verifier_chromium.cc View 1 chunk +2 lines, -0 lines 0 comments Download
M net/socket/ssl_client_socket_impl.cc View 1 chunk +2 lines, -0 lines 0 comments Download
M net/spdy/spdy_session.cc View 1 chunk +2 lines, -0 lines 0 comments Download

Messages

Total messages: 8 (3 generated)
Ryan Sleevi
3 years, 2 months ago (2016-11-10 17:18:06 UTC) #2
davidben
lgtm
3 years, 2 months ago (2016-11-11 12:52:54 UTC) #3
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2495583002/1
3 years, 2 months ago (2016-11-11 22:49:46 UTC) #5
commit-bot: I haz the power
Committed patchset #1 (id:1)
3 years, 2 months ago (2016-11-12 00:32:58 UTC) #6
commit-bot: I haz the power
3 years, 2 months ago (2016-11-12 00:36:24 UTC) #8
Message was sent while issue was closed.
Patchset 1 (id:??) landed as
https://crrev.com/ec8e431e9a0f80ace76368ce7edce006f3d409f2
Cr-Commit-Position: refs/heads/master@{#431707}

Powered by Google App Engine
This is Rietveld 408576698