Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(350)

Issue 2495583002: Defang the CT Timebomb (Closed)

Created:
4 years, 1 month ago by Ryan Sleevi
Modified:
4 years, 1 month ago
Reviewers:
davidben
CC:
chromium-reviews, cbentzel+watch_chromium.org
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

Defang the CT Timebomb A timebomb existed that if the set of known CT logs goes stale, no certificate can comply with the Certificate Transparency policy, beause the logs may be out of date and not trustworthy. The set of known logs goes stale 10 weeks after the build date. While this was acceptable to cause EV certificates to downgrade to DV certificates, this also means that certificates issued by CAs that MUST be CT compliant also fail to work - they fail closed, rather than fail open. In particular, certificates issued by Symantec fail to work if it's more than 10 weeks after the build date - in effect, the default behaviour is to distrust Symantec. While the proper behaviour is debated - to either fail open (like HSTS and HPKP do), treating CT as additive, or to fail closed, treating CT as a restrictive policy that must be made - change the code to allow an out of date build to skip the CT checks, failing open. BUG=664177 Committed: https://crrev.com/ec8e431e9a0f80ace76368ce7edce006f3d409f2 Cr-Commit-Position: refs/heads/master@{#431707}

Patch Set 1 #

Unified diffs Side-by-side diffs Delta from patch set Stats (+6 lines, -0 lines) Patch
M net/quic/chromium/crypto/proof_verifier_chromium.cc View 1 chunk +2 lines, -0 lines 0 comments Download
M net/socket/ssl_client_socket_impl.cc View 1 chunk +2 lines, -0 lines 0 comments Download
M net/spdy/spdy_session.cc View 1 chunk +2 lines, -0 lines 0 comments Download

Messages

Total messages: 8 (3 generated)
Ryan Sleevi
4 years, 1 month ago (2016-11-10 17:18:06 UTC) #2
davidben
lgtm
4 years, 1 month ago (2016-11-11 12:52:54 UTC) #3
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2495583002/1
4 years, 1 month ago (2016-11-11 22:49:46 UTC) #5
commit-bot: I haz the power
Committed patchset #1 (id:1)
4 years, 1 month ago (2016-11-12 00:32:58 UTC) #6
commit-bot: I haz the power
4 years, 1 month ago (2016-11-12 00:36:24 UTC) #8
Message was sent while issue was closed.
Patchset 1 (id:??) landed as
https://crrev.com/ec8e431e9a0f80ace76368ce7edce006f3d409f2
Cr-Commit-Position: refs/heads/master@{#431707}

Powered by Google App Engine
This is Rietveld 408576698