In-progress patch for TLS-SRP (RFC 5054) support
427 views
Skip to first unread message
Quinn Slack
Apr 6, 2011, 6:56:15 AM4/6/11
to Chromium-discuss
I am working on a large patch that adds TLS-SRP (RFC 5054)[1] support
to Chrome. This lets Chrome mutually authenticate and establish TLS
sessions with Web sites using only a username and password; no
certificate is required. It is working now; of course, much, much more
needs to be done, but you can try it out now.
Patch[2], instructions, and Linux binary at: http://trustedhttp.org/wiki/TLS-SRP_in_Chrome
The patch includes additions to Chrome net/ and chrome/ as well as
OpenSSL, NSS, and TLS Lite. It updates the URLRequest, HTTP
transaction, and NSS SSL client socket code in net/ and exposes
SetTLSLogin and ContinueWithTLSLogin (etc.) methods in URLRequest. The
UI code presents a login dialog when users browse to TLS-SRP-enabled
servers and displays the logged-in username in the location bar. It
also displays the TLS-SRP security information in the page info
display.
There are lots of tests, but more are needed. Other issues are listed
on the wiki page, notably: (1) it only works on Linux right now, and
(2) the login form needs to be in the browser chrome so that it's
harder to spoof.
This is a fairly significant addition, so I want to start getting
feedback early on. I am specifically interested in hearing any
thoughts regarding (1) making a login form that's tough to spoof; (2)
where/how to display the logged-in username in the location bar (right
now, it's on the right in a blue EV-like bubble); and (3) how/whether
to offer log in (from HTTP or cert HTTPS to SRP HTTPS) and log out
functionality. Also, are there any committers who have advice on how
to move this patch forward?
[1] TLS-SRP (RFC 5054): http://tools.ietf.org/html/rfc5054
[2] http://trustedhttp.org/chromium+tls-srp-20110406.patch -- also
requires other patches listed on the wiki page
-Quinn
to Chrome. This lets Chrome mutually authenticate and establish TLS
sessions with Web sites using only a username and password; no
certificate is required. It is working now; of course, much, much more
needs to be done, but you can try it out now.
Patch[2], instructions, and Linux binary at: http://trustedhttp.org/wiki/TLS-SRP_in_Chrome
The patch includes additions to Chrome net/ and chrome/ as well as
OpenSSL, NSS, and TLS Lite. It updates the URLRequest, HTTP
transaction, and NSS SSL client socket code in net/ and exposes
SetTLSLogin and ContinueWithTLSLogin (etc.) methods in URLRequest. The
UI code presents a login dialog when users browse to TLS-SRP-enabled
servers and displays the logged-in username in the location bar. It
also displays the TLS-SRP security information in the page info
display.
There are lots of tests, but more are needed. Other issues are listed
on the wiki page, notably: (1) it only works on Linux right now, and
(2) the login form needs to be in the browser chrome so that it's
harder to spoof.
This is a fairly significant addition, so I want to start getting
feedback early on. I am specifically interested in hearing any
thoughts regarding (1) making a login form that's tough to spoof; (2)
where/how to display the logged-in username in the location bar (right
now, it's on the right in a blue EV-like bubble); and (3) how/whether
to offer log in (from HTTP or cert HTTPS to SRP HTTPS) and log out
functionality. Also, are there any committers who have advice on how
to move this patch forward?
[1] TLS-SRP (RFC 5054): http://tools.ietf.org/html/rfc5054
[2] http://trustedhttp.org/chromium+tls-srp-20110406.patch -- also
requires other patches listed on the wiki page
-Quinn
agl
Apr 6, 2011, 3:52:20 PM4/6/11
to Chromium-discuss
On Apr 6, 6:56 am, Quinn Slack <s...@cs.stanford.edu> wrote:
> I am working on a large patch that adds TLS-SRP (RFC 5054)[1] support
> to Chrome. This lets Chrome mutually authenticate and establish TLS
> sessions with Web sites using only a username and password; no
> certificate is required. It is working now; of course, much, much more
> needs to be done, but you can try it out now.
(Since you have code etc, chromium-dev would have been the correct
> I am working on a large patch that adds TLS-SRP (RFC 5054)[1] support
> to Chrome. This lets Chrome mutually authenticate and establish TLS
> sessions with Web sites using only a username and password; no
> certificate is required. It is working now; of course, much, much more
> needs to be done, but you can try it out now.
mailing list for this but someone forwarded me a pointer.)
I shall look over the code, hopefully by tomorrow. If possible, could
you upload it to the codereview site (see [1]) and email me a pointer?
[1] http://dev.chromium.org/developers/contributing-code
Cheers
AGL
Quinn Slack
Apr 6, 2011, 7:30:32 PM4/6/11
to Chromium-discuss, agl
On Apr 6, 12:52 pm, agl <a...@chromium.org> wrote:
> I shall look over the code, hopefully by tomorrow. If possible, could
> you upload it to the codereview site (see [1]) and email me a pointer?
Thank you. I've opened a code review at http://codereview.chromium.org/6804032/.
> I shall look over the code, hopefully by tomorrow. If possible, could
> you upload it to the codereview site (see [1]) and email me a pointer?
-Quinn
Heri Sim
Jul 31, 2014, 12:08:06 PM7/31/14
to chromium...@chromium.org
Hi Quinn, any updates on this? Is this patch in the mainline now? Which release?
Reply all
Reply to author
Forward
0 new messages