- DevTools security panel: I might or might not hold the opinion (I can't decide) that the security panel is designed specifically as a debugging tool for developers, and it's not "secure UI" despite the fact that it displays security-relevant information.
We removed the explanation on the Lock Icon under the statement that DevTools will replace it. It would sound like we replaced "trusted UI" with "untrusted UI" (mod the existing caveat that seems to have regressed that we're trusting the renderer regardless, which was arguably a bug to begin with)In my mind, the separation is that the browser UI contains the trusted information that an end user needs to make decisions about their security and privacy, whereas the security panel contains information useful for developers to debug their sites, which we were okay with making untrusted. The hazy middle ground, in my opinion, is power users: we probably took away information from trusted UI that they use to make security/privacy decisions.
On Mon, Apr 11, 2016 at 6:52 PM, Emily Stark <est...@chromium.org> wrote:We removed the explanation on the Lock Icon under the statement that DevTools will replace it. It would sound like we replaced "trusted UI" with "untrusted UI" (mod the existing caveat that seems to have regressed that we're trusting the renderer regardless, which was arguably a bug to begin with)In my mind, the separation is that the browser UI contains the trusted information that an end user needs to make decisions about their security and privacy, whereas the security panel contains information useful for developers to debug their sites, which we were okay with making untrusted. The hazy middle ground, in my opinion, is power users: we probably took away information from trusted UI that they use to make security/privacy decisions.Agreed. This also brings into question how we handle EV - are we (effectively) trusting the renderer process to tell us something is EV or not? And what certificate it is? Right now, we position EV as something that's useful to users to make an informed decision about security/privacy, but perhaps that's not the case in the implementation?
Having looked at the code more, it definitely seems like we've been placing a lot of trust in the renderer. The CertStore was part of trying to not do that (only certificates a renderer has used are accessible to it), but perhaps didn't do so completely.
On Mon, Apr 11, 2016 at 7:01 PM, Ryan Sleevi <rsl...@chromium.org> wrote:
Agreed. This also brings into question how we handle EV - are we (effectively) trusting the renderer process to tell us something is EV or not? And what certificate it is? Right now, we position EV as something that's useful to users to make an informed decision about security/privacy, but perhaps that's not the case in the implementation?
Yes, insofar as the renderer populates the SSLStatus on the NavigationEntry, but I feel like maybe that's not what you're getting at? I thiiiiink the security panel is totally EV-agnostic and doesn't differentiate EV in any way, not 100% sure though.Having looked at the code more, it definitely seems like we've been placing a lot of trust in the renderer. The CertStore was part of trying to not do that (only certificates a renderer has used are accessible to it), but perhaps didn't do so completely.I don't think there's a meaningful security boundary there; even if cert ids weren't predictable, a renderer can request subresources for whatever sites it wants and then it learns the cert ids of those certificates. (Though maybe at some point in history there a plan to lock that down in some way that I don't know about.)