r62178 - in trunk/src: chrome/app chrome/browser chrome/browser/ssl net/base


fin...@chromium.org

Oct 11, 2010, 4:12:54 PM10/11/10
to chromium...@chromium.org
Author: fin...@chromium.org
Date: Mon Oct 11 13:12:54 2010
New Revision: 62178

Log:
Fix 58162: Mixed Content False Positive for intranet hostname certificates

Previously, we lumped the intranet host warning in with mixed content warning. This calls it out as a separate warning.

BUG=58162
TEST=None

Review URL: http://codereview.chromium.org/3536019

Modified:
trunk/src/chrome/app/generated_resources.grd
trunk/src/chrome/browser/page_info_model.cc
trunk/src/chrome/browser/ssl/ssl_host_state.cc
trunk/src/chrome/browser/ssl/ssl_policy.cc
trunk/src/net/base/cert_status_flags.h
trunk/src/net/base/net_error_list.h

Modified: trunk/src/chrome/app/generated_resources.grd
==============================================================================
--- trunk/src/chrome/app/generated_resources.grd (original)
+++ trunk/src/chrome/app/generated_resources.grd Mon Oct 11 13:12:54 2010
@@ -5802,6 +5802,9 @@
<message name="IDS_PAGE_INFO_SECURITY_TAB_INSECURE_IDENTITY" desc="The text of the identity section when the page is not secure.">
The identity of this website has not been verified.
</message>
+ <message name="IDS_PAGE_INFO_SECURITY_TAB_NON_UNIQUE_NAME" desc="The text of the identity section when the host is not unique (such as with Intranet host names).">
+ The identity of the server you are connected to cannot be fully validated. You are connected to a server using a name only valid within your network, which an external certificate authority has no way to validate ownership of. As some certificate authorities will issue certificates for these names regardless, there is no way to ensure you are connected to the intended website and not an attacker.
+ </message>

<message name="IDS_PAGE_INFO_SECURITY_TAB_UNABLE_TO_CHECK_REVOCATION" desc="The text of the identity section when we were unable to check if the certificate has been revoked.">
Unable to check whether the certificate has been revoked.

Modified: trunk/src/chrome/browser/page_info_model.cc
==============================================================================
--- trunk/src/chrome/browser/page_info_model.cc (original)
+++ trunk/src/chrome/browser/page_info_model.cc Mon Oct 11 13:12:54 2010
@@ -141,6 +141,12 @@
IDS_PAGE_INFO_SECURITY_TAB_INSECURE_IDENTITY));
icon_id = ssl.security_style() == SECURITY_STYLE_UNAUTHENTICATED ?
ICON_STATE_WARNING_MAJOR : ICON_STATE_ERROR;
+
+ if (ssl.cert_status() & net::CERT_STATUS_NON_UNIQUE_NAME) {
+ description += ASCIIToUTF16("\n\n");
+ description += l10n_util::GetStringUTF16(
+ IDS_PAGE_INFO_SECURITY_TAB_NON_UNIQUE_NAME);
+ }
}
sections_.push_back(SectionInfo(
icon_id,
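Review bot: The non-unique-name text is appended only inside the branch that already shows IDS_PAGE_INFO_SECURITY_TAB_INSECURE_IDENTITY, so the user sees it only if setting CERT_STATUS_NON_UNIQUE_NAME also routes the page into this branch. That depends on how the enclosing condition treats bit 10, and the condition lies outside the hunk, so this is worth confirming with a test; the commit carries TEST=None. A short comment above the new `if` would help the next reader, for example `// Single-label (intranet) names can be certified for anyone; explain why identity is unverified.`. The enclosing function starts and ends outside the hunk.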

Modified: trunk/src/chrome/browser/ssl/ssl_host_state.cc
==============================================================================
--- trunk/src/chrome/browser/ssl/ssl_host_state.cc (original)
+++ trunk/src/chrome/browser/ssl/ssl_host_state.cc Mon Oct 11 13:12:54 2010
@@ -6,17 +6,6 @@

#include "base/logging.h"

-namespace {
-
-static const char kDot = '.';
-
-static bool IsIntranetHost(const std::string& host) {
- const size_t dot = host.find(kDot);
- return dot == std::string::npos || dot == host.length() - 1;
-}
-
-} // namespace
-
SSLHostState::SSLHostState() {
}

@@ -31,12 +20,6 @@
bool SSLHostState::DidHostRunInsecureContent(const std::string& host,
int pid) const {
DCHECK(CalledOnValidThread());
-
- // CAs issue certificates for intranet hosts to everyone. Therefore, we
- // always treat intranet hosts as having run insecure content.
- if (IsIntranetHost(host))
- return true;
-
return !!ran_insecure_content_hosts_.count(BrokenHostEntry(host, pid));
}

Modified: trunk/src/chrome/browser/ssl/ssl_policy.cc
==============================================================================
--- trunk/src/chrome/browser/ssl/ssl_policy.cc (original)
+++ trunk/src/chrome/browser/ssl/ssl_policy.cc Mon Oct 11 13:12:54 2010
@@ -32,6 +32,17 @@
#include "net/base/ssl_info.h"
#include "webkit/glue/resource_type.h"

+namespace {
+
+static const char kDot = '.';
+
+static bool IsIntranetHost(const std::string& host) {
+ const size_t dot = host.find(kDot);
+ return dot == std::string::npos || dot == host.length() - 1;
+}
+
+} // namespace
+
SSLPolicy::SSLPolicy(SSLPolicyBackend* backend)
: backend_(backend) {
DCHECK(backend_);
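Review bot: `IsIntranetHost` decides by dot position alone, which both over- and under-matches the names a public CA cannot validate. A host string with no dot at all is flagged, which would include an empty host and, if the URL host is returned in bracketed form, an IPv6 literal. A multi-label internal name under a private suffix is never flagged, even though the same ownership problem applies to it. The helper should at least carry a comment stating the heuristic and its limits, such as `// Heuristic only: no dot, or a single trailing dot, is treated as a non-unique intranet name; IP literals and private suffixes are not handled.`. The `static` qualifiers are redundant inside the anonymous namespace.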
@@ -151,6 +162,15 @@
return;
}

+ if (!(entry->ssl().cert_status() & net::CERT_STATUS_COMMON_NAME_INVALID)) {
+ // CAs issue certificates for intranet hosts to everyone. Therefore, we
+ // mark intranet hosts as being non-unique.
+ if (IsIntranetHost(entry->url().host())) {
+ entry->ssl().set_cert_status(entry->ssl().cert_status() |
+ net::CERT_STATUS_NON_UNIQUE_NAME);
+ }
+ }
+
// If CERT_STATUS_UNABLE_TO_CHECK_REVOCATION is the only certificate error,
// don't lower the security style to SECURITY_STYLE_AUTHENTICATION_BROKEN.
int cert_errors = entry->ssl().cert_status() & net::CERT_STATUS_ALL_ERRORS;
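Review bot: CERT_STATUS_NON_UNIQUE_NAME is OR-ed into the entry's cert status immediately before `cert_errors` is computed, and the flag sits at bit 10, below the header's "Bits 16 to 30 are for non-error statuses" line. If CERT_STATUS_ALL_ERRORS covers that bit (its definition is not visible here), every single-label host with an otherwise valid certificate now has a non-zero `cert_errors`. The UNABLE_TO_CHECK_REVOCATION-only carve-out described in the comment below would then no longer apply to those hosts. The intended security style for such hosts should be stated in the comment, e.g. `// Note: this counts as a certificate error below, so intranet hosts are shown as <intended style>.`, and pinned with a test. The reason for skipping the check when CERT_STATUS_COMMON_NAME_INVALID is set is also undocumented. The enclosing function starts and ends outside the hunk.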

Modified: trunk/src/net/base/cert_status_flags.h
==============================================================================
--- trunk/src/net/base/cert_status_flags.h (original)
+++ trunk/src/net/base/cert_status_flags.h Mon Oct 11 13:12:54 2010
@@ -22,6 +22,7 @@
CERT_STATUS_INVALID = 1 << 7,
CERT_STATUS_WEAK_SIGNATURE_ALGORITHM = 1 << 8,
CERT_STATUS_NOT_IN_DNS = 1 << 9,
+ CERT_STATUS_NON_UNIQUE_NAME = 1 << 10,

// Bits 16 to 30 are for non-error statuses.
CERT_STATUS_IS_EV = 1 << 16,
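Review bot: The new flag CERT_STATUS_NON_UNIQUE_NAME here and the new code `NET_ERROR(CERT_NON_UNIQUE_NAME, -210)` in the net_error_list.h hunk are added as a pair. The list of modified files, however, contains no source file that translates between CERT_STATUS_* flags and certificate error codes. If such mapping code exists elsewhere in net/base, it will not know about the new pair, so a status carrying only this bit could be reported as a generic or wrong certificate error. Either extend the mapping in the same change or note next to the enum value that the flag is set by the browser-side SSL policy and never by the verifier, for example `// Set by SSLPolicy for intranet host names; not produced by certificate verification.`.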

Modified: trunk/src/net/base/net_error_list.h
==============================================================================
--- trunk/src/net/base/net_error_list.h (original)
+++ trunk/src/net/base/net_error_list.h Mon Oct 11 13:12:54 2010
@@ -25,7 +25,7 @@
// finally completed.
NET_ERROR(IO_PENDING, -1)

-// A generic failure occured.
+// A generic failure occurred.
NET_ERROR(FAILED, -2)

// An operation was aborted (due to user action).
@@ -157,7 +157,7 @@
NET_ERROR(WINSOCK_UNEXPECTED_WRITTEN_BYTES, -124)

// An SSL peer sent us a fatal decompression_failure alert. This typically
-// occurs when a peer selects DEFLATE compression in the mismaken belief that
+// occurs when a peer selects DEFLATE compression in the mistaken belief that
// it supports it.
NET_ERROR(SSL_DECOMPRESSION_FAILURE_ALERT, -125)

@@ -278,13 +278,16 @@
// valid fingerprints. But the certificate presented was not in this list.
NET_ERROR(CERT_NOT_IN_DNS, -209)

+// The host name specified in the certificate is not unique.
+NET_ERROR(CERT_NON_UNIQUE_NAME, -210)
+
// Add new certificate error codes here.
//
// Update the value of CERT_END whenever you add a new certificate error
// code.

// The value immediately past the last certificate error code.
-NET_ERROR(CERT_END, -210)
+NET_ERROR(CERT_END, -211)

// The URL is invalid.
NET_ERROR(INVALID_URL, -300)
@@ -365,7 +368,7 @@
// There is a SPDY protocol framing error.
NET_ERROR(SPDY_PROTOCOL_ERROR, -337)

-// Credentials could not be estalished during HTTP Authentication.
+// Credentials could not be established during HTTP Authentication.
NET_ERROR(INVALID_AUTH_CREDENTIALS, -338)

// An HTTP Authentication scheme was tried which is not supported on this
@@ -471,7 +474,7 @@

// Import failed - certificate already exists in database.
// Note it's a little weird this is an error but reimporting a PKCS12 is ok
-// (no-op). That's how mozilla does it, though.
+// (no-op). That's how Mozilla does it, though.
NET_ERROR(IMPORT_CERT_ALREADY_EXISTS, -704)

// CA import failed due to some other error.

jayant...@gmail.com

Apr 16, 2013, 1:21:31 AM4/16/13
to chromium...@chromium.org, fin...@chromium.org