Chromium complains about certificate transparency


Rune Philosof

Jul 10, 2017, 4:03:12 AM
to qubes...@googlegroups.com
Hi

I get an error in Fedora 23 Chromium, that I don't get in Firefox or in Chromium on Debian 8.

I am wondering what is different in the setup of Qubes Fedora 23 that makes this error appear. I guess it is just a matter of using a different version of Chromium (54.0.2840.90 in Fedora and 57.0.2987.98 in Debian).
Has any of you guys encountered the same problem, and what have you done to overcome it?

== The error is:

```
NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED
The server presented a certificate that was not publicly disclosed using the Certificate Transparency policy. This is a requirement for some certificates, to ensure that they are trustworthy and protect against attackers.
```

I have seen it on https://www.microsoft.com and https://getharvest.com.


--
Venlig hilsen/Kind regards

Rune Schjellerup Philosof
Softwareudvikler

Centic | Softwareudvikling og IT-konsulenter
Website: www.centic.dk

Egelundsvej 18
DK 5260 Odense S

Unman

Jul 10, 2017, 10:20:55 AM
to Rune Philosof, qubes...@googlegroups.com
On Mon, Jul 10, 2017 at 10:03:09AM +0200, Rune Philosof wrote:
> Hi
>
> I get an error in Fedora 23 Chromium, that I don't get in Firefox or in
> Chromium on Debian 8.
>
> I am wondering what is different in the setup of Qubes Fedora 23 that makes
> this error appear. I guess it is just a matter of using a different version
> of Chromium (54.0.2840.90 in Fedora and 57.0.2987.98 in Debian).
> Has any of you guys encountered the same problem, and what have you done to
> overcome it?
>
> == The error is:
>
> ```
> NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED
> The server presented a certificate that was not publicly disclosed using the
> Certificate Transparency policy. This is a requirement for some
> certificates, to ensure that they are trustworthy and protect against
> attackers.
> ```
>
> I have seen it on https://www.microsoft.com and https://getharvest.com.
>

This is a well known bug in Chrome - fixed I think in 55, and therefore in the Debian version.
You really shouldn't be using Fedora 23 any more - update your template
manually or install a new template:
in dom0 sudo qubes-dom0-update qubes-template-fedora-24

unman

Rune Philosof

Jul 10, 2017, 10:50:37 AM
to Unman, qubes...@googlegroups.com
On Mon, Jul 10, 2017 at 4:20 PM, Unman <un...@thirdeyesecurity.org> wrote:
> On Mon, Jul 10, 2017 at 10:03:09AM +0200, Rune Philosof wrote:
> > I get an error in Fedora 23 Chromium, that I don't get in Firefox or in
> > Chromium on Debian 8.
>
> This is a well known bug in Chrome - fixed I think in 55, and therefore in the Debian version.
> You really shouldn't be using Fedora 23 any more - update your template
> manually or install a new template:
> in dom0 sudo qubes-dom0-update qubes-template-fedora-24
>
> unman

Fedora 23 is default in Qubes 3.2.
Fedora 24 isn't exactly recommended on https://www.qubes-os.org/doc/supported-versions/#templatevms.
Although Fedora 23 is unsupported by Fedora. So I agree that Qubes should start informing users that they should upgrade to Fedora 24.

Maybe your upgrade instruction 'sudo qubes-dom0-update qubes-template-fedora-24' should be included on https://www.qubes-os.org/doc/template/fedora/upgrade-23-to-24/ with some explanation about why one would choose one method over the other.

--
Rune Schjellerup Philosof

Unman

Jul 10, 2017, 11:11:50 AM
to Rune Philosof, qubes...@googlegroups.com
On Mon, Jul 10, 2017 at 04:50:34PM +0200, Rune Philosof wrote:
> On Mon, Jul 10, 2017 at 4:20 PM, Unman <un...@thirdeyesecurity.org> wrote:
>
> > On Mon, Jul 10, 2017 at 10:03:09AM +0200, Rune Philosof wrote:
> > > I get an error in Fedora 23 Chromium, that I don't get in Firefox or in
> > > Chromium on Debian 8.
> >
> > This is a well known bug in Chrome - fixed I think in 55, and therefore in
> > the Debian version.
> > You really shouldn't be using Fedora 23 any more - update your template
> > manually or install a new template:
> > in dom0 sudo qubes-dom0-update qubes-template-fedora-24
> >
> > unman
> >
>
> Fedora 23 is default in Qubes 3.2.
> Fedora 24 isn't exactly recommended on
> https://www.qubes-os.org/doc/supported-versions/#templatevms.
> Although Fedora 23 is unsupported by Fedora. So I agree that Qubes should
> start informing users that they should upgrade to Fedora 24.

It's been extensively covered on this list and in News on the website.
Perhaps a statement could be added on the "Download" page as well.

>
> Maybe your upgrade instruction 'sudo qubes-dom0-update
> qubes-template-fedora-24' should be included on
> https://www.qubes-os.org/doc/template/fedora/upgrade-23-to-24/ with some
> explanation about why one would choose one method over the other.
>

It's not an upgrade - as I said, it will install a new template. If
you have a heavily customised template, then you may prefer to upgrade it
in place using the instructions on the website.
I prefer to start afresh.
Entirely up to you.

In general, I think the team assumes that users will be handling the
security and configuration of their templates for themselves. There are
tools to help with this (by notifying when updates are available), but
they don't take responsibility away from the user.


pixel fairy

Jul 13, 2017, 9:57:21 PM
to qubes-users, r...@centic.dk, un...@thirdeyesecurity.org
On Monday, July 10, 2017 at 8:11:50 AM UTC-7, Unman wrote:
> On Mon, Jul 10, 2017 at 04:50:34PM +0200, Rune Philosof wrote:
> > On Mon, Jul 10, 2017 at 4:20 PM, Unman wrote:
> >

> > Maybe your upgrade instruction 'sudo qubes-dom0-update
> > qubes-template-fedora-24' should be included on
> > https://www.qubes-os.org/doc/template/fedora/upgrade-23-to-24/ with some
> > explanation about why one would choose one method over the other.

fedora-24 is also out of support. Install fedora-25.
