Bug 680042 - www-client/chromium should enforce built-in HTTPS public key pins
Summary: www-client/chromium should enforce built-in HTTPS public key pins
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Linux bug wranglers
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-03-11 14:06 UTC by Maciej S. Szmigiero
Modified: 2019-03-13 20:54 UTC (History)
CC List: 0 users
See Also:
Package list:
Runtime testing required: ---


Attachments
patch to reenable static pinning (chromium-enable-static-pinning.patch,720 bytes, patch)
2019-03-11 14:07 UTC, Maciej S. Szmigiero

Description Maciej S. Szmigiero 2019-03-11 14:06:53 UTC
Currently, www-client/chromium does not enforce built-in (static)
public key HTTPS pins.
This is caused by code in net/http/transport_security_state.cc that
disables these pins (and a similar, static Expect-CT list) for
non-Google builds.

Note that these hashes are getting built into a Chromium binary anyway,
just never getting used.

Gentoo ships the same pin list in Firefox and Thunderbird, where it is
normally enforced, so there is no reason why Chromium should be different
in this regard.
Besides that, Chromium will automatically disable enforcement of static pins
once 10 weeks pass since the time the browser was compiled (see
TransportSecurityState::IsBuildTimely() in net/http/transport_security_state.cc).

The attached patch enables these pins also for our builds.

A test site for HTTPS public key pinning can be reached at
https://pinning-test.badssl.com/
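The report describes two behaviours of the static pin list: the check is skipped entirely in non-Google builds, and even when enabled it is skipped once the build is older than 10 weeks (IsBuildTimely()). The following is an added illustrative model of that logic, written for this bug report; it is not Chromium's code and the host name, SPKI blobs and pin hashes are constructed for the example. It shows why a compiled-in pin list that is never consulted gives no protection, and how the build-age cutoff silently turns enforcement off for a distribution that does not rebuild often.

```python
"""Illustrative model of static (built-in) HTTPS public key pin enforcement.

Added example for this bug report, not Chromium's implementation. It mirrors
two behaviours the report describes: a pin set compiled into the binary that
is only consulted when static pinning is enabled, and a build-timeliness
cutoff that stops enforcing static pins once the build is 10 weeks old.
Everything below (host, SPKI bytes, hashes) is constructed, not real data.
"""
import base64
import hashlib
from datetime import datetime, timedelta, timezone

# Static pins are only trusted while the build is younger than this window
# (the report gives 10 weeks, matching the IsBuildTimely() behaviour).
BUILD_TIMELY_WINDOW = timedelta(weeks=10)


def spki_hash(spki_der: bytes) -> str:
    """Pin value in the usual HPKP form: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Constructed byte strings standing in for DER-encoded SubjectPublicKeyInfo.
LEAF_SPKI = b"constructed-leaf-spki"
INTERMEDIATE_SPKI = b"constructed-intermediate-spki"
ROOT_SPKI = b"constructed-root-spki"
ROGUE_SPKI = b"constructed-rogue-ca-spki"

# Constructed built-in pin list. For each host: hashes that are accepted
# (any single match anywhere in the chain suffices, which is how a backup
# pin works) and hashes that are explicitly rejected (a static list can also
# carry SPKIs that must fail the check even if an accepted hash is present).
STATIC_PINS = {
    "pinned.example": {
        "accepted": {spki_hash(INTERMEDIATE_SPKI), spki_hash(ROOT_SPKI)},
        "rejected": {spki_hash(ROGUE_SPKI)},
    },
}


def is_build_timely(build_time: datetime, now: datetime) -> bool:
    """True while the binary is younger than BUILD_TIMELY_WINDOW."""
    return now - build_time < BUILD_TIMELY_WINDOW


def check_static_pins(host: str, chain_spkis: list, build_time: datetime,
                      now: datetime, enforce_static_pins: bool = True) -> str:
    """Evaluate a served chain against the built-in pin list for `host`.

    Returns one of:
      not_pinned          - host has no built-in pins, nothing to enforce
      skipped_disabled    - pins are compiled in but enforcement is off
                            (the state this bug reports for Gentoo builds)
      skipped_stale_build - build older than the window, pins not consulted
      rejected_spki       - chain contains an explicitly rejected key
      pin_match           - at least one chain key matches an accepted pin
      pin_mismatch        - no chain key matches; connection should fail
    """
    pins = STATIC_PINS.get(host)
    if pins is None:
        return "not_pinned"
    if not enforce_static_pins:
        return "skipped_disabled"
    if not is_build_timely(build_time, now):
        return "skipped_stale_build"
    chain_hashes = {spki_hash(spki) for spki in chain_spkis}
    if chain_hashes & pins["rejected"]:
        return "rejected_spki"
    if chain_hashes & pins["accepted"]:
        return "pin_match"
    return "pin_mismatch"


if __name__ == "__main__":
    build = datetime(2019, 3, 11, tzinfo=timezone.utc)   # constructed build date
    fresh = build + timedelta(days=1)
    stale = build + timedelta(weeks=10)
    good_chain = [LEAF_SPKI, INTERMEDIATE_SPKI, ROOT_SPKI]
    unknown_ca_chain = [LEAF_SPKI, b"constructed-unrelated-ca-spki"]
    for label, chain, now, enforce in [
        ("legit chain, enforced, fresh build", good_chain, fresh, True),
        ("unknown CA, enforced, fresh build", unknown_ca_chain, fresh, True),
        ("unknown CA, enforcement disabled", unknown_ca_chain, fresh, False),
        ("unknown CA, enforced, stale build", unknown_ca_chain, stale, True),
    ]:
        print(f"{label}: {check_static_pins('pinned.example', chain, build, now, enforce)}")
```

The two "skipped" outcomes are the ones to watch for in a distribution build: with enforcement disabled (the current Gentoo state) or with a build past the window, a chain from an unrelated CA reaches the same "no verdict" result as a legitimate one, so the pins embedded in the binary contribute nothing to the connection decision.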
Comment 1 Maciej S. Szmigiero 2019-03-11 14:07:49 UTC
Created attachment 568580
patch to reenable static pinning
Comment 2 Mike Gilbert gentoo-dev 2019-03-11 15:21:50 UTC
Please submit a patch upstream to make this configurable via gn.
Comment 3 Maciej S. Szmigiero 2019-03-13 20:54:42 UTC
> Please submit a patch upstream to make this configurable via gn.

Would Gentoo make use of such an option in its www-client/chromium
ebuilds if upstream makes it available?

If not, it will be hard to convince Chromium developers to add
an option which isn't going to be used.