Does anyone know whether the certificate transparency feature as promoted by Google can/will apply to private installed CAs?
It seems like Chrome is already enforcing CT in some situations, presumably by auditing public CA logs. For private CAs that do legitimate Man-in-the-middle, there obviously won't be public CA auditing information, and it would be good to know that Chrome won't balk at that.
The CT enforcement policy applies only to public CAs, not self-signed or private CAs. The closest thing I could find confirming this was this tweet from Google's Ryan Sleevi.
CT enforcement policy also seems to be applied to internal EV certificates.
Whereas in Internet Explorer the address bar is green with the EV company name, in Chrome it is only listed as "Secure | https".
Still an issue: private certs do have issues with CT, as I've explained here:
Referrer policy hide the referrer of self-signed certificates
The official docs make it clear that Certificate Transparency only applies to CAs that are publicly-trusted - that is, CAs that are supported by your browser or device out of the box, without any additional configuration steps.
For CAs that have been manually installed, provided those certificates are not or have not been publicly-trusted, it‘s not necessary to enable support for Certificate Transparency. Further, Certificate Transparency Logs will not accept certificates from those CAs, thus it’s not possible to support CT.
Ref:
https://chromium.googlesource.com/chromium/src/+/refs/heads/main/net/docs/certificate-transparency.md#Locally_trusted-CAs
I got the following message happening on my site, and I tried my best but can't grasp this, so I have a couple of questions, please read.
category-search-Forum:1 A cookie associated with a cross-site resource at https://www.google.com/ was set without the `SameSite` attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
I've seen many people speak about this, on Stack and other online places, but none have explained exactly how to add SameSite=None.
1 QUESTION: how or where do you add the SameSite=None?
And looking at the error, what is 'Secure'?
Does that mean SameSite=Secure?
What is the difference between SameSite=None and SameSite=Secure?
As discussed here: https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
This is actually a server-side issue. All it is saying is that you are using a resource from another site (most often JS or CSS) and that server is attempting to set a cookie; however, it does not have the SameSite attribute set.
This is being done due to:
Today, if a cookie is only intended to be accessed in a first party context, the developer has the option to apply one of two settings (SameSite=Lax or SameSite=Strict) to prevent external access. However, very few developers follow this recommended practice, leaving a large number of same-site cookies needlessly exposed to threats such as Cross-Site Request Forgery attacks.
To safeguard more websites and their users, the new secure-by-default model assumes all cookies should be protected from external access unless otherwise specified. Developers must use a new cookie setting, SameSite=None, to designate cookies for cross-site access. When the SameSite=None attribute is present, an additional Secure attribute must be used so cross-site cookies can only be accessed over HTTPS connections. This won’t mitigate all risks associated with cross-site access but it will provide protection against network attacks.
Beyond the immediate security benefits, the explicit declaration of cross-site cookies enables greater transparency and user choice. For example, browsers could offer users fine-grained controls to manage cookies that are only accessed by a single site separately from cookies accessed across multiple sites.
As your post doesn't define whether you are working server side or client side, my assumption is you are working client side, and as such there isn't anything you can do about it, as that resource needs to update it. HOWEVER, if you are doing server-side dev, here is a list of resources for different languages: https://github.com/GoogleChromeLabs/samesite-examples
TLDR; If you are a client-side dev, then this is because a linked resource does not have this set and there is nothing you can do about it. If you are a server-side dev, check out the GitHub link for examples on how to fix this for your site.
Edit: If you just want to get rid of the message, the solution was discussed here: Chrome Console SameSite Cookie Attribute Warning, where you can disable them through chrome://flags ("Cookie Deprecation messages" disabled).
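The answer above explains the rule (a cookie meant for cross-site use must carry both SameSite=None and Secure; a cookie with no SameSite attribute is treated as Lax and withheld from cross-site requests). As an added example, not part of the original answer or of the Chromium resources it links to, here is a small Node.js helper that builds a Set-Cookie header under those rules and a checker that classifies how Chrome 80+ will treat an existing header on a cross-site request. The cookie names and values are made up.

```javascript
// Added example (not from the original answer): Set-Cookie headers under
// Chrome's SameSite-by-default rules. Assumes Node.js; cookie names/values
// below are constructed for illustration.

// Build a Set-Cookie header value. Throws if SameSite=None is requested
// without Secure, because Chrome rejects that combination outright.
function buildSetCookie(name, value, opts = {}) {
  const sameSite = opts.sameSite || 'Lax'; // what Chrome assumes when omitted
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) {
    throw new Error(`unknown SameSite value: ${sameSite}`);
  }
  if (sameSite === 'None' && !opts.secure) {
    throw new Error('SameSite=None requires the Secure attribute');
  }
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header into the cookie name and a map of
// lower-cased attribute names to values (true for flag attributes).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, attributes };
}

// Classify how Chrome 80+ treats the cookie on a cross-site request:
//   'sent'               SameSite=None; Secure
//   'rejected'           SameSite=None without Secure (cookie is dropped)
//   'blocked-default-lax' no SameSite attribute (the warning in the question)
//   'blocked'            SameSite=Lax or Strict by explicit choice
function crossSiteVerdict(header) {
  const { attributes } = parseSetCookie(header);
  const sameSite = typeof attributes.samesite === 'string'
    ? attributes.samesite.toLowerCase()
    : undefined;
  const secure = attributes.secure === true;
  if (sameSite === 'none') return secure ? 'sent' : 'rejected';
  if (sameSite === undefined) return 'blocked-default-lax';
  return 'blocked';
}

// Typical use inside a request handler: embed widget on other sites.
function widgetSessionHeader(sessionId) {
  return buildSetCookie('widget_sid', sessionId, {
    sameSite: 'None', secure: true, httpOnly: true, path: '/',
  });
}

module.exports = { buildSetCookie, parseSetCookie, crossSiteVerdict, widgetSessionHeader };
```

Pass the returned string to `res.setHeader('Set-Cookie', ...)` (or its framework equivalent); if you only need the cookie in a first-party context, leave `sameSite` at its default of Lax and the warning disappears without exposing the cookie cross-site.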
I ran into a similar problem with my Electron app / browser side.
fetch's credentials: 'omit' solved the warning issue for me:
// Example
await fetch('https://example.com', {credentials: 'omit'});
I am writing it here because this is the first link on Google; I believe it will help someone like me. xoxoxo
GitHub Pages' custom domain service automatically issues a Let's Encrypt SSL certificate for HTTPS connections. My problem is, how do I get the private key of this certificate? Is it possible?
If the certificate is obtained by myself, the private key is located in /etc/letsencrypt/live, but GitHub Pages doesn't seem to support self-obtained certificates.
That feature has been proposed since May 2018, and is part of "Securing your GitHub Pages site with HTTPS".
It is a server-side (github.io) feature, which means the private key remains... private, on the server.
It should therefore not be possible to get it back.
I see some websites have changed the label on Chrome's SSL certificate, next to the URL, from "Secure" to something else. Example: https://sunday.dk/ (where the label is "Danske Bank A/S [DK]"):
This is a particular type of SSL certificate called Extended Verification (EV)
An Extended Validation Certificate (EV) is a certificate used for HTTPS websites and software that proves the legal entity controlling the website or software package. Obtaining an EV certificate requires verification of the requesting entity's identity by a certificate authority (CA).
Have a look on Google for "extended verification ssl certificates" and you'll find lots of providers who will sell you one.
As a word of warning, there is quite a bit of admin in order to get the certificate issued. If you're familiar with buying normal SSL certs, then that is a quick process, mostly automated, and takes a few minutes. I have spent a couple of weeks going back and forth to get an EV.
I need to bypass/prevent the privacy error message "Your connection is not private" or automatically proceed to (unsafe).
I can accept the unsafe connection by clicking on Advanced, but it's not permanent. It shows again after a system restart.
Chrome version is "51.0.2704.63 m".
I have tried various links but still haven't found any fix for this.
I have tried this but am not getting the setting "Remember decisions to proceed through SSL errors for a specified length of time.": https://kb.paessler.com/en/topic/63157-how-can-i-stop-google-chrome-showing-me-a-connection-not-private-message
Adding the site as a trusted site also did not work for me: http://kb.mcgill.ca/?portalid=2&articleid=1925#tab:homeTab:crumb:8:artId:1925:src:article
By adding your self-signed certificate as a trusted root you won't get the warning page anymore, but the red lock will remain. You will need to do this for each certificate you want Chrome to trust.
View the certificate by clicking the red lock next to the URL and clicking "Certificate"
Go to the "Details" tab and "Copy to file..." and run through the wizard
Go to chrome://settings/?search=manage+certificates and click "Manage Certificates"
Add the certificate you just saved
Note: Chrome uses the Windows certificate store but you can access it as described above.
I know this post is old and you might have already got an answer to the question. However, I would like to provide more insight into removing the security warning from browsers. Basically, any browser confirms the list of items below before marking a website/URL secure:
Match the base DNS name with that of the certificate CN (note that the port number doesn't come into the picture in this case). For example, if you are accessing https://example.com:8445/something, the certificate CN should be "example.com".
The self-signed certificate has to be imported into the respective trust store (Root Certification Authorities) of the system.
The certificate must have a SAN (Subject Alternative Name) that matches the DNS name. With respect to the previous example, the certificate must have at least one SAN equivalent to "example.com". This is a must, and most folks miss out on this point and cannot understand why the browser doesn't trust the certificate.
Now, all of the above 3 criteria cannot be met unless the certificate is signed by a CA. However, there is an easy way. Go to https://freesslcert.org/ to receive a completely free 1-year certificate with all the above criteria incorporated. Follow the steps mentioned in https://freesslcert.org/trust-freesslcert-in-browser and you are all set.
I've created a certificate and a key using openssl, and am using node.js to serve a simple (hello world) file.
Chrome acts like the request never gets to the server (the server logs confirm this, too).
Firefox warns about the certificate, but lets you access the file.
See attached image.
Any ideas?
OS: mac 10.9.5
Chrome: Version 41.0.2272.118 (64-bit)
The whole purpose of certificates is to be signed by a third entity, called a Certificate Authority (CA). A client will generally not accept a certificate given by a server unless the server produces a certificate signed by a CA specifically known to the client.
The 'identity' of a CA and the process of 'signature' are cryptographic concepts that are very precise and strict in order to avoid bad guys impersonating other people (your bank, Google, etc.).
Browsers usually allow you to accept untrusted certificates on a per-session basis, because bad certificates are everywhere and are not necessarily always a sign of malicious activity going on. However, automatic code (Node.js included) will almost universally reject bad certificates, because there's no way to ask a user for an override.
What you need to do is to generate a CA certificate and instruct your node.js client to trust it. I think the following links to a valid sample:
https://github.com/coolaj86/nodejs-ssl-trusted-peer-example. Look specifically at request.js - the relevant line is
fs.readFileSync(path.join(__dirname, 'certs', 'client', 'my-root-ca.crt.pem'))
Try to troubleshoot this further. Try other clients or an http(s) proxy.
Specifically I would try other browsers, https://github.com/iSECPartners/sslyze, Fiddler, curl, and other similar tools.