chromium / badssl.com

Memorable site for testing clients against bad SSL configs.
https://badssl.com
Apache License 2.0

Add (known|blocked)-interception.badssl.com tests #423

Status: Closed (christhompson closed this 4 years ago)

christhompson commented 4 years ago

In Chrome, we are adding two new variations of CRLSets for when we want to block or alert on certificates or roots that are known to be used for network interception and monitoring (the new CRLSet types and errors were added in https://crrev.com/c/1904545).

To help with manual testing, this PR adds two new subdomains that will serve new (trusted) certificates with new keys for each:

After these certificates are issued, my plan is to add them to the new CRLSets lists (in Chrome source and in the component). Non-Chrome browsers won't pick up these new CRLSets by default.

I wanted to file the initial version of this PR to solicit reviews from before ordering the certificates (once we have the certs I'll add the chains to this PR). @lgarron what do you think?

lgarron commented 4 years ago

How does this relate to https://captive-portal.badssl.com/ and https://mitm-software.badssl.com/ ? I've noticed the latter has not been working for a while.

meacer commented 4 years ago

Hi Lucas!

This is different from the captive-portal and mitm-software interstitials in that it uses CRLSets rather than the component updater. You can find the details in crbug.com/1014704 and crbug.com/1014711.

Do we need to do a push to get the new subdomain live, or are the changes automatically picked up? I'd like to use it for testing sometime soon :)

lgarron commented 4 years ago

We do need a push, although I'd love to set up an automated deployment!

If we're comfortable giving GitHub Actions deployment access, it should be pretty easy!

(Last I knew, though, our Google Cloud project had IP restrictions. I'm actually not on the project right now, so I can't check.)

christhompson commented 4 years ago

Sorry for going OOO after uploading this :-)

I'll request the new certs for these and then push the new update.

(I've also wished for automated deployments, but haven't had time to prioritize working on it. The main blocker IIRC was making sure the right keys/certs get inserted into the build so they don't have to rely on existing server state.)

christhompson commented 4 years ago

These are now live:

PR #425 adds the cert chains.

https://crrev.com/c/1968635 will add these to the local blocklist in Chrome after which they will trigger the new UIs.