[Webkit-unassigned] [Bug 196182] Using Application Cache on HTTPS websites breaks browser security indicators (e.g. webkit_web_view_get_tls_info()); CertificateInfo not properly cached

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Mar 24 17:30:30 PDT 2019


--- Comment #6 from Alexey Proskuryakov <ap at webkit.org> ---
> Why not? If WebKit caches aren't trusted, then we have a big problem!

Locally running malware can modify appcache, but it can't change the content of webpages.

So yes, the user has a big problem in this scenario, but we shouldn't make it bigger by letting the attacker poison the cache for https pages, and especially EV.

> I don't think we need to store trust decisions in the cache, anyway. If we
> just encode the CertificateInfo into the cache using the existing
> WTF::Persistence coders, then the certificate's trust can be evaluated at
> runtime.

With network access, which is not OK for appcache served pages.

I do agree that there is a problem here, but I think that the solution to it is not using appcache.

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190325/3234dedc/attachment.html>

More information about the webkit-unassigned mailing list