[Webkit-unassigned] [Bug 266196] Certificate error for playstation.com signed by DigiCert but not other DigiCert signed sites

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Dec 10 16:50:10 PST 2023


https://bugs.webkit.org/show_bug.cgi?id=266196

Michael Catanzaro <mcatanzaro at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |don.olmstead at sony.com,
                   |                            |mcatanzaro at redhat.com
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED

--- Comment #1 from Michael Catanzaro <mcatanzaro at redhat.com> ---
Hi, this is a server configuration error. playstation.com is sending its server certificate twice by mistake, and is not sending the issuer cert DigiCert Global G2 TLS RSA SHA256 2020 CA1, so there is no chain of trust and the rejection is correct. This is the sort of mistake that can only happen when you don't do any validity tests at all, because it will be caught by every test program imaginable. playstation.com should replace its extra playstation.com certificate with the missing DigiCert Global G2 TLS RSA SHA256 2020 CA1 intermediate certificate, and then it will work.

(In reply to Alina Marquardt from comment #0)
> In contrast, Firefox 120 on the same system, a recent Ungoogled Chromium and
> even Safari 15 on macOS 10.15 have no problem regarding playstation.com's
> certificate as valid.

Firefox goes out of its way to proactively download a big hardcoded list of intermediate certificates to reduce validation errors. It's even nondeterministic because it downloads a set number of certificates per day and whether the validation succeeds depends on whether or not you have the right certificate on any given day. That's nuts; we don't want that.

Chrome follows AuthorityInformationAccess to download the missing certificate automatically. This is more reasonable and I have a semi-working implementation of this from four years ago, but it's not good enough to land yet. I'll hopefully get back to it eventually. The downside of this is it allows the certificate authority to easily track you when visiting misconfigured websites, which is why Firefox doesn't do it, but our hand has been forced IMO. You can follow https://gitlab.gnome.org/GNOME/glib-networking/-/issues/96 if you want to see updates regarding this. Note the website should be fixed anyway because (a) obviously not everyone supports this, and (b) it's very slow.

I don't know what macOS does, but without any info I'd guess it uses AuthorityInformationAccess.
