This repository has been archived by the owner on May 10, 2024. It is now read-only.

SSL Trust Validation too strict [does not match Safari's relaxed validation] #5543

Closed
Brandon-T opened this issue Jun 17, 2022 · 1 comment · Fixed by #7588

Comments

@Brandon-T
Collaborator

Description:

  • Brave-iOS SSL trust validation is too strict; it validates the BasicX509Policy and Mixed-Content
  • All other browsers on iOS validate only the SSLTrustPolicy and do not validate Mixed-Content
  • iOS blocks Mixed-Content by default, so no need to validate it

Steps to Reproduce

  1. Visit https://kevsong.com
  2. Notice the icon in the URL bar + the certificate viewer says the website is not secure

Actual result:

  • Website is not secure

Expected result:

  • Website should be secure as per other browsers' relaxed trust validation

Reproduces how often: [Easily reproduced, Intermittent Issue]
Easily reproduced

Brave Version:

  • Any

Device details:

  • Any

Website problems only:

  • Did you check in Safari/Firefox (WKWebView-based browsers)? Yes
  • Happens only in Brave-iOS
@Brandon-T Brandon-T added this to the 1.40 milestone Jun 17, 2022
@Brandon-T Brandon-T self-assigned this Jun 17, 2022
@iccub iccub removed this from the 1.40 milestone Jun 21, 2022
@iccub iccub added this to the 1.52 milestone Jun 13, 2023
iccub pushed a commit that referenced this issue Jun 13, 2023
…rs (#7588)

Relax SSL validation. Use Chromium validation over Apple's validation.
If Chromium returns a value indicating that the system should handle it, then we use Apple's validation.
However, we disable X509 validation and only validate it for SSL.

Signed-off-by: Brandon T <[email protected]>
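
The system-validation fallback that the commit message describes, sketched as an added example (not code from brave-ios or brave-core): a server-trust challenge is evaluated under Apple's SSL policy only, with no separate Basic X509 policy attached. `SSLOnlyTrustDelegate` and `evaluate(_:host:)` are hypothetical names, and the Chromium verification step that runs first in the actual fix is not shown.

```swift
import Foundation
import Security

/// Hypothetical delegate for illustration; not taken from the Brave code base.
final class SSLOnlyTrustDelegate: NSObject, URLSessionDelegate {

    /// Evaluates `trust` for `host` using only the SSL server policy.
    /// Call off the main thread: SecTrustEvaluateWithError can block on network I/O.
    static func evaluate(_ trust: SecTrust, host: String) -> (trusted: Bool, error: Error?) {
        // Server-side SSL policy, including the hostname check for `host`.
        let sslPolicy = SecPolicyCreateSSL(true, host as CFString)

        // Replace the policies attached to the trust object so that the SSL
        // policy is the only one evaluated (no SecPolicyCreateBasicX509()).
        let status = SecTrustSetPolicies(trust, sslPolicy)
        guard status == errSecSuccess else {
            return (false, NSError(domain: NSOSStatusErrorDomain, code: Int(status)))
        }

        var cfError: CFError?
        let trusted = SecTrustEvaluateWithError(trust, &cfError)
        return (trusted, cfError as Error?)
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust else {
            // Not a server-trust challenge: leave it to the system.
            completionHandler(.performDefaultHandling, nil)
            return
        }

        let result = Self.evaluate(trust, host: space.host)
        if result.trusted {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Fail closed: an untrusted chain or hostname mismatch cancels the load.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}
```
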
@hffvld
Collaborator

hffvld commented Jun 16, 2023

Verified on iPhone 14 using version(s):

Device/OS: iPhone 14 [iOS 16.5]
Version 1.52 (23.6.14.13)
BraveCore 1.52.125 (114.0.5735.110)

STEPS:

  1. Launch Brave
  2. Go to https://kevsong.com
  3. Verify the icon in the URL bar + the certificate viewer

ACTUAL RESULTS:

  • Verified that the icon in the URL search bar is shown as a lock
  • Verified that the certificate viewer is showing that the website https://kevsong.com is secure and valid

arthuredelstein pushed a commit to brave/brave-core that referenced this issue Feb 13, 2024
…ll other browsers (brave/brave-ios#7588)

Relax SSL validation. Use Chromium validation over Apple's validation.
If Chromium returns a value indicating that the system should handle it, then we use Apple's validation.
However, we disable X509 validation and only validate it for SSL.

Signed-off-by: Brandon T <[email protected]>