
Chrome requires SSL Certificates to list the site name(s) in the subject alternative name (SAN) to be trusted. Usage of common name only is not seen as secure enough, and will result in a certificate validation error in Chrome.

We are in the process of updating our certificates, but need to know the urgency. We do not support Chrome for a lot of corporate / internal sites (yet).

Is it known when / how other browsers will implement this security restriction? Will IE / Edge / Firefox / Safari follow this improvement?

oɔɯǝɹ
    *"Usage of common name only is not seen as secure enough."* - It is not a security issue but simply that use of CN was declared obsolete for ages. – Steffen Ullrich Nov 01 '17 at 10:49
  • You using a private PKI? Public ones have used the SAN for ages. – ISMSDEV Nov 01 '17 at 10:54
  • Yes, private PKI. We are in the process of updating the internally used procedures, practices, etc.. – oɔɯǝɹ Nov 01 '17 at 10:56
  • Related: Thread for Chrome: 2017-01-28, Chromium security-dev forum, Ryan Sleevi, [*Intent to Remove: Support for commonName matching in certificates*](https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/IGT2fLJrAeo) (Related Firefox/Mozilla [Bug 1245280](https://bugzilla.mozilla.org/show_bug.cgi?id=1245280) is linked to from there.) – StackzOfZtuff Nov 01 '17 at 14:10
  • I'm voting to close this question as off-topic because only the internal dev teams of these products can speak to their development roadmaps. – schroeder Nov 02 '17 at 14:42
  • I really do not understand that close vote. I believe the information is relevant and security related. Availability of an answer is not a good reason to close a question (imho). – oɔɯǝɹ Nov 02 '17 at 15:53
  • I asked about the close reasoning on meta: https://security.meta.stackexchange.com/q/2807/15673 – oɔɯǝɹ Nov 02 '17 at 16:09
  • @oɔɯǝɹ In fact, when using Chrome Canary version 65 (Beta Chrome), I do not get any blocking with a corporate certificate (private PKI) using CN. Is it normal? I would expect blocking starting from version 65... – crypto-learner Jan 18 '18 at 14:45
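To see the question's Chrome behaviour reproduced outside a browser, here is an added example (not code from the question, the answer, or any browser project). It uses Go's standard crypto/x509 package, which has ignored the Common Name for host-name matching since Go 1.15, exactly as Chrome 58+ does. The program issues two server certificates from a throwaway private CA, one with the host only in the CN and one that also carries a subjectAltName, and then verifies each against the CA for that host. The host name `intranet.example` and the CA name "Example Corp Private CA" are constructed for the demonstration; `HasSAN` is the check to run over an existing private-PKI inventory to find certificates that will break.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Host is a constructed internal host name for the demonstration (not from the question).
const Host = "intranet.example"

// sanOID is id-ce-subjectAltName (2.5.29.17).
var sanOID = asn1.ObjectIdentifier{2, 5, 29, 17}

// IssueLeaf creates a throwaway private CA (hypothetical name) and signs a server
// certificate for Host with it. With withSAN=true the host goes into subjectAltName
// as well as the CN; with withSAN=false it appears only in the CN, the legacy form
// Chrome 58+ rejects. Returns the leaf and a trust store holding only that CA.
func IssueLeaf(withSAN bool) (*x509.Certificate, *x509.CertPool, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Private CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: Host}, // CN is present in both variants
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN {
		leafTmpl.DNSNames = []string{Host} // emitted as the subjectAltName extension
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return leaf, roots, nil
}

// HasSAN reports whether the certificate carries a subjectAltName extension at all,
// the property to audit across an existing private-PKI inventory.
func HasSAN(c *x509.Certificate) bool {
	for _, ext := range c.Extensions {
		if ext.Id.Equal(sanOID) {
			return true
		}
	}
	return false
}

// VerifyForHost checks the leaf the way a current browser does: build a chain to
// the private root and require host to match a SAN entry. A CN-only certificate
// fails with a HostnameError even though the chain itself is valid.
func VerifyForHost(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	for _, withSAN := range []bool{false, true} {
		leaf, roots, err := IssueLeaf(withSAN)
		if err != nil {
			panic(err)
		}
		fmt.Printf("SAN present: %-5v  verify for %s: %v\n", HasSAN(leaf), Host, VerifyForHost(leaf, roots, Host))
	}
}
```

Running it prints a HostnameError for the CN-only certificate and `<nil>` for the one with a SAN; the chain to the private CA is valid in both cases, so the only difference is where the host name is carried. A corporate template that sets `subjectAltName = DNS:<host>` (and, for existing certificates, an audit with a check like `HasSAN`) is what closes the gap.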

1 Answer


IE probably never

IE is a dead product; it'll probably stay doing what it's currently doing unless there's some major security issue forcing Microsoft to issue a special security update to disable CN validation.

Firefox already there

Firefox already no longer recognizes the CN for new certificates signed by public PKIs (the deadline was anything issued on/after 2016-08-23), but still allows fallback to the CN for non-built-in CAs. Since Firefox is an open source product, for items like these, removing CN support will likely require a volunteer who actually goes forward and provides a patch to implement the removal, and such a patch will likely only get merged if retaining any CN support is preventing some other major improvement to Firefox or the web/PKI infrastructure as a whole. There's really no big hurry for this removal, as keeping it around doesn't seem to prevent anyone from doing what they need to do at the moment, and the current solution of differentiating between built-in and imported certificates seems to satisfy Firefox's users for the moment.

Edge/Safari: unknown

Edge and Safari are Microsoft's and Apple's products; keeping or removing support will likely depend on their respective commercial influences.

Further reading/tracking: ChromeStatus

So far, according to ChromeStatus: Support for commonName matching in Certificates, there doesn't seem to be any public communication from Microsoft or Apple on this topic.

Lie Ryan
  • I'm looking for exact answers, not speculation. – oɔɯǝɹ Nov 01 '17 at 14:27
  • @oɔɯǝɹ: if you would give me a *working* crystal ball, then I can give you an exact answer. Really, the best source available is the chromestatus link above; that site keeps track of all the major browser vendors' responses when they're known and publicly available. Reading the Mozilla Bugzilla issue I linked can also give you a broader idea of how the issue is perceived by Firefox devs and users. – Lie Ryan Nov 01 '17 at 14:43
  • I understand that we both don't know the roadmap for IE. In that case it would be more prudent to write that (perhaps as a comment, not an answer). I'm looking for someone who does know the answer. – oɔɯǝɹ Nov 01 '17 at 14:49
  • So the core question is: when will Microsoft patch their browser? Only Microsoft can answer that. PS: IE will most likely never get an update. They will do it in Edge instead. – Serverfrog Nov 01 '17 at 14:54
  • This answer is as good as it gets. If you had googled a bit before asking this question and didn't find anything, you would have to have a FFox/IE/Safari developer on hand to tell you exactly. Everything else is speculation. – Tom K. Nov 01 '17 at 14:54
  • @oɔɯǝɹ so ... you're asking for an IE or Mozilla dev to answer? Wouldn't this be a better question for *their* forums? – schroeder Nov 02 '17 at 08:38
  • You never know who comes by on stackoverflow. I believe I have a better chance here. But I do value the suggestion. – oɔɯǝɹ Nov 02 '17 at 08:42