Flag to allow user-installed certificates #921

Closed
ghost opened this issue Feb 8, 2021 · 20 comments · Fixed by #1110

@ghost

ghost commented Feb 8, 2021

Is your feature request related to privacy?

I'm not sure...

Is there a patch available for this feature somewhere?

Errr...

Describe the solution you would like

Censorship-circumvention tools like Accesser that use domain fronting need a MITM to intercept HTTPS traffic for removing SNI

#431 A user-installed CA is sometimes required for debugging purposes

Describe alternatives you have considered

Fennec F-Droid respects Android's certificate storage, as well as user-trusted CAs

Related #918

@Disqu3-mirOir-qt

I agree, the latest update broke my adblocker capacity

@Fei1Yang

Fei1Yang commented Feb 9, 2021

> Censorship-circumvention tools like Accesser that use domain fronting need a MITM to intercept HTTPS traffic for removing SNI

You can use phantomsocks, it won't intercept the content of your HTTPS traffic, also it has more anti-censorship methods.

> #431 A user-installed CA is sometimes required for debugging purposes

There is already a mobile devices simulator on desktop Chromium, so debugging on real mobile devices is really not that necessary.

@ghost
Author

ghost commented Feb 9, 2021

Using phantomsocks on mobile devices adds another requirement (ROOT)

It's possible to do it on desktop, but I didn't see why it's necessary for Bromite to disallow custom CAs

@jeffersoncheang

Agree. I'm not sure what the dev's intention is on this, but it just broke my system-wide adblocker function; I can't surf any websites now. On my non-rooted device, phantomsocks is not viable.
Please consider making it an option to permit/restrict user-installed certs.

@uazo
Collaborator

uazo commented Feb 9, 2021

> Please consider making it an option to permit/restrict user-installed certs.

What do you think about it @csagan5? I also think a flag is perfect.
This request is in line with "Take back your browser"

@csagan5
Contributor

csagan5 commented Feb 9, 2021

@uazo it is not possible to have a flag for this, as far as I know; it is an application-level configuration: see https://developer.android.com/training/articles/security-config

In the desktop version there is a feature to install certificates from the browser though; that would be the best way to allow this, but we do not have the resources to develop a UI for that.

> This request is in line with "Take back your browser"

At the expense of the less literate (and thus weaker) users.

Up until now a lot of malicious apps or APTs have abused the user certificates functionality; this patch is intended to protect those users who are not aware of the installed user certificates that they are using.

Android 11 will prevent apps from proposing a CA certificate installation, see https://httptoolkit.tech/blog/android-11-trust-ca-certificates/

That will improve the situation quite sensibly; I will consider removing the patch because it goes against an Android feature; note that the users that benefit most from this patch are not here represented: only those that experienced a functionality breakage are.
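
The application-level configuration linked in the comment above is Android's Network Security Configuration. The fragment below is an added illustration for a generic Android app, not part of the thread and not Bromite's or Chromium's own file; the host `intranet.example` and the resource `@raw/internal_ca` are hypothetical.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from AndroidManifest.xml
     via android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>

    <!-- Default for every connection: only the pre-installed system CAs.
         A user-installed CA (interception proxy, private PKI) is rejected. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
            <!-- Adding the following element would also trust the user store:
            <certificates src="user" />
            -->
        </trust-anchors>
    </base-config>

    <!-- Private PKI without trusting the whole user store: one host is
         validated against a CA bundled with the app (hypothetical names). -->
    <domain-config>
        <domain includeSubdomains="true">intranet.example</domain>
        <trust-anchors>
            <certificates src="@raw/internal_ca" />
        </trust-anchors>
    </domain-config>

    <!-- Applies only when the app is built with android:debuggable="true":
         lets a developer's proxy CA from the user store work in debug builds. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

This file is a resource compiled into the APK, so the trust anchors chosen here are fixed at build time rather than switchable at runtime.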

@jeffersoncheang

jeffersoncheang commented Feb 10, 2021

Hi @csagan5, thanks for providing a deeper insight on why this feature is added. Appreciate your good effort and intention.

From my understanding, on the system level, the user should have understood and acknowledged the potential risk of installing a third party CA certificate before the installation happens.

On the app level, say Bromite, this patch acts as another layer of security which benefits most users. However, would it be feasible to prompt a one-time notification window stating the risk of third party CA certificates before the user proceeds to use the app? (Just thinking out loud, it may/may not be helpful at all)

Edit: That way, the functionality of other apps will not be interfered with.
To add: Understand the Bromite dev added this patch to help users with good grace. The user should be the one who bears the risk ownership should he/she willingly install any third party certificate. Nothing to blame on the dev if one is under malicious app attack.

@uazo
Collaborator

uazo commented Feb 10, 2021

@ukuehn

ukuehn commented Feb 10, 2021

Dear csagan5,

one positive aspect of user-installed certificates has not yet been discussed here: when you run some infrastructure of your own, including your own (small) PKI. Essentially this patch prevents me from using this kind of security functionality, and this is where I noticed the changed functionality first.

To understand a bit better the balance between the security against unsuspecting users getting a malicious certificate installed and the security benefit of actually using your own certificate, could you point to some reports or similar on how large this issue of installing rogue certificates is? A quick search did not yield too many usable results for me.

Thanks.

p.s.: Thinking about possible indicators, would it be difficult to add functionality showing if (or how many) user-installed certificates are present in the trust store?

@csagan5
Contributor

csagan5 commented Feb 10, 2021

> However, would it be feasible to prompt a one-time notification window stating the risk of third party CA certificates before the user proceeds to use the app?

I have added a link to the Android feature that the patch changes in the comment you are replying to. It is an OS feature, not an app feature.

> p.s.: Thinking about possible indicators, would it be difficult to add functionality showing if (or how many) user-installed certificates are present in the trust store?

Android 11 will make it more difficult for users to install root CA certificates because apps will not be allowed to initiate the interaction, see the article I posted in my link.

> could you point to some reports or similar on how large this issue of installing rogue certificates is? A quick search did not yield too many usable results for me.

See https://www.eff.org/deeplinks/2020/03/victory-android-11-rolls-out-improved-certificate-warnings

see boolean isKnownRoot(X509Certificate root) here https://source.chromium.org/chromium/chromium/src/+/master:net/android/java/src/org/chromium/net/X509Util.java;l=402

@uazo the feature was added in https://codereview.chromium.org/6793041 but it is currently unused in Chromium; yes, I think this could be instrumented for a flag, nice finding.

@csagan5
Contributor

csagan5 commented Feb 16, 2021

The patch has been removed in 88.0.4324.185; we need a new patch to implement the flag as @uazo described.

I will keep this issue open until that is implemented.

@dtaylor84

I'm still seeing untrusted certificate errors with 4324.185.

@manishxmadan

Just tested 88.0.4324.185; there are still certificate errors.

@csagan5
Contributor

csagan5 commented Feb 16, 2021

I see that the patch is still there by mistake; it will be dropped in the next release.

@csagan5
Contributor

csagan5 commented Feb 20, 2021

The patch is dropped in 88.0.4324.187; there will be a flag in future, disabled by default, to allow user certificates.

csagan5 changed the title from "Allow user-installed certificates" to "Flag to allow user-installed certificates" on Mar 8, 2021
csagan5 assigned csagan5 and uazo and unassigned csagan5 on Mar 13, 2021

@uazo
Collaborator

uazo commented Mar 17, 2021

note to me:
check why cookies are active in this feedback, while in the code it says that they should not be:

Call:
https://source.chromium.org/chromium/chromium/src/+/master:net/url_request/report_sender.cc;l=50;drc=2aab98da44af591cec7fd9424318281cc1565859;bpv=1;bpt=1

TrafficAnnotation:
https://source.chromium.org/chromium/chromium/src/+/master:services/network/expect_ct_reporter.cc;l=134;drc=70365c5dbd0628df048dcc4e81740b3932411574

NOTE: ExpectCTReporting is FEATURE_ENABLED_BY_DEFAULT

@csagan5
Contributor

csagan5 commented Mar 17, 2021

> NOTE: ExpectCTReporting is FEATURE_ENABLED_BY_DEFAULT

Related: #995

@csagan5
Contributor

csagan5 commented Apr 26, 2021

Fixed in 90.0.4430.92.

@csagan5
Contributor

csagan5 commented Apr 26, 2021

> note to me:
> check why cookies are active in this feedback, while in the code it says that they should not be:

@uazo did you add this to the project issue tracker?

@uazo
Collaborator

uazo commented Apr 27, 2021

There is no need; the cookies are disabled, I have already checked.
