PSA: WebView, Chrome Accept Revoked SSL Certificates
TL;DR: If your app uses WebView (whether the new 4.4 Chromium-flavored one or the classic one), and it loads a Web page that presents a revoked SSL certificate (whether due to a server configuration error, a Martian-in-the-middle attack, or whatever), WebView will load and show the page anyway, with no warning to the user.
This came up due to this issue, filed a day ago on the Android issue tracker, pointing out that the Chrome browser on Android blows past revoked SSL certificates as well. A lot of SSL certificates are being revoked now in the wake of Heartbleed, and the person filing the issue felt that Chrome should do what some other Android browsers, like Firefox, do: alert the user to the potential security issue.
Google, both in that issue and in the original issue filed against Chrome, disagrees.
I do not know of an in-WebView way of addressing this; if I hear of one, I will blog about it.
UPDATE: HttpURLConnection and OkHttp do indeed seem to skip SSL certificate revocation checking. See this post for more.
Note that I have not tested HttpClient on Android and so do not know if it will or will not pay attention to an SSL certificate’s revocation status.
UPDATE #2: HttpClient also skips SSL certificate revocation checking. See this post for more.
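For readers who want to see what revocation checking on an HttpURLConnection looks like when the underlying stack does support it, here is an added example; it is not code from this post or from any of the libraries mentioned. It uses the standard JSSE PKIXRevocationChecker API from Java 8 and has been written against desktop Java, not the Android runtime the post is about, so it is an assumption, not a claim, that any given Android release exposes the same classes. The class name RevocationCheckedHttps and the target URL are placeholders chosen for the example.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example (desktop JSSE, Java 8+): an SSLContext whose trust manager
// performs OCSP/CRL revocation checking on every server certificate chain.
public final class RevocationCheckedHttps {

    public static SSLContext buildContext() throws Exception {
        // 1. Collect the platform's default trust anchors by asking the
        //    default TrustManagerFactory (initialised with a null KeyStore,
        //    which means "use the JRE's cacerts") for its accepted issuers.
        TrustManagerFactory defaultTmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        defaultTmf.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : defaultTmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(ca, null));
                }
            }
        }

        // 2. Obtain the PKIX path builder's revocation checker. With no options
        //    set it tries OCSP first and falls back to CRLs, and it hard-fails
        //    when neither source can be reached (SOFT_FAIL is deliberately not
        //    enabled: an unverifiable certificate must not be treated as good).
        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker revocation =
            (PKIXRevocationChecker) cpb.getRevocationChecker();
        revocation.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));

        PKIXBuilderParameters pkix =
            new PKIXBuilderParameters(anchors, new X509CertSelector());
        pkix.addCertPathChecker(revocation);

        // 3. Wrap the PKIX parameters in a TrustManager and an SSLContext that
        //    HttpsURLConnection can use.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder target; pass a host whose certificate is revoked to see
        // the handshake refused.
        String target = args.length > 0 ? args[0] : "https://example.com/";
        HttpsURLConnection conn =
            (HttpsURLConnection) new URL(target).openConnection();
        conn.setSSLSocketFactory(buildContext().getSocketFactory());
        try {
            System.out.println("HTTP " + conn.getResponseCode());
        } catch (SSLHandshakeException e) {
            // A revoked certificate surfaces as a CertPathValidatorException
            // (reason REVOKED) in the cause chain of this exception.
            System.out.println("Handshake refused: " + e.getMessage());
        }
    }
}
```

The two things a practitioner should check before relying on this are that the runtime actually ships PKIXRevocationChecker (a ClassNotFoundException at step 2 means it does not, and the stack will fall back to the behaviour the post describes) and that the OCSP and CRL endpoints in the server's certificate are reachable from the device, since without SOFT_FAIL an unreachable responder blocks the connection just as a revoked certificate does.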
If you have any additional insights on this issue, feel free to contact me.