After getting to work today I opened the browser and found that many HTTPS sites would not load, failing with this error:
该服务器提供了一个未通过证书透明度政策公开披露的证书。某些证书必须通过证书透明度政策进行公开披露 以确保它们值得信任且能保护用户免遭攻击。
NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED
For now this can be treated as a bug in older Chrome versions.
Chromium Issue: https://bugs.chromium.org/p/chromium/issues/detail?id=664177
Reproduction steps
It is not clear exactly how old "old" has to be. Chrome 53, perhaps?
A truly ancient Chrome barely reports any error message at all.
I forgot to take a screenshot before fixing the problem on my own machine, so I went looking for another machine in the office with Chrome installed to capture one; a Chrome 36 there reported the following error.
I also tried installing Chrome 52 in a virtual machine, but the problem could not be reproduced there, so a Chinese-language screenshot is probably out of reach; I could only find an English-language error page online.
Cause of the bug
Sites whose certificates were issued by Symantec appear to be affected. The bug comes from Chrome's default policy: by default Symantec would have been removed from the trusted list, and it stays trusted only on the strength of Certificate Transparency. Once an old build stops trusting its CT information, Symantec is effectively dropped from the list, even though Symantec certificates should still be trusted.
The goal of such a policy is "Only trust Symantec if we're confident in CT" - that is, that the default policy would have been to remove Symantec, but that Symantec remains trusted, because we trust CT. However, the CT information has a built-in build-time bomb of 10 weeks - after 10 weeks from build time, the CT code no longer believes it can trust in CT information, because logs may have been added or removed. This is to ensure that an old Chrome client doesn't blindly trust logs known to be untrustworthy. For EV, this was an acceptable behaviour - as it means out of date Chrome versions no longer show the EV bar. This is also similar to the build-time bombs of HSTS and HPKP - except that they disable their security functionality after 10 weeks, and due to them being additive policies rather than subtractive, 'fail open' (read: make Chrome less secure).
The fix is simply to upgrade to the latest version of Chrome. After upgrading to 55.0.2883.75 m (64-bit) the problem has not recurred.
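To make the behaviour quoted above concrete, here is a small model of the decision, added as an example and not code from Chromium or this post. It assumes a constructed issuer table (Symantec as the CT-required issuer), a 10-week log-list lifetime, and constructed build and viewing dates; the contrast function shows why a subtractive CT policy fails closed while an additive policy such as HSTS/HPKP fails open.

```python
from datetime import date, timedelta

# The embedded CT log list is treated as stale this long after the build
# (the 10-week "build-time bomb" described in the Chromium issue comment).
CT_LOG_LIST_MAX_AGE = timedelta(weeks=10)

# Constructed issuer table for this example: issuers for which the default
# policy is "distrust unless CT proves the certificate was logged".
CT_REQUIRED_ISSUERS = {"Symantec"}

CT_ERROR = "NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED"


def embedded_data_fresh(build_date: str, today: str) -> bool:
    """True while the client is young enough to trust data baked into the build."""
    age = date.fromisoformat(today) - date.fromisoformat(build_date)
    return age <= CT_LOG_LIST_MAX_AGE


def evaluate_certificate(issuer: str, has_valid_scts: bool,
                         build_date: str, today: str) -> str:
    """Subtractive policy: return 'OK' or the Chrome error named on the page."""
    if issuer not in CT_REQUIRED_ISSUERS:
        return "OK"                      # CT is not required for this issuer
    if not embedded_data_fresh(build_date, today):
        # The log list is stale, so the SCTs cannot be checked. The CT
        # requirement stays in force, so the connection is blocked (fail closed).
        return CT_ERROR
    return "OK" if has_valid_scts else CT_ERROR


def additive_policy_enforced(policy_present: bool,
                             build_date: str, today: str) -> bool:
    """Contrast case: an additive policy such as preloaded HSTS/HPKP. Once the
    build-time bomb fires, enforcement is simply dropped, so the policy fails
    open: the connection proceeds, just with less protection."""
    return policy_present and embedded_data_fresh(build_date, today)


if __name__ == "__main__":
    # Constructed dates: a build from 2016-09-01 used on 2016-12-06 (96 days).
    print(evaluate_certificate("Symantec", True, "2016-09-01", "2016-12-06"))
    # A fresh build from 2016-11-01 (35 days old) accepts the same certificate.
    print(evaluate_certificate("Symantec", True, "2016-11-01", "2016-12-06"))
```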
About Certificate Transparency
Certificate Transparency translates literally as "certificate transparency". Its goal is to provide an open auditing and monitoring system that lets any domain owner or CA determine whether a certificate has been mis-issued or is being used maliciously, thereby improving the security of HTTPS sites.
For more information on Certificate Transparency, see:
certificate-transparency.org: https://www.certificate-transparency.org/
Jerry Qu: All about Certificate Transparency: https://imququ.com/post/certificate-transparency.html
2 comments
漠伦
8 December 2016 at 5:00 PM (UTC+8)
I once thought about setting up Certificate Transparency for my site's certificate, but found that it requires recompiling Nginx... which shuts out users like me who rely on an off-the-shelf admin panel. _(:з」∠)_
By the way, Chrome Dev 56 now disables Flash by default for websites.
石樱灯笼
9 December 2016 at 10:20 AM (UTC+8)
Flash should have been disabled by default long ago.