Chrome turning down webauthn for websites with TLS certificate errors

Web Authentication WG,

Starting with M110, Chrome will stop allowing WebAuthn requests on websites
with TLS certificate errors. The criteria will be the same as those used for
showing danger interstitials or a "Not secure" pill in the omnibox. This will
prevent bad actors from obtaining valid assertions by man-in-the-middling
users who may click through the interstitial.

For developers, this behaviour can be overridden by running Chrome with the
--disable-features=DisableWebAuthnWithBrokenCerts flag. Enterprises can use
the AllowWebAuthnWithBrokenTlsCerts policy as a workaround if needed.

Happy hacking,
-- 

Nina Satragno
Computer Engineer
she/her
nso@google.com

Received on Thursday, 24 November 2022 19:01:47 UTC