-
Notifications
You must be signed in to change notification settings - Fork 15k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Allow detection of MITM HTTPS proxies like ZScaler #30174
Merged
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
For security purposes, Figma heavily restrics the origins that are allowed to load within our Electron app. Unfortunately some corporate environments use MITM proxies like ZScaler, which intercepts our connection to `https://www.figma.com` and serves a redirect to e.g. `https://gateway.zscloud.net` before finally redirecting back to `https://www.figma.com`. In order to detect this situation and handle it gracefully, we need to be able to know whether or not the certificate for our own origin (`https://www.figma.com`) is chained to a known root. We do this by exposesing `CertVerifyResult::is_issued_by_known_root`. If the certification verification passed without the certificate being tied to a known root, we can safely assume that we are dealing with a MITM proxy that has its root CA installed locally on the machine. This means that HTTPS can't be trusted so we might as well make life easier for corporate users by loosening our origin restrictions without any manual steps.
MarshallOfSound
approved these changes
Jul 18, 2021
nornagon
reviewed
Jul 19, 2021
Adriamo132
approved these changes
Jul 23, 2021
@@ -590,6 +590,7 @@ describe('session module', () => { | |||
expect(certificate.issuerCert.issuerCert.subject.commonName).to.equal('Root CA'); | |||
expect(certificate.issuerCert.issuerCert.issuerCert).to.equal(undefined); | |||
expect(verificationResult).to.be.oneOf(['net::ERR_CERT_AUTHORITY_INVALID', 'net::ERR_CERT_COMMON_NAME_INVALID']); | |||
expect(isIssuedByKnownRoot).to.be.false(); | |||
}; | |||
callback(-2); |
This comment was marked as spam.
This comment was marked as spam.
Sorry, something went wrong.
poiru
commented
Jul 26, 2021
nornagon
approved these changes
Jul 26, 2021
zcbenz
approved these changes
Aug 2, 2021
electron-cation
bot
added
api-review/requested 🗳
and removed
api-review/approved ✅
labels
Aug 2, 2021
Release Notes Persisted
|
BlackHole1
pushed a commit
to BlackHole1/electron
that referenced
this pull request
Aug 30, 2021
) * feat: Allow detection of MITM HTTPS proxies like ZScaler For security purposes, Figma heavily restrics the origins that are allowed to load within our Electron app. Unfortunately some corporate environments use MITM proxies like ZScaler, which intercepts our connection to `https://www.figma.com` and serves a redirect to e.g. `https://gateway.zscloud.net` before finally redirecting back to `https://www.figma.com`. In order to detect this situation and handle it gracefully, we need to be able to know whether or not the certificate for our own origin (`https://www.figma.com`) is chained to a known root. We do this by exposesing `CertVerifyResult::is_issued_by_known_root`. If the certification verification passed without the certificate being tied to a known root, we can safely assume that we are dealing with a MITM proxy that has its root CA installed locally on the machine. This means that HTTPS can't be trusted so we might as well make life easier for corporate users by loosening our origin restrictions without any manual steps. * Tweak docs wording
This was referenced Aug 30, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
For security purposes, Figma heavily restrics the origins that are
allowed to load within our Electron app. Unfortunately some corporate
environments use MITM proxies like ZScaler, which intercept our
connection to
https://www.figma.com
and serve a redirect to e.g.https://gateway.zscloud.net
before finally redirecting back tohttps://www.figma.com
.In order to detect this situation and allow the navigation to proceed,
we need to be able to know whether or not the certificate for our own
origin is chained to a known root. We do this by exposing
CertVerifyResult::is_issued_by_known_root
.If the certification verification passed without the certificate being
tied to a known root, we can safely assume that we are dealing with a
MITM proxy that has its own root certificate installed locally on the
machine and therefore loosen our origin checks.
Notes: Add
isIssuedByKnownRoot
toses.setCertificateVerifyProc
callback