feat: Allow detection of MITM HTTPS proxies like ZScaler #30174

Merged Aug 2, 2021 (2 commits)

@poiru (Contributor) commented Jul 17, 2021

For security purposes, Figma heavily restricts the origins that are
allowed to load within our Electron app. Unfortunately some corporate
environments use MITM proxies like ZScaler, which intercept our
connection to https://www.figma.com and serve a redirect to e.g.
https://gateway.zscloud.net before finally redirecting back to
https://www.figma.com.

In order to detect this situation and allow the navigation to proceed,
we need to be able to know whether or not the certificate for our own
origin is chained to a known root. We do this by exposing
CertVerifyResult::is_issued_by_known_root.

If the certification verification passed without the certificate being
tied to a known root, we can safely assume that we are dealing with a
MITM proxy that has its own root certificate installed locally on the
machine and therefore loosen our origin checks.

Notes: Add isIssuedByKnownRoot to ses.setCertificateVerifyProc callback

For security purposes, Figma heavily restricts the origins that are
allowed to load within our Electron app. Unfortunately some corporate
environments use MITM proxies like ZScaler, which intercepts our
connection to `https://www.figma.com` and serves a redirect to e.g.
`https://gateway.zscloud.net` before finally redirecting back to
`https://www.figma.com`.

In order to detect this situation and handle it gracefully, we need to
be able to know whether or not the certificate for our own origin
(`https://www.figma.com`) is chained to a known root. We do this by
exposing `CertVerifyResult::is_issued_by_known_root`.

If the certification verification passed without the certificate being
tied to a known root, we can safely assume that we are dealing with a
MITM proxy that has its root CA installed locally on the machine. This
means that HTTPS can't be trusted so we might as well make life easier
for corporate users by loosening our origin restrictions without any
manual steps.
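
One way an app could consume the new field, added here as an example and not code from this PR, Electron or Figma. `APP_HOSTS`, `classify` and `makeVerifyProc` are hypothetical names; the request fields and the `-3` callback code are those of `ses.setCertificateVerifyProc`, and the sample requests are constructed.

```javascript
// Added example: classify the request object handed to the
// ses.setCertificateVerifyProc callback. Hypothetical helper names.
const APP_HOSTS = new Set(['www.figma.com']); // the app's own origin, per the PR text

function classify(request) {
  if (!APP_HOSTS.has(request.hostname)) return 'not-our-origin';
  // errorCode 0 means Chromium's verifier accepted the chain.
  if (request.errorCode !== 0) return 'verification-failed';
  // Accepted, but anchored in a root that is not a publicly known one:
  // a CA installed locally on the machine, as an intercepting proxy requires.
  return request.isIssuedByKnownRoot ? 'public-root' : 'local-root';
}

// Builds a verify proc that never overrides Chromium's verdict. It only
// reports when the app's own origin is served under a locally installed root.
function makeVerifyProc(onLocalRoot) {
  return (request, callback) => {
    if (classify(request) === 'local-root') onLocalRoot(request.hostname);
    callback(-3); // -3: use the verification result from Chromium
  };
}

// Wiring in an Electron main process (not executed here):
//   session.defaultSession.setCertificateVerifyProc(makeVerifyProc((host) => {
//     interceptedHosts.add(host); // hypothetical state read by the origin filter
//   }));

// Constructed sample requests; -202 is net::ERR_CERT_AUTHORITY_INVALID.
const samples = [
  { hostname: 'www.figma.com', errorCode: 0, isIssuedByKnownRoot: true },
  { hostname: 'www.figma.com', errorCode: 0, isIssuedByKnownRoot: false },
  { hostname: 'www.figma.com', errorCode: -202, isIssuedByKnownRoot: false },
  { hostname: 'example.org', errorCode: 0, isIssuedByKnownRoot: false },
];
for (const s of samples) console.log(s.hostname, s.errorCode, classify(s));
```

A failed verification also reports `isIssuedByKnownRoot` as false, which is why the flag is only read after checking that verification passed.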
@electron-cation electron-cation bot added the new-pr 🌱 PR opened in the last 24 hours label Jul 17, 2021
@nornagon nornagon added the semver/minor backwards-compatible functionality label Jul 19, 2021
docs/api/session.md Outdated
@@ -590,6 +590,7 @@ describe('session module', () => {
expect(certificate.issuerCert.issuerCert.subject.commonName).to.equal('Root CA');
expect(certificate.issuerCert.issuerCert.issuerCert).to.equal(undefined);
expect(verificationResult).to.be.oneOf(['net::ERR_CERT_AUTHORITY_INVALID', 'net::ERR_CERT_COMMON_NAME_INVALID']);
expect(isIssuedByKnownRoot).to.be.false();
};
callback(-2);
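Review bot: The added `expect(isIssuedByKnownRoot).to.be.false();` only covers a chain that already fails verification, since the line above it expects `net::ERR_CERT_AUTHORITY_INVALID` or `net::ERR_CERT_COMMON_NAME_INVALID`. The case the PR description depends on, verification passing while the flag is false, is not exercised in this hunk, and neither is a true value. Consider adding a case in which the test root is trusted so that verification succeeds and the flag is still false, and stating in the docs that the flag should only be interpreted after verification has passed.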

This comment was marked as spam.

docs/api/session.md Outdated
@poiru poiru requested a review from nornagon July 26, 2021 16:05
@electron-cation electron-cation bot removed the new-pr 🌱 PR opened in the last 24 hours label Aug 2, 2021
release-clerk bot commented Aug 2, 2021

Release Notes Persisted

Add isIssuedByKnownRoot to ses.setCertificateVerifyProc callback

@poiru poiru deleted the poiru/known-root branch August 2, 2021 07:26
BlackHole1 pushed a commit to BlackHole1/electron that referenced this pull request Aug 30, 2021
)

* feat: Allow detection of MITM HTTPS proxies like ZScaler

For security purposes, Figma heavily restricts the origins that are
allowed to load within our Electron app. Unfortunately some corporate
environments use MITM proxies like ZScaler, which intercepts our
connection to `https://www.figma.com` and serves a redirect to e.g.
`https://gateway.zscloud.net` before finally redirecting back to
`https://www.figma.com`.

In order to detect this situation and handle it gracefully, we need to
be able to know whether or not the certificate for our own origin
(`https://www.figma.com`) is chained to a known root. We do this by
exposing `CertVerifyResult::is_issued_by_known_root`.

If the certification verification passed without the certificate being
tied to a known root, we can safely assume that we are dealing with a
MITM proxy that has its root CA installed locally on the machine. This
means that HTTPS can't be trusted so we might as well make life easier
for corporate users by loosening our origin restrictions without any
manual steps.

* Tweak docs wording